**Key Points of ntldr.exe Virus Analysis Technology**
---
### **One: File Image Hijacking**
Relevant technical articles can be found at: [http://www.hackpro.cn/thread-3095-1-1.html](http://www.hackpro.cn/thread-3095-1-1.html).
Of course, if you only repair the hijacked entries, the virus can rewrite the registry and hijack the file images again. To prevent this, we can restrict access to the registry key (useful not only on an infected machine but also for preventing future infections). The specific method is described in this post: [http://www.hackpro.cn/thread-5167-1-2.html](http://www.hackpro.cn/thread-5167-1-2.html). That post restricts the "Set Value" permission, but against file image hijacking limiting "Set Value" is not enough, because each hijack is a newly created subkey rather than a changed value. Instead, deny "Create Subkey" on the key; the virus then has no permission to create the file image entries.
---
### **Two: autorun.inf**
This method is probably familiar to everyone. An `autorun.inf` file is created on every drive, and double-clicking the drive activates the virus. To counteract this, you can immunize against the `autorun.inf` file. This can be done directly using our forum's tool: **DoIt - System Related - Immunize autorun.inf**. Typically, the `.exe` file pointed to by `autorun.inf` is fixed, so we can also immunize this virus file. Use **DoIt - System Related - File Immunization**, input the virus path (e.g., `c:\virus.exe`), and then immunize it.
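Since the `.exe` named in `autorun.inf` is the file to immunize, it helps to read the file mechanically rather than by eye. The parser below is an added example, not a tool from the forum or the original post; the sample `autorun.inf` is constructed to exercise every key that can launch a program (`open`, `shellexecute`, and `shell\...\command`).

```python
"""Parse an autorun.inf and list the executables it would launch on double-click."""
import configparser
import re
from typing import Dict, List

# Constructed sample in the shape the post describes: a launcher for a virus
# file, with a harmless icon entry mixed in so the parser has to tell them apart.
SAMPLE_AUTORUN_INF = """
[AutoRun]
open=virus.exe
shellexecute=virus.exe -s
shell\\auto\\command=virus.exe
shell=auto
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Keys whose value is a command line; shell\<verb>\command is matched by pattern.
LAUNCH_KEYS = ("open", "shellexecute")
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def autorun_launch_targets(inf_text: str) -> Dict[str, str]:
    """Return {key: command line} for every [autorun] entry that runs a program."""
    # strict=False tolerates duplicate keys, which hand-written inf files often have;
    # interpolation=None keeps %SystemRoot%-style values from being interpreted.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str.lower  # inf keys are case-insensitive
    parser.read_string(inf_text)
    targets: Dict[str, str] = {}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets[key] = value.strip()
    return targets


def referenced_executables(inf_text: str) -> List[str]:
    """Distinct program paths named by launch entries, in order of first appearance."""
    found: List[str] = []
    for command in autorun_launch_targets(inf_text).values():
        match = _FIRST_TOKEN.match(command)
        if not match:
            continue
        exe = match.group(1) or match.group(2)
        if exe.lower() not in (e.lower() for e in found):
            found.append(exe)
    return found


if __name__ == "__main__":
    for exe in referenced_executables(SAMPLE_AUTORUN_INF):
        print("autorun.inf launches:", exe)  # this is the file to immunize
```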
---
### **Three: Process Injection**
This is probably the most technically challenging method. The virus injects itself into other processes, such as `explorer.exe`, which in turn injects into every program process opened afterwards. A virus using this method can be difficult to remove manually. My usual approach is to rename the virus file (note: at this point it usually cannot be deleted, but it can be renamed). In the past, deleting such a virus only required terminating the process it had injected into, after which the virus file could be deleted. However, today I encountered a virus that injected into the `winlogon.exe` process, which cannot be terminated without causing system failure. Moreover, `winlogon.exe` would continue injecting into other subsequently opened processes, including `explorer.exe`. By enumerating process modules, you can see which virus file has been injected into which process. Currently, **360 Security Guard** has this feature: **360 Security Guard - Advanced - System Process Status**. After finding the path of the virus file injected into the process, you can rename the file or immunize it directly.
---
### **Four: Registry Startup Items**
This method is relatively simpler. However, the virus I encountered today would immediately regenerate its startup item in the registry after deletion. None of the usual methods worked. Ultimately, the issue was resolved by setting registry permissions and attempting to delete or immunize the virus file pointed to by the registry.
---
### **Five: System Services for Startup Items**
The solution to this problem is similar to the fourth point. The Gray Pigeon Trojan uses this method to start. Similarly, because the service would regenerate after deletion, the issue was ultimately resolved through permissions.
---
### **Six: Driver Hijacking Browser**
In the directories `c:\program files\internet explorer\` and `c:\program files\internet explorer\plugins`, three to five `.sys` driver files are generated to hijack the browser. This issue is relatively easy to resolve. Simply rename or delete the virus files once identified.
---
### **Additional Observations**
I also discovered that this virus maliciously deletes your `userinit.exe` file (which prevents system login if deleted). Perhaps this is a retaliatory action taken by the virus after multiple startup errors. What a despicable act!
These are roughly the key points I could think of. Essentially, they cover the techniques we encounter during regular virus removal. If you master manual virus removal skills, no virus can escape your grasp.
---
**Source**: Computer Technology [http://www.dnjishu.cn/](http://www.dnjishu.cn/)
Original Article: [http://www.dnjishu.cn/post/ntldr.exe.html](http://www.dnjishu.cn/post/ntldr.exe.html)