Clearing the Evilotus Trojan

Source: Internet
Author: User
Tags: kaspersky, antivirus

(Figure: Evilotus Trojan file)

Evilotus is a domestic Trojan program released by "Step by Step". This brand-new Trojan not only uses mature Trojan techniques such as reverse connection, thread injection and service-based startup, but also brings some original ones. For example, it has an SSDT restoration function, through which it can easily bypass Kaspersky's proactive defense so that Kaspersky Antivirus does not catch it.

The connection port cannot be hidden

Dr. Zhang knows that once any Trojan has connected successfully, a system port is opened to receive and send data, and a Trojan using thread injection is no exception. He plans to use the netstat command that comes with the system to view the opened port.

To prevent other network programs from interfering with the work, close all of them first and open a Command Prompt window. Dr. Zhang entered the command "netstat -ano" in the command line window, and all connections and listening ports were listed immediately. In the connection list he found a process with an external connection whose PID is 1872 (figure 1).
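The step above can be automated with a small script that reads a saved "netstat -ano" listing and reports every established TCP connection to a host outside the local or private ranges, together with the owning PID. This is an added example, not code from the article or from any tool it mentions; the listing embedded in it is constructed, the remote address 203.0.113.25 is a documentation-range address standing in for a real remote host, and PID 1872 is the value the article reports.

```python
"""Triage a captured 'netstat -ano' listing for established outbound connections.

Added example, not from the original article. The listing below is constructed
for this demonstration: 203.0.113.25 is a documentation-range address standing
in for a real remote host, and PID 1872 is the value the article reports.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in the layout 'netstat -ano' prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1029         127.0.0.1:1030         ESTABLISHED     1588
  TCP    192.168.1.5:1041       203.0.113.25:8080      ESTABLISHED     1872
  TCP    192.168.1.5:1050       192.168.1.1:80         TIME_WAIT       0
  TCP    [::]:3389              [::]:0                 LISTENING       1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Address blocks that never identify a host on the Internet. Anything outside
# them is treated as external. (ipaddress's is_private would also hide the
# 203.0.113.0/24 documentation range used in the sample, so the list is explicit.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]

Row = Tuple[str, str, str, str, int]  # proto, local, foreign, state, pid


def parse_netstat(text: str) -> List[Row]:
    """Turn the netstat table into rows; UDP lines have no State column."""
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # header, blank or unexpected line
        rows.append((proto, local, foreign, state, int(pid)))
    return rows


def host_of(endpoint: str) -> str:
    """'203.0.113.25:8080' -> '203.0.113.25'; '[::]:0' -> '::'."""
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")


def is_external(endpoint: str) -> bool:
    """True when the endpoint's host is a routable (non-local) address."""
    try:
        ip = ipaddress.ip_address(host_of(endpoint))
    except ValueError:  # '*' or an unparsable host
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def outbound_connections(rows: List[Row]) -> List[Tuple[int, str]]:
    """(pid, remote endpoint) for every established TCP connection to an external host."""
    return [(pid, foreign) for proto, _local, foreign, state, pid in rows
            if proto == "TCP" and state == "ESTABLISHED" and is_external(foreign)]


if __name__ == "__main__":
    for pid, remote in outbound_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"PID {pid} is connected to {remote}")
```

On a real machine, redirect "netstat -ano" to a file and feed its contents to parse_netstat; the PID it reports is the value to look up in the process monitor in the next step. A reverse-connecting Trojan shows up as an ESTABLISHED connection on an ephemeral local port, which is why the filter keys on state and remote address rather than on the local port number.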


Searching for the Trojan

With this important piece of information in hand, run the Trojan Helper Finder, click the "Process Monitoring" tab, and locate the suspicious Svchost process by its PID value.

Select the process and look through the module list below it. A suspicious DLL file that carries neither "Company" nor "Description" information soon stands out; this is the Trojan's server file (figure 2). The Trojan uses thread injection to insert itself into the system's Svchost process.


After finding the Trojan's process, Dr. Zhang began looking for the Trojan's startup item. Run System Repair Engineer (SRE) and click "Startup Items > Services > Win32 Services".

In the pop-up window, once the "Hide Microsoft Services" option is selected, the program automatically filters out every entry whose publisher is Microsoft. The doctor soon found a startup service with the same name as the Trojan file (figure 3), so he concluded that this was the Trojan's startup item.
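The two checks just described, a loaded module with empty "Company" and "Description" fields, and a non-Microsoft service whose name or binary matches that module, can be expressed as a small correlation over exported module and service lists. The following is an added example rather than code from the article or from the Trojan Helper Finder or SRE; the module and service tables are constructed, and "placeholder_trojan.dll" stands in for the real file name, which the article does not give.

```python
"""Correlate version-info-less DLLs in a process with non-Microsoft services.

Added example, not from the original article. MODULES and SERVICES are
constructed tables of the kind a process monitor and a service manager
export; 'placeholder_trojan' is a stand-in for the real name.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Module:
    path: str
    company: str      # "Company" column of the module list
    description: str  # "Description" column of the module list


@dataclass
class Service:
    name: str
    publisher: str
    binary: str       # ImagePath, or the ServiceDll for a svchost-hosted service


# Constructed module list for the svchost.exe process (PID 1872 in the article).
MODULES = [
    Module(r"C:\WINDOWS\system32\svchost.exe", "Microsoft Corporation", "Generic Host Process for Win32 Services"),
    Module(r"C:\WINDOWS\system32\ntdll.dll", "Microsoft Corporation", "NT Layer DLL"),
    Module(r"C:\WINDOWS\system32\kernel32.dll", "Microsoft Corporation", "Windows NT BASE API Client DLL"),
    Module(r"C:\WINDOWS\system32\placeholder_trojan.dll", "", ""),   # stand-in for the Trojan DLL
    Module(r"C:\WINDOWS\system32\ws2_32.dll", "Microsoft Corporation", "Windows Socket 2.0 32-Bit DLL"),
]

# Constructed Win32 service list; the publisher column is what "Hide Microsoft Services" filters on.
SERVICES = [
    Service("Dhcp", "Microsoft Corporation", r"%SystemRoot%\System32\dhcpcsvc.dll"),
    Service("placeholder_trojan", "", r"C:\WINDOWS\system32\placeholder_trojan.dll"),
    Service("Spooler", "Microsoft Corporation", r"%SystemRoot%\system32\spoolsv.exe"),
    Service("ExampleUpdater", "Example Software Ltd", r"C:\Program Files\Example\updater.exe"),
]


def modules_without_version_info(modules: List[Module]) -> List[Module]:
    """Modules with neither a Company nor a Description, as in figure 2 of the article."""
    return [m for m in modules if not m.company.strip() and not m.description.strip()]


def hide_microsoft_services(services: List[Service]) -> List[Service]:
    """The 'Hide Microsoft Services' view: drop entries published by Microsoft."""
    return [s for s in services if "microsoft" not in s.publisher.lower()]


def services_matching(module: Module, services: List[Service]) -> List[Service]:
    """Non-Microsoft services whose name equals the module's file stem or whose binary is the module."""
    file_name = ntpath.basename(module.path).lower()   # ntpath splits Windows paths on any OS
    stem = ntpath.splitext(file_name)[0]
    return [s for s in hide_microsoft_services(services)
            if s.name.lower() == stem or ntpath.basename(s.binary).lower() == file_name]


def triage(modules: List[Module], services: List[Service]) -> Dict[str, List[str]]:
    """Map each suspicious module path to the service names that start it."""
    return {m.path: [s.name for s in services_matching(m, services)]
            for m in modules_without_version_info(modules)}


if __name__ == "__main__":
    for path, svc_names in triage(MODULES, SERVICES).items():
        print(f"{path}: started by {svc_names or 'no matching service'}")
```

Empty version information is a heuristic, not proof: some legitimate third-party DLLs ship without it, and a well-made Trojan can copy Microsoft's strings into its own resources. Treat a hit as a lead to confirm by hashing the file and checking its signature before deleting anything.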


Clearing the Trojan

In the "Process Monitoring" tab of the Trojan Helper Finder, locate the Svchost process used by the Trojan by its PID value, select it, and click "Terminate selected process". Then select the "Background Service Management" option in the "Startup Item Management" tab, find the Trojan's startup item in the service list, and click the "Delete service" button.

Open the Registry Editor, click "Find" in the "Edit" menu, enter the name of the Trojan file found earlier in the pop-up window, and modify or delete every entry associated with that file name (figure 4). Finally, go to the system's System32 directory and delete the files belonging to the server to complete the cleanup.
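The registry search in the step above is where leftovers are most often missed, because Registry Editor's Find matches the plain text of REG_SZ values, while a service's ServiceDll and the svchost group list are REG_EXPAND_SZ and REG_MULTI_SZ values that a .reg export stores as UTF-16LE hex. The script below, an added example and not part of the article, parses an exported .reg file, decodes those values and lists every key or value that mentions the file name, so the result can be compared against what a plain text search finds. The export is constructed, and "placeholder_trojan" stands in for the real name, which the article does not give.

```python
"""Search a Registry Editor (.reg) export for every value that references a file name.

Added example, not from the original article. Regedit's Find only matches the plain
text of REG_SZ values; REG_EXPAND_SZ (hex(2)) and REG_MULTI_SZ (hex(7)) values, which
is where a service's ServiceDll and the svchost group lists live, are exported as
UTF-16LE hex and have to be decoded before they can be searched. The export below is
constructed, and 'placeholder_trojan' stands in for the real file name.
"""
import re
from typing import Dict, List, Optional, Tuple

SERVICE_NAME = "placeholder_trojan"                          # stand-in, not a real name
SERVICE_DLL = r"C:\WINDOWS\system32\placeholder_trojan.dll"  # stand-in path
IMAGE_PATH = r"%SystemRoot%\System32\svchost.exe -k netsvcs"


def reg_hex(kind: int, text: str) -> str:
    """Encode text the way regedit exports REG_EXPAND_SZ (2) and REG_MULTI_SZ (7)."""
    raw = (text + ("\0\0" if kind == 7 else "\0")).encode("utf-16-le")
    return f"hex({kind}):" + ",".join(f"{b:02x}" for b in raw)


# Constructed export; the three hex values are invisible to a plain text search.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{SERVICE_NAME}]
"Type"=dword:00000020
"Start"=dword:00000002
"DisplayName"="{SERVICE_NAME}"
"ImagePath"={reg_hex(2, IMAGE_PATH)}

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{SERVICE_NAME}\\Parameters]
"ServiceDll"={reg_hex(2, SERVICE_DLL)}

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost]
"netsvcs"={reg_hex(7, SERVICE_NAME)}

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"
"""


def decode_value(data: str) -> str:
    """Decode one value's data to searchable text."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':      # REG_SZ
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.fullmatch(r"hex(?:\((\d+)\))?:([0-9a-fA-F,]*)", data)   # hex, hex(2), hex(7), ...
    if m:
        kind = int(m.group(1) or 3)  # bare 'hex:' is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (2, 7):
            return raw.decode("utf-16-le", errors="replace").rstrip("\0").replace("\0", "\n")
        return raw.hex()
    return data  # dword:... and anything else is kept verbatim


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: decoded data}} for every key in the export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):  # regedit wraps long hex values
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = decode_value(data)
    return keys


def find_references(keys: Dict[str, Dict[str, str]], needle: str) -> List[Tuple[str, Optional[str]]]:
    """Every key path (value None) or decoded value that mentions needle, case-insensitively."""
    needle = needle.lower()
    hits: List[Tuple[str, Optional[str]]] = []
    for key, values in keys.items():
        if needle in key.lower():
            hits.append((key, None))
        for name, data in values.items():
            if needle in name.lower() or needle in data.lower():
                hits.append((key, name))
    return hits


def naive_line_search(text: str, needle: str) -> List[str]:
    """What a plain text search of the export sees: hex-encoded values are missed."""
    return [ln for ln in text.splitlines() if needle.lower() in ln.lower()]


if __name__ == "__main__":
    for key, name in find_references(parse_reg(SAMPLE_REG), SERVICE_NAME):
        print(f"{key}  ->  {name or '(key name itself)'}")
```

Export the hives of interest with "reg export" (or File > Export in Registry Editor) and run find_references on the file before and after the cleanup; an empty result afterwards is the check that the service key, its Parameters subkey and any svchost group entry are all gone. Deleting the DLL from System32 while the service and the group entry remain leaves the system logging a failed service start at every boot, and leaving the file while deleting only the service leaves it ready to be re-registered.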

