Dissecting the Svchost Process to Remove Backdoors

Source: Internet
Author: User

This article explains how to find and remove a Trojan that is started through svchost.exe. I hope you will find it useful.
Svchost.exe is an essential file of the Windows NT kernel family and is indispensable to Windows 2000/XP. Svchost processes host many system services, such as Logical Disk Manager, Remote Procedure Call (RPC), DHCP Client, Automatic Updates, Background Intelligent Transfer Service, COM+ Event System, Internet Connection Sharing, Network Connections, Portable Media Serial Number Service, Remote Access Auto Connection Manager, Remote Access Connection Manager, Removable Storage, Routing and Remote Access, System Event Notification, Telephony, and Wireless Configuration.
To see how a service's dynamic link library is loaded through svchost.exe, open the Services console and inspect one of the services listed above. For example, to view the Automatic Updates service, right-click it and open its Properties.
Likewise, if you want to check any other service that runs under svchost.exe, use the same method to observe it.
Attentive readers will have seen how important svchost.exe is to the system, and precisely because of this importance viruses and Trojans go out of their way to use it, hiding behind its characteristics to infect, intrude into and damage systems. How, then, do we tell which process is the malicious one? The legitimate svchost.exe lives in the "C:\Windows\system32" directory; a copy in any other directory should be treated with suspicion. Without careful observation this is easy for ordinary users to miss.
In general, the following method checks how svchost.exe is running on the machine: the path of each Svchost.exe process can be viewed through "Computer Management > System Tools > System Information > Software Environment > Running Tasks".
Here is just one example. Suppose Windows XP is infected with W32.Welchia.Worm. The legitimate Svchost file resides in "C:\Windows\system32"; be wary if it appears anywhere else. W32.Welchia.Worm, for instance, places its copy in "C:\Windows\system32\wins". Using the method above you can easily view the executable paths of all Svchost processes, and any process whose path is abnormal should be examined and dealt with immediately.
This raises another question: we do not yet know which service loads which dynamic link library. Is there a way to find out? If it were recorded nowhere, how would Windows itself know which DLL to load? As you know, Windows keeps all system and application information in the registry, so that is where we look.
The following uses the Remote Procedure Call (RPC) service as an example of how a Svchost process loads its DLL. In Windows, open the Services console and open the Properties dialog of "Remote Procedure Call (RPC)". The path to the executable is "C:\WINNT\system32\svchost -k rpcss", which shows that the RPC service relies on Svchost started with the "rpcss" parameter; what that parameter refers to is stored in the registry.
Enter "regedit.exe" in the Run dialog and press Enter to open the Registry Editor, then navigate to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rpcss". The "ImagePath" value there, of type REG_EXPAND_SZ, is "%SystemRoot%\system32\svchost -k rpcss" (the service startup command seen in the Services window). In addition, the "Parameters" subkey holds a value named "ServiceDll" whose data is "%SystemRoot%\system32\rpcss.dll"; rpcss.dll is the dynamic link library the Remote Procedure Call (RPC) service uses. This is how the Svchost process starts the service: by reading the registry information of the "rpcss" service.
By the same token, if a program has been written to have svchost.exe start its own dynamic link library (for example a Trojan built as a DLL), the path of that Trojan DLL can be found here and brought into the open.
To find out how many system services each Svchost process hosts, enter the "tlist -s" command at the Windows 2000 Command Prompt; the command comes with the Windows 2000 Support Tools. It shows the same information as the Services console, just in a console interface.

TIPS: on Windows XP, the "tasklist /svc" command gives the same result.

Given the length of this article, not all functions of Svchost can be described in detail; it is a special process in Windows, and interested readers should consult the relevant technical material to learn more.
Next, we look at how svchost.exe is used to launch a Trojan. For the demonstration I chose PortLess BackDoor v1.2, a backdoor that is started through svchost.exe and normally opens no port of its own; it can also be used for reverse connections (the same kind of backdoor as Xiao Rong's BITS).
To find out how it gets started through svchost.exe, we take a snapshot of the registry before running the software. I used Regshot 1.61e5 final and saved the initial snapshot as 1.hiv. Then we copy portlessinst.exe and Svchostdll.dll (do not rename them) into the system directory (%winnt%\system32).
Next, open a command line and install it with "portlessinst.exe -install ActiveString Password". ActiveString is the verification string entered after connecting to a port the system already has open, and Password is the password required when connecting to the port the backdoor opens. For example:
portlessinst.exe -install smiler wind_003
Now we can see the changes in the registry. Load 1.hiv as the 1st shot in Regshot, take the 2nd shot from the current registry, then use Compare. The result is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet assumer\portless\fdsnqbtsuni': "tjnkbu"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet assumer\portless\wfttphuc: "tofiXdo"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 00 20 02 00 00 6D 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 05 12 00 00 01 01 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\ObjectName: "LocalSystem"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Security\Security: 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 63 00 6F 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 00 20 02 00 00 6D 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 6D 00 00 00 01 01 00 00 00 00 05 12 00 00 01 01 00 00 00 00 05 12 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\program: "SvchostDLL.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\Interactive: 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ErrorControl: 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"
As you can see, PortLess BackDoor v1.2 registers itself as a service named "IPRIP" and uses the startup parameter "%
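The registry lookup described for the RPC service and the Regshot comparison above come down to the same check: for every service whose ImagePath is svchost.exe, read Parameters\ServiceDll and judge whether the DLL belongs there. The following Python is an added example, not part of the article, that applies that check to Regshot compare lines; the sample input is constructed from the article's output with the missing backslashes restored.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of the Regshot compare output quoted above, with the
# backslashes the page lost restored; only the values the checks read are kept.
REGSHOT_DIFF = r'''
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\WINNT\system32\Svchostdll.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\system32\svchost.exe -k netsvcs"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Services"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"
'''

# One line: HKLM\SYSTEM\<control set>\Services\<service>\<value name>: <data>;
# the value name may carry a subkey, e.g. Parameters\ServiceDll.
LINE_RE = re.compile(
    r'^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\'
    r'(?P<svc>[^\\]+)\\(?P<value>.+?): (?P<data>.*)$', re.IGNORECASE)

def parse_regshot(text):
    # Group the added registry values by service name; value names are lower-cased.
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            data = m.group('data').strip().strip('"')
            services.setdefault(m.group('svc'), {})[m.group('value').lower()] = data
    return services

def audit_service(values):
    # Reasons a newly added service looks like a svchost-hosted backdoor ([] if none).
    image = values.get('imagepath', '')
    if 'svchost' not in image.lower():
        return []                                   # not hosted by svchost: out of scope
    reasons = []
    group = re.search(r'-k\s+(\S+)', image)         # the svchost group, e.g. netsvcs
    dll = values.get(r'parameters\servicedll')
    if not dll:
        reasons.append('svchost ImagePath without Parameters\\ServiceDll')
    else:
        p = PureWindowsPath(dll)
        if p.parent.name.lower() != 'system32':     # the article's location check
            reasons.append(f'ServiceDll outside system32: {dll}')
        if 'svchost' in p.name.lower():             # DLL named to blend in with svchost.exe
            reasons.append(f'ServiceDll name mimics the host process: {p.name}')
    if values.get('start') == '0x00000002' and values.get('objectname', '').lower() == 'localsystem':
        reasons.append('auto-start as LocalSystem in group ' + (group.group(1) if group else '?'))
    return reasons

def audit(text):
    # Map every service present in the diff to its list of findings.
    return {svc: audit_service(vals) for svc, vals in parse_regshot(text).items()}
```

Any service that appears only in the post-installation snapshot and is flagged here is the one to examine first; the same parser accepts ControlSet001 lines, so both halves of a Regshot report can be fed in together.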
