How to detect and clear malware under the command line (recommended text)

Source: Internet
Author: User

Since the malware "dark screen" incidents were made public, more and more security vendors have joined the fight against malicious software. Malware keeps evolving, however: many new techniques are being applied to its development, and it is becoming increasingly resistant to detection and removal. Although there are many graphical anti-virus and malware cleanup tools, users often run into situations where such tools cannot detect or kill the malware, or where the tools themselves are deleted or disabled by it. Detecting and removing malware from the command line does not suffer from these shortcomings, so it is well worth understanding the specific steps. Below I walk through detecting and removing malware from the Windows command line with an example, using the commands that come with the system and some commonly used third-party tools.

The test environment is the English version of Windows XP SP2 running in a virtual machine, with all patches applied. The malware sample is a common Trojan found on the Internet:

  

Figure 1

After it is executed, the Trojan's file disappears:

  

Figure 2

If the machine behaves abnormally at this point, for example unusual network connection activity or frequent alerts from the anti-virus software or firewall, you can check it as follows:

  1. First exit all browsers, applications and instant-messaging tools, then check the network connections: type CMD in the Run dialog to open a command prompt, for example:

  

Figure 3

Netstat is the network status tool that comes with the system. It can detect the network activity of ordinary Trojans, but it cannot find some malware that uses rootkit techniques; Microsoft's free tool TCPView can be used to improve detection. The difference between the two results is that netstat shows nothing unusual, while TCPView shows an abnormal TCP connection initiated by svchost.exe to 192.168.4.134.

  2. After checking the network connections, check whether there are any abnormal processes in the system. Here we use the tasklist command that comes with the system:

  

Figure 4

Figure 4 shows the output of tasklist /svc; the /svc parameter lists each process together with the services it hosts. The svchost.exe in the red box is a suspicious process, because it hosts a service named zzxrubbr. Incidentally, if the target malware is not installed as a service but runs as an independent process, you can use taskkill /f /im <target> to remove the malware process from memory.

  3. Use Microsoft's free tool PsService (part of the PsTools toolkit) to view information about this suspicious service. The result of querying zzxrubbr with psservice:

  

Figure 5

  4. Based on the rule that a service's name and its executable file name are usually the same, and that the vast majority of service programs and other key files are placed under system32, first use the system's built-in dir command to look for the suspicious service's file:

  

Figure 6

The dir command cannot find the file. The /a parameter of dir shows files with all attributes, including hidden and system files; the /s parameter extends the search to all subdirectories of the current directory.
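The checks above look at connections, processes and service files separately. The following batch script is an added example (not from the original article) that joins them on Windows XP SP2: every ESTABLISHED TCP connection from netstat -ano is shown with the image name and services hosted by the owning PID, and each service hosted in svchost.exe is shown with the start type and binary path that sc qc reports, which is more reliable than assuming the file is named after the service. Like netstat, it only sees what a rootkit has not hidden, so a clean result does not rule out the TCPView finding described above.

```batch
@echo off
setlocal
rem Added example, not part of the original article. Windows XP SP2 cmd.exe.
rem Part 1: tie each ESTABLISHED connection to the services in the owning process.
echo Established TCP connections and the services hosted by the owning process:
echo.
rem netstat -ano columns: Proto  Local  Foreign  State  PID
for /f "tokens=2,3,5" %%L in ('netstat -ano ^| findstr /c:"ESTABLISHED"') do (
    echo %%L  -^>  %%M   [PID %%N]
    rem csv output is: "image","PID","svc1,svc2,..."  (the services field may hold commas)
    for /f "tokens=1,2* delims=," %%I in ('tasklist /svc /fi "PID eq %%N" /fo csv /nh') do (
        echo     image: %%~I   services: %%K
    )
)
echo.
rem Part 2: for every service hosted in svchost.exe, ask the service control
rem manager where it is really loaded from instead of guessing system32\name.*
echo Start type and binary path of every service hosted in svchost.exe:
for /f "tokens=1,2* delims=," %%I in ('tasklist /svc /fi "IMAGENAME eq svchost.exe" /fo csv /nh') do (
    for %%S in (%%~K) do (
        echo --- %%~S  [PID %%~J]
        sc qc %%~S | findstr /i "START_TYPE BINARY_PATH_NAME"
    )
)
endlocal
```

A service whose name is unfamiliar, whose BINARY_PATH_NAME points at a file dir cannot show, and whose host PID owns an outbound connection is the pattern the article's zzxrubbr sample produces.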

Since this Trojan hides both its network connection and its own files, it can be determined that the sample uses rootkit techniques, and ordinary malware removal tools may not be able to clear it. Next I continue to demonstrate how to remove the Trojan from the command line:

  1. Because the Trojan installs a self-starting service, the first thing to do is to stop and disable that service, again using psservice:

  

Figure 7

psservice stop zzxrubbr    (stop the suspicious service)

psservice setconfig zzxrubbr disabled    (disable the suspicious service)

The advantage of psservice is that even if the Microsoft Management Console (MMC) has been disabled by the malware, you can still control services from the command line; it can also manage services that do not support user interaction (most malware services fall into this category).

  2. After the system is restarted, use dir again to confirm whether the suspicious service's executable exists:

  

Figure 8

Three files with the same name as the suspicious service, but with different extensions, are now visible.

  3. All the Trojan's files have been found. There are three ways to remove them:

1) Deletion is suitable when the malicious program's process has already been stopped in memory. Use the built-in del command:

  

Figure 9

2) Renaming is suitable when the target malware cannot be deleted or its process cannot be removed from memory. Sometimes you first need the system's attrib command (attrib -h -s -r <target>) to clear the hidden, system and read-only attributes. After renaming, restart the system; after the restart the malware cannot start because its file name has changed, and you can then delete the malware's executable manually:

  

Figure 10

3) Modifying permissions is the final and most effective measure in malware cleanup. It is mostly used when the target malware can be neither deleted nor renamed, and it can also be used to immunize the system against the target malware. After the restart, the malware cannot start because it has no execute permission:

  

Figure 11

cacls is the Windows command-line file permission management tool. The /d parameter denies the specified user access to the specified file. In malware cleanup, access is usually denied to the SYSTEM and Administrators users.
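The removal steps above, from stopping the service to the three file methods, as one batch script. This is an added example, not the article's own code: it takes a service name such as zzxrubbr, stops and disables the service with psservice, finds every file named after it under system32 including hidden and system files, and on each one tries delete, then rename, then a cacls deny, stopping at the first method that works. It assumes psservice.exe (PsTools) is on the PATH and that cmd.exe was started by an administrator on Windows XP SP2.

```batch
@echo off
setlocal
rem Added example, not from the original article.  Usage:  clean_service.cmd zzxrubbr
rem Assumes psservice.exe is on the PATH and an administrator command prompt.
if "%~1"=="" (echo usage: %~nx0 service-name & exit /b 1)
set "SVC=%~1"
set "FOUND="

echo [1] stop and disable the self-starting service
psservice stop %SVC%
psservice setconfig %SVC% disabled

echo [2] look for %SVC%.* under system32, hidden and system files included
for /f "delims=" %%F in ('dir /a /s /b "%SystemRoot%\system32\%SVC%.*" 2^>nul') do call :clean "%%F"
if not defined FOUND echo     nothing named %SVC%.* found; check the real path with: sc qc %SVC%
endlocal
exit /b 0

:clean
set "FOUND=1"
echo     found %~1
rem clear hidden, system and read-only attributes first; del and ren refuse otherwise
attrib -h -s -r "%~1"
rem method 1: delete, which works once the process is no longer in memory
del /f /q "%~1" 2>nul
if not exist "%~1" (echo     deleted & exit /b 0)
rem method 2: rename so the file cannot be started after the next restart
ren "%~1" "%~nx1.bad" 2>nul
if not exist "%~1" (echo     renamed to %~nx1.bad; delete it after restarting & exit /b 0)
rem method 3: deny SYSTEM and Administrators all access so the file cannot execute
cacls "%~1" /e /c /d SYSTEM Administrators >nul
if errorlevel 1 (echo     cacls failed; retry from Safe Mode) else echo     access denied; restart, then delete it
exit /b 0
```

Run it after the reboot in step 2, when the service is no longer running; files that could only be renamed or denied still need a second restart before they can be deleted, as the article describes.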

After the above steps, a malware sample with rootkit functionality has been detected and removed. The steps for other types of malware are similar: you need to know where the executables of common malware are stored, and we recommend cleaning in Safe Mode. For example, for an Autorun.inf virus, kill the virus process from the command line, delete Autorun.inf and the virus executable from the root directory of each partition, and then clean the system directory. In short, detecting and removing malware from the command line is not complicated; if you cannot remove stubborn malware from the graphical interface, try the methods described in this article.
