How to use Excel to destroy DLL Trojans

Source: Internet
Author: User

DLL Trojans do their damage through DLL files. While the Trojan runs, no new process appears in the process list, and many DLL Trojans are inserted into key system processes (which cannot be terminated), so even when antivirus software detects them it cannot clean them up, which poses a great threat to system security. If you do not have a Trojan-killing tool at hand, you can make do with Office Excel. Next, let's take a look at how to use Excel to deal with a Trojan that has been inserted into the lsass.exe process!

Step 1: Find the infected process
Recently, after I had been online for a while, I felt that the network speed was extremely slow. So I ran "netstat -a -n -o" to check the open ports and connections, and the connection made by the process with PID 580 looked extremely suspicious: its state is ESTABLISHED, meaning the two machines are communicating (see figure 1). Task Manager shows that this PID belongs to lsass.exe. lsass.exe is part of the security mechanism of Microsoft Windows and handles local security and login policy. Obviously, this process has no need to open ports or make external connections, so it is very likely that a DLL Trojan has been inserted into it. If the intruder is not currently connected, you can use the port state to judge whether a connection has taken place. For example, TIME_WAIT means the connection has been terminated, i.e. access to the port has already completed, which indicates that a hacker has intruded into the local machine. LISTENING means the service port is listening and waiting for a connection, but nothing is connected yet. Note that only TCP service ports can be in the LISTENING state.


TIPS: the premise for judging whether the attack succeeded is to identify the infected process. By the type of process the Trojan inserts itself into, DLL Trojans can be roughly divided as follows:
1. Trojans inserted into ordinary programs, for example notepad.exe (this type is easy to judge: after the Trojan starts, no such program has been started by the user, so if the process is found in Task Manager, the verdict is clear).
2. ... will not open a port connection.
3. For processes that do open ports, such as alg.exe and svchost.exe, the connection state, remote IP address and loaded DLLs must be weighed together to reach a judgement.

Step 2: Track the Trojan
Knowing which process the DLL Trojan was inserted into, we can compare the DLL modules loaded by that process.
1. Run "tasklist /m /fo list > G:\dll1.txt" at the command prompt on another, normal computer to export the DLLs loaded by every process to a text file. Then open dll1.txt and copy the list of DLL files loaded by lsass.exe (see figure 2).


The number of DLL files loaded by the two copies of lsass.exe differs (64 and 68). Now set the font of column B to red, cut the contents of column B and paste them below column A, click "Data/Sort" in Excel and sort the combined column. Matching names now sit next to each other in black and red pairs, while the Trojan's files show up as red DLL entries without a partner: mswsock.dll, PSAPI.DLL, wshtcpip.dll and share.dll (see figure 3).


TIPS:
If you cannot determine which process the Trojan was inserted into, first export the DLL lists of all processes, then sort them in Excel and compare them with the normal DLL lists, and check the newly added DLL files one by one.

Step 3: Delete the Trojan file
From the above we can see that the DLL Trojan is among the four extra files, and we can now locate them with the file search (DLL files are mostly in the system directory, so the search scope can be limited to it). In the end we find C:\Windows\System32\share.dll. Now boot into safe mode, delete share.dll, and find and delete the Trojan's companions based on their creation time and size. Microsoft system DLL files generally carry a version label, and most of them share the same date, so these attributes can be used to tell them apart.
TIPS: You can also delete the DLL Trojan directly after its host process has been terminated.

Step 4: Back up data to prevent future problems
Without a reference it is difficult to judge what is normal. Therefore we usually use the tasklist command in advance to back up the DLL lists of the common system processes. Then, whenever we suspect an infection, we can restart, close every unrelated program, export the lists again and sort them in Excel to quickly find the Trojan!
Note: the system has multiple svchost.exe processes with different PIDs, and each must be backed up separately.
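As an added example (not code from the original article), the following Python script performs the comparison the article does by hand in Excel: it parses "netstat -a -n -o" output to find connections owned by processes that should never touch the network, such as lsass.exe, and it diffs a saved "tasklist /m /fo list" baseline against a fresh export to list the DLLs a process has newly loaded. The netstat and tasklist text below is constructed, the column layout of both commands is assumed from their usual list format, and the extra module names simply echo the article's example.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
# PID 580 plays the role of the article's lsass.exe with an ESTABLISHED connection.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.0.2.10:1034        198.51.100.7:8080      ESTABLISHED     580
  TCP    192.0.2.10:1040        198.51.100.7:80        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /m /fo list` exports: a baseline taken earlier on a clean
# machine and a later export from the suspect machine.  The module list is assumed
# to be comma-separated on the "Modules:" line.  Note the baseline PID differs:
# PIDs are not stable across machines or reboots, so we compare by image name.
TASKLIST_BASELINE = """
Image Name:   lsass.exe
PID:          572
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll

Image Name:   svchost.exe
PID:          1020
Modules:      ntdll.dll, kernel32.dll
"""

TASKLIST_SUSPECT = """
Image Name:   lsass.exe
PID:          580
Modules:      ntdll.dll, kernel32.dll, ADVAPI32.dll, RPCRT4.dll, mswsock.dll, PSAPI.DLL, wshtcpip.dll, share.dll

Image Name:   svchost.exe
PID:          1020
Modules:      ntdll.dll, kernel32.dll
"""

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Map PID -> list of (proto, local, foreign, state) from `netstat -a -n -o` output."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns[int(pid)].append((proto, local, foreign, state or ""))
    return dict(conns)


def parse_tasklist_list(text):
    """Map (image name, PID) -> set of lower-cased module names from `tasklist /m /fo list`."""
    procs = {}
    image = pid = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Image Name":
            image = value.lower()
        elif key == "PID":
            pid = int(value)
        elif key == "Modules":
            mods = set() if value == "N/A" else {m.strip().lower() for m in value.split(",") if m.strip()}
            procs[(image, pid)] = mods
    return procs


def baseline_modules_by_image(procs):
    """Union of modules per image name, since PIDs differ between the two exports."""
    by_image = defaultdict(set)
    for (image, _pid), mods in procs.items():
        by_image[image] |= mods
    return dict(by_image)


def new_modules(baseline_text, suspect_text):
    """DLLs each suspect process loads that the baseline never saw for that image name.
    This is the article's Excel sort-and-compare, done per process."""
    base = baseline_modules_by_image(parse_tasklist_list(baseline_text))
    findings = {}
    for (image, pid), mods in parse_tasklist_list(suspect_text).items():
        extra = sorted(mods - base.get(image, set()))
        if extra:
            findings[(image, pid)] = extra
    return findings


def unexpected_network(netstat_text, tasklist_text, quiet_images=("lsass.exe",)):
    """Connections in any state owned by processes that have no business on the network.
    TIME_WAIT rows are reported too: they show a connection that already finished."""
    pid_to_image = {pid: image for (image, pid) in parse_tasklist_list(tasklist_text)}
    hits = []
    for pid, conns in parse_netstat(netstat_text).items():
        image = pid_to_image.get(pid)
        if image in quiet_images:
            for proto, local, foreign, state in conns:
                hits.append((image, pid, proto, local, foreign, state))
    return hits


if __name__ == "__main__":
    for hit in unexpected_network(NETSTAT_SAMPLE, TASKLIST_SUSPECT):
        print("network activity from a process that should be silent:", hit)
    for (image, pid), extra in new_modules(TASKLIST_BASELINE, TASKLIST_SUSPECT).items():
        print(f"{image} (PID {pid}) loads DLLs absent from the baseline: {', '.join(extra)}")
```

Comparing by image name merges the module sets of all svchost.exe instances in the baseline, which is looser than the article's per-PID backups; it avoids false alarms when instances are started in a different order, at the cost of missing a DLL that is legitimate in one svchost.exe but foreign to another. To use it on real exports, replace the two constructed strings with the contents of the saved and fresh dll1.txt files.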
