After breaking into a system, the first thing an attacker usually does is upload a Trojan backdoor, and to keep that Trojan from being found they disguise it in a variety of ways. As the victim, how can we see through the disguise and clear every Trojan out of the system?
I. File bundle detection
Bundling a Trojan into a normal program has long been a common way of disguising it. Let's look at how to detect a Trojan bundled into a file.
1. MT Bundle Buster
When a Trojan is bundled into a file, the file's header signatures show a telltale pattern, and MT Bundle Buster works by analysing the program's executable header signatures. Once the program is running, click the "Browse" button, select the file to be examined, then click the "Analyze" button on the main interface and the program analyses the file automatically. Now look at the number of executable headers reported by the analysis: if there are two or more executable headers, the file has definitely been bundled!
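The header analysis described above can be reproduced in a few lines. The following is an added example, not code from the article or from MT Bundle Buster: it walks a byte buffer looking for DOS "MZ" stubs whose e_lfanew field points at a "PE\0\0" signature (so stray "MZ" byte pairs are not counted), and applies the page's rule that two or more executable headers means a bundled file. The `fake_pe` helper builds constructed, non-executable PE-shaped blobs purely so the example runs offline; real files are scanned with `scan_file`.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
MZ_MAGIC = b"MZ"
E_LFANEW_OFFSET = 0x3C      # offset of e_lfanew in the DOS header
MAX_LFANEW = 0x1000         # assumed sanity bound on how far the PE header may sit from "MZ"


def find_pe_headers(data: bytes) -> list:
    """Return the offsets of every valid PE image header found in data.

    A candidate starts with the DOS magic "MZ"; it is accepted only if the
    e_lfanew field at +0x3C points (relative to the candidate) at a
    "PE\\0\\0" signature, which filters out random "MZ" byte pairs.
    """
    found = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + E_LFANEW_OFFSET + 4 <= len(data):
            (lfanew,) = struct.unpack_from("<I", data, pos + E_LFANEW_OFFSET)
            sig_at = pos + lfanew
            if 0 < lfanew <= MAX_LFANEW and data[sig_at:sig_at + 4] == PE_SIGNATURE:
                found.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return found


def looks_bundled(data: bytes) -> bool:
    """The page's rule: two or more executable headers means the file is bundled."""
    return len(find_pe_headers(data)) >= 2


def scan_file(path: str) -> bool:
    """Read a file from disk and apply looks_bundled to it."""
    with open(path, "rb") as fh:
        return looks_bundled(fh.read())


def fake_pe(body: bytes) -> bytes:
    """Constructed PE-shaped blob for demonstration only (not a runnable executable)."""
    header = bytearray(0x40)
    header[0:2] = MZ_MAGIC
    struct.pack_into("<I", header, E_LFANEW_OFFSET, 0x40)  # PE header directly after the DOS header
    return bytes(header) + PE_SIGNATURE + body


if __name__ == "__main__":
    clean = fake_pe(b"\x90" * 64)
    bundled = fake_pe(b"host code") + b"PAYLOAD:" + fake_pe(b"dropper")
    print("clean   ->", find_pe_headers(clean), looks_bundled(clean))
    print("bundled ->", find_pe_headers(bundled), looks_bundled(bundled))
```

Treat a hit as a lead rather than a verdict: legitimate installers and self-extracting archives also carry embedded executables, so a second header justifies a closer look at the file, not an automatic deletion.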
2. Pulling the bundled Trojan out of the program
Detecting that a Trojan is bundled into a file is not enough; we also need to call in an "agent" such as Fearless Bound File Detector to remove it.
After the program is run, it first asks you to select the program or file to check. Click the Process button in the main interface, then click the Clean File button, and click Yes in the warning dialog that pops up to confirm removal of the Trojan bundled into the program.
II. Clearing DLL backdoors
Compared with file bundling, DLL-injected Trojans are more advanced: they have no process of their own, open no port, and are hard for ordinary users to find. The cleanup steps are correspondingly more complex.
1. End the Trojan process
Because this type of Trojan is embedded in another process and produces no entry of its own in a process viewer, if we find the system behaving abnormally we need to determine whether a DLL Trojan is present.
Here we use the IceSword tool. After it runs, it automatically lists the processes running on the system. Right-click a suspicious process and choose "Module Information" from the pop-up menu; the window that opens shows all the DLL modules loaded by that process. If you find a module of unknown origin, select it and click the Unload button to remove it from the process. For more stubborn modules, also click the "Force release" button, then go to the path shown in the module's File Name column and delete the file from its folder.
2. Find suspicious DLL modules
Since ordinary users are unfamiliar with how DLL files are loaded, it is hard to tell which DLL module is suspicious. This is where ECQ-PS (Super Process King) comes in handy.
After the software runs, the middle list shows all processes on the current system. Double-clicking a process shows its details in the All Modules tab of the lower window, including each module's name, version, vendor and creation time. The vendor and creation time are the most important: if a key system process such as "Svchost.exe" turns out to have loaded a module from an unknown vendor, that module is certainly problematic. Likewise, if the vendor is Microsoft but the creation time differs from that of the other DLL modules, it may be a DLL Trojan.
Alternatively, switch directly to the "Suspicious modules" option and the software automatically scans the loaded modules for suspicious files and lists them. Double-click a suspicious DLL module in the results list to see which processes have loaded it. Normally a DLL file is loaded by several processes; if it is loaded only by this one process, it may be a DLL Trojan. Click the "Force delete" button to remove the DLL from the process.
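The three rules of thumb above (unknown vendor inside a key system process, a "Microsoft" module whose creation time does not match its neighbours, a DLL loaded by only one process) can be applied to any module inventory. The following is an added example, not code from the article or from ECQ-PS; it runs the three heuristics over a constructed inventory shaped like the All Modules view. The set of key system processes, the 30-day time tolerance and the sample module names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MICROSOFT = "Microsoft Corporation"
# Assumed set of processes treated as "key system processes" (the text names Svchost.exe).
KEY_SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
# Assumed tolerance: how far a Microsoft-labelled DLL's creation time may stray
# from the other Microsoft DLLs in the same process before it is flagged.
TIME_TOLERANCE = timedelta(days=30)


def _module(process, module, vendor, created):
    return {"process": process.lower(), "module": module.lower(),
            "vendor": vendor, "created": datetime.fromisoformat(created)}


# Constructed sample inventory; the two odd entries are made up for the demonstration.
SAMPLE_MODULES = [
    _module("svchost.exe", "ntdll.dll", MICROSOFT, "2004-08-04"),
    _module("svchost.exe", "kernel32.dll", MICROSOFT, "2004-08-04"),
    _module("svchost.exe", "advapi32.dll", MICROSOFT, "2004-08-04"),
    _module("svchost.exe", "netsvc32.dll", "", "2024-05-02"),        # unknown vendor (constructed)
    _module("explorer.exe", "ntdll.dll", MICROSOFT, "2004-08-04"),
    _module("explorer.exe", "kernel32.dll", MICROSOFT, "2004-08-04"),
    _module("explorer.exe", "advapi32.dll", MICROSOFT, "2004-08-04"),
    _module("explorer.exe", "shellx.dll", MICROSOFT, "2024-05-02"),  # claims Microsoft, odd date (constructed)
    _module("lsass.exe", "ntdll.dll", MICROSOFT, "2004-08-04"),
    _module("lsass.exe", "kernel32.dll", MICROSOFT, "2004-08-04"),
]


def suspicious_modules(records):
    """Apply the three heuristics from the text to a module inventory.

    Returns a list of (process, module, [reasons]) for every module that
    trips at least one heuristic.
    """
    loaders = defaultdict(set)       # module name -> processes that loaded it
    by_process = defaultdict(list)   # process name -> its module records
    for r in records:
        loaders[r["module"]].add(r["process"])
        by_process[r["process"]].append(r)

    findings = []
    for proc, mods in by_process.items():
        ms_mods = [m for m in mods if m["vendor"] == MICROSOFT]
        for m in mods:
            reasons = []
            # 1. A key system process has loaded a module from an unknown vendor.
            if proc in KEY_SYSTEM_PROCESSES and m["vendor"] != MICROSOFT:
                reasons.append("non-Microsoft or unknown vendor inside a key system process")
            # 2. Vendor says Microsoft, but the creation time is far from the other
            #    Microsoft modules in the same process (reference = their middle value).
            if m["vendor"] == MICROSOFT and len(ms_mods) >= 2:
                others = sorted(x["created"] for x in ms_mods if x is not m)
                reference = others[len(others) // 2]
                if abs(m["created"] - reference) > TIME_TOLERANCE:
                    reasons.append("creation time differs from the other Microsoft modules")
            # 3. A DLL that only this one process has loaded.
            if m["module"].endswith(".dll") and len(loaders[m["module"]]) == 1:
                reasons.append("loaded by this process only")
            if reasons:
                findings.append((proc, m["module"], reasons))
    return findings


if __name__ == "__main__":
    for proc, mod, why in suspicious_modules(SAMPLE_MODULES):
        print(f"{proc:14} {mod:14} {'; '.join(why)}")
```

The vendor string is self-reported, so rule 1 says nothing about whether the file is genuinely Microsoft's; on a real system, pair these heuristics with a check of the module's digital signature before unloading or deleting anything.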
III. Thorough rootkit detection
Nobody can check the system's ports, registry, files and services at all times to see whether a Trojan is hiding there. In that case we can use some special tools to detect it.
1. Rootkit Detector clears rootkits
Rootkit Detector is a rootkit detection and removal tool that detects several Windows rootkits, including the well-known hxdef.100.
Using it is simple: run the program "Rkdetector.exe" directly from the command line. Once it runs, it automatically performs a pass over the system's hidden items, finds the rootkit programs and services running on the system, marks them in red as a reminder, and tries to clear them.
2. The powerful knlps
By contrast, knlps is more powerful and can terminate a specified running rootkit program. To use it, enter the command "knlps.exe -l" at the command line to display all hidden rootkit processes on the system together with their PIDs. Once you have found the rootkit process, use the "-k" parameter to kill it. For example, if the process "Svch0st.exe" has been found with PID "3908", enter the command "knlps.exe -k 3908" to terminate it.
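Tools that list "hidden" processes work by comparing views: anything present in a low-level enumeration but missing from the normal process API is being concealed. The following is an added example, not code from the article or from Rkdetector or knlps; it performs that cross-view comparison on two constructed process tables and adds a second defensive check that catches names within one character of a known system process name, such as the "Svch0st.exe" in the example above. On a real system the API view would come from the normal process-listing API and the raw view from a lower-level enumeration; both tables here are made up for the demonstration.

```python
# Constructed views. In practice API_VIEW comes from the ordinary process API and
# RAW_VIEW from a lower-level enumeration that a user-mode rootkit cannot filter.
API_VIEW = {4: "System", 620: "services.exe", 688: "lsass.exe",
            1024: "svchost.exe", 1540: "explorer.exe"}
RAW_VIEW = {4: "System", 620: "services.exe", 688: "lsass.exe",
            1024: "svchost.exe", 1540: "explorer.exe", 3908: "Svch0st.exe"}

# Assumed list of legitimate system process names used for the lookalike check.
KNOWN_SYSTEM_NAMES = {"system", "services.exe", "lsass.exe", "svchost.exe",
                      "winlogon.exe", "csrss.exe", "explorer.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one row of the dynamic-programming table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hidden_processes(api_view: dict, raw_view: dict) -> dict:
    """PIDs present in the low-level view but absent from the API view."""
    return {pid: name for pid, name in raw_view.items() if pid not in api_view}


def lookalike_names(view: dict, known=KNOWN_SYSTEM_NAMES) -> dict:
    """Names within one edit of a known system name without being that name.

    Returns {pid: (actual_name, name_it_imitates)}.
    """
    hits = {}
    for pid, name in view.items():
        lname = name.lower()
        if lname in known:
            continue
        for legit in known:
            if edit_distance(lname, legit) <= 1:
                hits[pid] = (name, legit)
                break
    return hits


if __name__ == "__main__":
    for pid, name in hidden_processes(API_VIEW, RAW_VIEW).items():
        print(f"hidden from the API view: PID {pid} {name}")
    for pid, (name, legit) in lookalike_names(RAW_VIEW).items():
        print(f"lookalike name: PID {pid} {name} imitates {legit}")
```

A process that exits between the two enumerations also shows up as "hidden", so take the two views as close together as possible and confirm a finding by repeating the comparison before acting on it.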
IV. Cloned account detection
Strictly speaking, a cloned account is not a backdoor Trojan. But it too holds administrator rights in the system while appearing to be just a member of the Guests group, which easily lulls the administrator into a false sense of security.
Here we introduce a new account-clone detection tool, Lp_check, which can pick out the cloned users hidden in the system!
Using Lp_check is extremely simple. After it runs, it compares the user accounts and permissions recorded in the Registry with those in the Account Manager. You can see that the program has detected a problem with the Guest account and marked it in the list with a red triangle symbol; we can then open the User Management window to delete it.
With the methods introduced above, the system should be relatively safe again, but to avoid Trojan attacks you still need to understand the basics of how they work.