1. Understanding Trojans
A Trojan is essentially a network client/server program. In the client/server model one host provides a service (the server) and the other host consumes it (the client). The server host normally opens a fixed port and listens on it; when a client sends a connection request to that port, the matching program on the server runs automatically to answer the request. That program is called a daemon. With a Trojan the controlled machine plays the server role and the controlling machine plays the client role: the victim's machine provides the service to the controller.
2. Trojan Detection
Because a Trojan is a remote-control program, a host infected with one will open a specific port. Normally a personal system has only ports 137, 138 and 139 open after it starts; other ports open as you use the Internet: IE typically opens ports 1025, 1026, 1027 and so on, and QQ opens 4000, 4001 and so on. Run "netstat -na" at the DOS prompt to list all open ports on the local machine.
If you find ports in use besides those just mentioned, and especially the well-known Trojan ports (for example, "Glacier" uses port 7626, Black Hole 2001 uses port 2001 and NetBull uses port 23444), you can be fairly sure that a Trojan is present.
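The port check described above can be automated by parsing "netstat -na" output and comparing every local port against a baseline of ports that are expected on the machine plus the Trojan ports the text names. The script below is an added example, not code from the original article; the netstat sample is constructed, the baseline set reflects the ports listed above and should be adjusted to the machine being checked, and the Trojan port table contains only the ports stated on this page.

```python
import re

# Baseline ports the page describes as normal on a personal machine:
# NetBIOS 137-139 after boot, IE's 1025-1027, QQ's 4000-4001 (adjust as needed).
BASELINE_PORTS = {137, 138, 139, 1025, 1026, 1027, 4000, 4001}

# Default ports of the Trojans named on the page.
KNOWN_TROJAN_PORTS = {7626: "Glacier", 2001: "Black Hole 2001", 23444: "NetBull"}

# Constructed sample of "netstat -na" output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1026       203.0.113.9:80         ESTABLISHED
  TCP    192.168.1.5:27015      0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:4000           *:*
"""

# One netstat row: protocol, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_port, state) tuples for every row of netstat -na output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, _addr, port, _foreign, state = m.groups()
        entries.append((proto, int(port), state or ""))
    return entries


def flag_suspicious_ports(text, baseline=BASELINE_PORTS, trojan_ports=KNOWN_TROJAN_PORTS):
    """Report every local port outside the baseline, naming known Trojan ports."""
    findings = []
    seen = set()
    for proto, port, _state in parse_netstat(text):
        if port in baseline or (proto, port) in seen:
            continue
        seen.add((proto, port))
        if port in trojan_ports:
            findings.append((proto, port, "known Trojan port: " + trojan_ports[port]))
        else:
            findings.append((proto, port, "port outside baseline: investigate"))
    return findings


if __name__ == "__main__":
    for proto, port, reason in flag_suspicious_ports(SAMPLE_NETSTAT):
        print(f"{proto} {port}: {reason}")
```

A port outside the baseline is only a lead: confirm it by finding the process that owns it (the "Searching for Trojans" section below) before concluding anything, and expect the baseline to differ from machine to machine.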
3. Searching for Trojans
First make your system display hidden files, because some Trojan files carry the hidden attribute. Most Trojans copy themselves into the system directory and add a startup entry (a copy outside the system directory is easily noticed, and without a startup entry the Trojan would not run again after a reboot). The startup entry is usually added to the Registry, in these locations:
All values under the keys starting with "Run" in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion;
All values under the keys starting with "Run" in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion;
All values under the keys starting with "Run" in HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion.
However, some Trojans are not loaded from these keys and hide in the following places instead:
① Starting from Win.ini
In Win.ini the [windows] section contains the startup entries "load=" and "run=". Normally nothing follows the "=", so entries such as:
run=c:\windows\file.exe
load=c:\windows\file.exe
mean that file.exe may be a Trojan.
② Starting from System.ini
System.ini is located in the Windows installation directory. The line "shell=Explorer.exe" in its [boot] section is a favourite hiding place for Trojan loaders. The usual trick is to change it to "shell=Explorer.exe window.exe", where window.exe is the Trojan. Also check the "driver=path\program name" line in the [386Enh] section of System.ini, which Trojans may use as well. Finally, the [mci], [drivers] and [drivers32] sections of System.ini are meant for loading drivers, but they are also convenient places to add a Trojan.
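The Win.ini and System.ini checks in ① and ② can be scripted: read each file, locate the sections named above and report any entry that loads something beyond the expected value. This is an added example, not code from the original article; the two INI fragments are constructed, the file names and section names are those the text gives, and the executable-extension heuristic for the [mci], [drivers] and [drivers32] sections is an assumption (those sections normally hold .drv, .dll or .acm entries).

```python
# Constructed sample Win.ini and System.ini fragments (not from a real machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\file.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe window.exe
[386Enh]
device=*vmcpd
driver=c:\windows\sample.exe
[mci]
cdaudio=mcicda.drv
[drivers]
wave=mmdrv.dll
video=c:\windows\load.exe
[drivers32]
msacm.imaadpcm=imaadp32.acm
"""


def parse_ini(text):
    """Minimal INI parser that keeps every key=value pair in order.
    Windows 9x files may repeat keys, so each section is a list, not a dict."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def check_win_ini(text):
    """Flag non-empty load= and run= entries in the [windows] section."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key in ("load", "run") and value:
            findings.append(f"[windows] {key}= loads {value}")
    return findings


def check_system_ini(text):
    """Flag an extended shell= line, any driver= line in [386Enh], and
    executables (heuristic: .exe/.com/.bat) in the driver sections."""
    findings = []
    ini = parse_ini(text)
    for key, value in ini.get("boot", []):
        if key == "shell":
            parts = value.split()
            if len(parts) != 1 or parts[0].lower() != "explorer.exe":
                findings.append(f"[boot] shell= is '{value}', expected 'Explorer.exe'")
    for key, value in ini.get("386enh", []):
        if key == "driver":
            findings.append(f"[386Enh] driver= loads {value}")
    for section in ("mci", "drivers", "drivers32"):
        for key, value in ini.get(section, []):
            if value.lower().endswith((".exe", ".com", ".bat")):
                findings.append(f"[{section}] {key}= points at an executable: {value}")
    return findings


if __name__ == "__main__":
    for finding in check_win_ini(SAMPLE_WIN_INI) + check_system_ini(SAMPLE_SYSTEM_INI):
        print(finding)
```

On a real machine, pass the contents of C:\Windows\Win.ini and C:\Windows\System.ini to the two check functions; a finding identifies a line to inspect by hand, not a confirmed Trojan.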
③ Loading from Autoexec.bat and Config.sys
This loading method requires the controller to first establish a connection to the server and then upload files with the same names, containing the Trojan's startup command, to overwrite the two originals. It is not very stealthy and is therefore rare, but it should not be dismissed.
④ Starting from Winstart.bat
Winstart.bat is a batch file no less special than Autoexec.bat: Windows also loads and runs it automatically. In most cases it is generated for applications and Windows, and it runs after Win.com has executed and most drivers have loaded (press F8 at startup and choose the step-by-step start mode to follow the boot process). Because Winstart.bat can take over the role of Autoexec.bat, a Trojan can be loaded from it just as from Autoexec.bat, which is dangerous.
⑤ Startup group
The Startup group is not a hidden place, but it is a reliable place for automatic loading, so Trojans like to reside there. Its folder is C:\Windows\Start Menu\Programs\StartUp, and its registry location is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, value Startup = C:\windows\start menu\programs\startup.
⑥ *.INI files
These are the applications' own startup configuration files. The controller uploads a file of the same name containing the Trojan's startup command to the server, overwriting the original, so that the Trojan starts together with the application.
⑦ Modified file associations
Modifying file associations is a common Trojan technique (mainly among domestic Trojans; foreign ones rarely use it). For example, txt files normally open with Notepad, but once the association has been hijacked, opening a txt file launches the Trojan instead. "Glacier" changes the value under HKEY_CLASSES_ROOT\txtfile\shell\open\command from "C:\Windows\Notepad.exe %1" to "C:\Windows\System\SYSEXPLR.EXE %1", so double-clicking a txt file no longer runs Notepad but the Trojan. Note that txt files are not the only target: HTM, EXE, ZIP, COM and other types are hijacked the same way. The only defence is to check the HKEY_CLASSES_ROOT\<file type>\shell\open\command key for each type and verify that its value is normal.
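Both the Run-key check at the start of this section and the association check in ⑦ can be done offline against a Registry export (a .reg file) rather than by hand in Regedit. The script below is an added example, not code from the original article: it parses a constructed .reg export, lists every value under the Run* keys named above, and compares each shell\open\command value with an expected table. Only txtfile's normal value ("C:\Windows\Notepad.exe %1") comes from the page; exefile's '"%1" %*' is an assumption about a default Windows 9x install and should be adjusted for the machine being checked.

```python
import re

# Expected open commands per file type. txtfile's value is from the page;
# exefile's is an assumption about a default install (adjust as needed).
EXPECTED_OPEN_COMMANDS = {
    "txtfile": r"C:\Windows\Notepad.exe %1",
    "exefile": r'"%1" %*',
}

# Constructed .reg export (not taken from a real machine). In .reg files
# every backslash in a value is doubled and embedded quotes are escaped.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\Windows\\System\\file.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System\\SYSEXPLR.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# A string value line: @ (default) or a quoted name, then = and quoted data.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(".*")$')
# Run, RunOnce, RunServices ... under the three hives the page names.
RUN_KEY_RE = re.compile(
    r"^HKEY_(?:LOCAL_MACHINE|CURRENT_USER|USERS\\\.Default)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
ASSOC_RE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\]+)\\shell\\open\\command$", re.IGNORECASE)


def _unescape(quoted):
    """Strip surrounding quotes and undo .reg escaping (\\" and \\\\)."""
    return quoted[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = "@" if m.group(1) == "@" else _unescape(m.group(1))
                keys[current][name] = _unescape(m.group(2))
    return keys


def list_run_entries(reg_text):
    """Every (key name, value name, command) under a Run* key, for manual review."""
    entries = []
    for key, values in parse_reg(reg_text).items():
        if RUN_KEY_RE.match(key):
            for name, cmd in values.items():
                entries.append((key.rsplit("\\", 1)[1], name, cmd))
    return entries


def check_associations(reg_text, expected=EXPECTED_OPEN_COMMANDS):
    """Compare each expected file type's open command with the exported value."""
    actual = {}
    for key, values in parse_reg(reg_text).items():
        m = ASSOC_RE.match(key)
        if m and "@" in values:
            actual[m.group(1).lower()] = values["@"]
    findings = []
    for ftype, good in expected.items():
        cmd = actual.get(ftype)
        if cmd is None:
            findings.append((ftype, "missing", None))
        elif cmd.lower() != good.lower():
            findings.append((ftype, "changed", cmd))
    return findings


if __name__ == "__main__":
    for entry in list_run_entries(SAMPLE_REG):
        print("Run entry:", entry)
    for finding in check_associations(SAMPLE_REG):
        print("Association:", finding)
```

To use it on a real system, export the keys from Regedit (Registry > Export Registry File) and pass the file's text to the two functions; every Run entry still has to be judged by hand, while a "changed" association is a direct sign that the key needs to be restored.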
⑧ Uploading a bundled file
To use this trigger, the controller first establishes a connection to the server through a Trojan, then uses a binding tool to bundle the Trojan file with an application and uploads the result to overwrite the original application. Even if the Trojan file itself is deleted, the Trojan is reinstalled whenever the bundled application runs; if it is bound to a system file, the Trojan starts at every Windows startup.
When you find a suspicious file you can try to delete it. Most Trojans run in the background and do not appear in the Ctrl+Alt+Del task list, where only system processes should be running. If you cannot find a file among the processes yet cannot delete it either (the message says it is in use), treat it with suspicion.
4. Manual removal
If your hard disk keeps working for no reason, the drive light stays on, or the network connection, mouse or screen behave abnormally, a Trojan is probably lurking on the machine and it is time to clear it out. How do you remove Trojans without accidentally deleting useful files? When the methods above turn up a suspicious program, first look at the file's properties. Its creation time should not be recent; if the suspicious executable was created or last modified very recently, or even at the current time, something is wrong.
First check the processes and use the process viewer of a third-party tool to see whether the suspicious process can be killed. Then check whether the suspect port is still open (a reboot is sometimes needed); if it is not, you were right. Then delete the program, and the Trojan has been removed by hand.
If the Trojan has changed the association of TXT, EXE, ZIP or other files, you need to change the Registry back. If you cannot do that by hand, you can restore an earlier copy of the Registry to repair the associations by running "scanreg /restore" from DOS. Note that this command can only restore a Registry backup from the previous five days (the default). This easily undoes the key values the Trojan changed.