A DLL injection Trojan is a very common type of Trojan on the network. Like a parasite, the Trojan hides inside an important system process in the form of a DLL file and is called through that host process to implement remote control. Because it lives inside a system process, such a Trojan can pass through the firewall, and what is even more troublesome is that anti-virus software can do little about it: even when it raises an alarm and reports a virus, the Trojan cannot be killed and the Trojan DLL file cannot be deleted, because the host process is calling it. Below we set the anti-virus software aside and clear the DLL Trojan with dedicated tools and manual methods.
I. Clear ideas
1. Find the host process of the Trojan through system tools and third-party tools, and locate the trojan DLL file.
2. Terminate the trojan injection process.
3. Delete the trojan file.
4. Clear registry-related items.
II. Clearing Method
1. Clear normal process DLL injection Trojan
Many DLL Trojans are injected into the iexplore.exe and explorer.exe processes. DLL Trojans injected into such common processes are easy to clear.
If the DLL file is injected into the iexplore.exe process, which is the IE browser process, you can close all IE windows and related programs and then directly find the DLL file and delete it. If it is injected into the explorer.exe process, it is a little more troublesome, because this process displays the desktop and Explorer. When the explorer.exe process is ended from Task Manager, the desktop disappears: all desktop icons vanish, "My Computer" and "My Network Places" are gone, and you cannot open Explorer to find and delete the Trojan file. What should we do?
In this case, click "File" > "New Task (Run...)" in Task Manager to open the Create New Task dialog box, click Browse, and in the Browse dialog box navigate to the folder containing the DLL file. Set "Files of type" to "All files" so that the DLL is displayed, then delete it.
Tip: If you are familiar with the command line (cmd.exe), you can clear it directly with commands such as:
taskkill /f /im explorer.exe
del C:\Windows\System32\test.dll
start explorer.exe
The first line ends explorer.exe, the second line deletes the Trojan file test.dll, and the third line restarts explorer.exe to restore the desktop.
2. Use IceSword to uninstall the DLL file
If a Trojan is inserted into a key process such as svchost.exe, you cannot expect the process manager to end the process; you need additional tools to unload the DLL file from the process.
IceSword V1.22 is very powerful and can detach DLL files inserted into running system processes. In the IceSword process list window, right-click the host process of the DLL Trojan and select the "Module Information" command in the pop-up menu to open the DLL module list dialog. Select the suspicious module and click the "Unload" button to remove the DLL Trojan from the process.
If you are prompted that the DLL cannot be unloaded, click the "Force Release" button to forcibly remove the DLL from the process. You can then obtain the path of the DLL file from the module file name column and delete the DLL Trojan from that folder.
3. SSM ends all DLL Trojans
Some DLL Trojans are injected into key system processes, and these processes cannot be ended in the normal way. Using special tools to end such a process or unload the DLL from it is likely to make the system crash or stop working normally. For example, when a Trojan is injected into the winlogon.exe process, which handles Windows logon, using IceSword to unload it makes the system restart abnormally and the DLL file still cannot be cleared; after the restart, the DLL Trojan is loaded again.
For such DLL Trojans, loading of the DLL file must be blocked before the process runs. A powerful security tool, "System Safety Monitor" (SSM), can be used to prevent the DLL file from loading. SSM is system monitoring software developed in Russia. It monitors specific system files and programs to protect system security. This software is very powerful and works well alongside firewalls and anti-virus software to better protect the system.
Run SSM, select the "Rules" tab in the program interface, right-click the blank area of the rule list in the middle, and select the "Add" command. In the pop-up window, select "library file" as the file type and specify the file path "C:\Windows\system32\rejoice.dll". After confirming, the DLL Trojan file is added to the rule list; then select "block (F2)" from the "Rules" drop-down list at the bottom of the page.
After adding the rule, click "Apply Settings" and restart the system. Before restarting, check the SSM settings to ensure that SSM is loaded and running at system startup. When the system restarts, processes are automatically prevented from calling the rejoice.dll Trojan file. Because the Trojan file is no longer called by any process, you can delete it directly.
In addition, other tools can also be used to clear DLL Trojans and backdoors, such as the "blacklist" function of the Tiny Personal Firewall 2005 (TPF) firewall, which works the same way. In short, before the Trojan DLL file is called, it is blocked from being loaded by the process, which ends the Trojan process and allows the Trojan to be deleted.
4. Clear the DLL Trojan through the system permission Method
In Windows, NTFS partitions provide powerful file permission settings that let you control whether a file can be accessed by a program. With this function we can prevent the host process from calling the corresponding DLL file, so that the DLL Trojan file can be completely removed.
Double-click "My Computer" and choose "Tools" > "Folder Options" > "View" from the menu. In the Advanced settings list, clear the "Use simple file sharing" option.
Locate the DLL file that cannot be deleted, right-click it, select the "Properties" command in the pop-up menu, and click the "Advanced" button. In the pop-up window, clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" option. Click "Remove" in the dialog that appears, and then click OK. In this way, no user can access or call this DLL Trojan file. Restart the system and then delete the DLL file.
5. Restore the system
After deleting the DLL file, go to the Registry and find all items associated with the DLL Trojan, especially:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
and so on.
In addition, DLL Trojans do not only live in Run and RunOnce; they may be found in more places. For example, "KnownDLLs" is a good hiding place for this category of DLL. Under the Registry sub-key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs", the default paths of some known DLLs are stored. If the DLL Trojan modifies or adds some of these values, it can be silently loaded into the corresponding process in place of the normal DLL file during system startup.
III. Summary
In general, there are many kinds of DLL Trojan backdoors, and the Registry locations and system processes chosen by each Trojan also differ. The general idea for clearing a DLL Trojan is as follows:
When encountering a DLL injection Trojan, first consider using a tool such as procexp to find the host process of the DLL Trojan. If the host process is a common process that can be ended, you can end it and then directly delete the Trojan file.
If the DLL Trojan is injected into a key system process, use IceSword to unload the DLL file. If that fails, use SSM to establish a rule that prevents the DLL file from being loaded.
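The first step of the procedure (tie every loaded DLL to its host process and flag the ones outside the usual system folders) and the Registry check in section 5 can be scripted. The following PowerShell triage script is an added example, not code from the original article; it assumes an elevated PowerShell 5.1 or newer session and reads CurrentControlSet rather than the article's ControlSet001 (CurrentControlSet normally points to the active set).

```powershell
# Added triage script (not from the original article). Assumes an elevated
# PowerShell 5.1+ session so that other processes' module lists can be read.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-SuspiciousModules {
    # Emits every loaded module whose image path lies outside the trusted roots,
    # together with its host process, so a DLL can be tied to its host (step 1).
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }   # System/Idle/protected processes throw
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true; break
                }
            }
            if (-not $inTrusted) {
                [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $path }
            }
        }
    }
}

function Get-AutorunEntries {
    # Lists the Run/RunServices values and KnownDLLs entries named in section 5
    # so each value can be compared with the module list above.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'  # assumption: active set
    )
    $psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }            # RunServices is absent on newer systems
        $item = Get-ItemProperty -Path $k
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $psProps) { continue }    # skip provider bookkeeping properties
            [pscustomobject]@{ Key = $k; Name = $prop.Name; Value = $prop.Value }
        }
    }
}

Get-SuspiciousModules | Sort-Object Process | Format-Table -AutoSize
Get-AutorunEntries | Format-Table -AutoSize
```

A Trojan DLL planted inside System32, as in the article's test.dll and rejoice.dll examples, is not caught by the path check alone; pipe the module paths of the suspected host into Get-AuthenticodeSignature and review any module whose status is not Valid.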