How to find and remove thread-insertion Trojans

Source: Internet
Author: User
Tags: command line, comparison, ini, port number, backup

Trojan horse programs are probably the most rampant kind of malware on today's networks, and their attacks keep getting stronger. To hide, very few of them now run as an independent .exe file; instead they embed themselves into the kernel, inject themselves into another process as a remote thread, hook the PSAPI functions, and so on. These Trojans are currently the hardest to deal with. This article shows how to find and remove Trojans that insert themselves as threads.

First: find the Trojan through its autostart mechanism

When it comes to looking for Trojans, most people immediately think of checking the places from which a Trojan is launched for "clues". The usual places are the following:

(1) Registry startup entries

Enter "Regedit.exe" in Start/Run to open Registry Editor, then expand [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\] and look at every subkey whose name starts with "Run" for new or suspicious values. The path of the file that each value points to tells you whether it belongs to newly installed software or to a Trojan. In addition, the [HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command\] value can also be used to load a Trojan, for example by changing it to "X:\windows\system\ABC.exe %1" (the normal value is "%1" %*, which simply runs the program that was opened).

(2) System services

Some Trojans start by adding a service. Open Registry Editor and look for suspicious values under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] and for suspicious subkeys under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\]. Then disable or remove the service the Trojan added: enter "Services.msc" in Run to open the Services window, which lists every service in the system together with its status, startup type and logon account. Find the service the Trojan starts, double-click it, change the startup type to "Disabled" and exit. You can also do this through the registry: expand HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<service name>, find the value "Start" in the right pane and change its data; "2" means automatic, "3" means manual and "4" means disabled. Best of all is to delete the whole subkey, but first export it with the registry's export function so that you can restore it at any time.

(3) The Start menu's Startup group

Most Trojans no longer start from the Start menu, but it should not be ignored. If you find a new item under Start/Programs/Startup, right-click it and choose "Find Target" to see the file's directory; be wary if the path is a system directory. You can also see the Startup folder's location in the registry, under [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders], in the value named "Startup".

(4) The system INI files Win.ini and System.ini

The system INI files Win.ini and System.ini are also favourite hiding places for Trojans. Select Start/Run and enter "msconfig" to open the System Configuration Utility, then check that nothing suspicious follows the load= and run= entries in the [windows] section of Win.ini (normally there is nothing after the "="). Also check the shell= entry in the [boot] section of System.ini: it should read Shell=Explorer.exe with nothing after it.

(5) Batch files

If you use a Win9x system, also look at the two batch files AUTOEXEC.BAT in the root of drive C and Winstart.bat in the Windows directory. The commands in them are normally generated by installed software and are loaded automatically at system startup. Adding "echo off" to a batch file makes it show only the result of each command at startup, not the command itself; prefixing a line with "@" suppresses even that, and many earlier Trojans were run this way.
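The checks in sections (1) to (4) above can be collected in one read-only audit. The script below is an added example, not part of the original article: it lists every Run* entry under the two CurrentVersion keys, the exefile open handler, services whose Start value is 2, the contents of the Startup folders, and the load=/run=/shell= lines of the two INI files. Function names are my own; it changes nothing and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): audit the autostart locations
# described in sections (1) to (4). Output only; nothing is modified.

function Get-RunKeyEntries {
    # Every "Run*" subkey (Run, RunOnce, RunServices, ...) under both CurrentVersion keys.
    $roots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'Run*' } |
            ForEach-Object {
                $key = $_
                $props = Get-ItemProperty -Path $key.PSPath
                foreach ($p in $props.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
                    [PSCustomObject]@{ Location = $key.Name; Name = $p.Name; Command = $p.Value }
                }
            }
    }
}

function Get-ExeFileHandler {
    # Default value of exefile\shell\open\command; anything other than "%1" %* is suspect.
    $cmd = (Get-ItemProperty -Path 'HKLM:\Software\Classes\exefile\shell\open\command').'(default)'
    [PSCustomObject]@{ Handler = $cmd; LooksNormal = ($cmd -eq '"%1" %*') }
}

function Get-AutoStartServices {
    # Services whose registry Start value is 2 (automatic); 3 = manual, 4 = disabled.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($svc.Start -eq 2 -and $svc.ImagePath) {
                [PSCustomObject]@{ Service = $_.PSChildName; ImagePath = $svc.ImagePath }
            }
        }
}

function Get-StartupFolderItems {
    # Startup folder paths taken from the Shell Folders keys, as in section (3).
    $folders = @(
        (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
        (Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
    )
    foreach ($f in $folders) {
        if ($f -and (Test-Path $f)) {
            Get-ChildItem -Path $f -File | Select-Object FullName, LastWriteTime
        }
    }
}

function Get-IniLoaders {
    # load= and run= in [windows] of win.ini should be empty; shell= in [boot] of
    # system.ini should be Explorer.exe with nothing after it.
    $checks = @(
        @{ File = "$env:windir\win.ini";    Section = 'windows'; Names = 'load', 'run' },
        @{ File = "$env:windir\system.ini"; Section = 'boot';    Names = 'shell' }
    )
    foreach ($c in $checks) {
        if (-not (Test-Path $c.File)) { continue }
        $section = ''
        foreach ($line in Get-Content $c.File) {
            if ($line -match '^\s*\[(.+)\]') { $section = $Matches[1]; continue }
            if ($section -ne $c.Section) { continue }
            foreach ($n in $c.Names) {
                if ($line -match "^\s*$n\s*=\s*(.*)$") {
                    [PSCustomObject]@{ File = $c.File; Setting = "$n="; Value = $Matches[1] }
                }
            }
        }
    }
}

'== Run* registry entries ==';        Get-RunKeyEntries      | Format-Table -AutoSize -Wrap
'== exefile open handler ==';         Get-ExeFileHandler     | Format-List
'== Automatic services ==';           Get-AutoStartServices  | Format-Table -AutoSize -Wrap
'== Startup folder items ==';         Get-StartupFolderItems | Format-Table -AutoSize
'== win.ini / system.ini loaders =='; Get-IniLoaders         | Format-Table -AutoSize
```

Look first at anything whose Command or ImagePath points into a system directory but is not a file you recognise, at an exefile handler that is anything but "%1" %*, and at any non-empty load=/run= line; those are exactly the places the article says a Trojan uses to get loaded.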

Second: find the Trojan by comparing files

Once the main program of this newer kind of Trojan has loaded, it inserts itself as a thread into a system process and then deletes its own files from the system directory and its startup entries from the registry, so that anti-virus software and users have trouble finding it. It then watches for the user to shut down or restart and, when that happens, recreates the virus files and registry startup entries before the system shuts down. Here are a few tricks to bring it into the open (using Windows XP as the example):

(1) Compare against a backup of the normal process list

You can back up the list of processes under normal conditions so that you can compare against it and find suspicious processes at any time. Take the backup right after startup, before launching any other program, so that nothing else has had a chance to load a process. Enter "cmd" in Run, then enter "tasklist /svc >x:\processlist.txt" (hint: omit the quotes, leave a space before the parameter, and choose your own save path for the file) and press Enter. This command displays the list of applications and their related tasks/processes running on the local or a remote system. Enter "tasklist /?" to display the command's other parameters.

(2) Compare against a backup of the system DLL list

What about a DLL Trojan that has no process of its own? Since the Trojan lives in a DLL file, we can start from the files. System DLLs are normally kept in the System32 folder, so we can make a list of the DLL file names in that directory: open a Command Prompt window, use the cd command to enter the system32 directory, enter "dir *.dll >x:\listdll.txt" and press Enter, so that every DLL file name is recorded in listdll.txt. Later, if you suspect a Trojan intrusion, make a second list "listdll2.txt" in the same way and compare the two with a text editor such as UltraEdit, or go to the directory where the files are saved in the Command Prompt window and enter "fc listdll.txt listdll2.txt". This makes it easy to find changed and newly added DLL files, which can then be examined to decide whether they belong to the Trojan.

(3) Compare loaded modules

Frequent software installation changes many files in the System32 directory; in that case you can narrow the search by comparing the loaded modules instead. Enter "Msinfo32.exe" in Start/Run to open System Information, expand Software Environment/Loaded Modules, choose File/Export to save it to a text file, and later export another copy to compare against it.
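The three baselines from sections (1) to (3) (process list, System32 DLL names, loaded modules) are easier to keep and diff when one script writes them. The following is an added example and not code from the original article: Save-Baseline writes the three lists into a folder, and Compare-Baseline reports what was added or removed between two such folders, which is what "fc listdll.txt listdll2.txt" does by hand. The function names and the X:\baseline folder names in the usage lines are my own.

```powershell
# Added example (not from the original article): snapshot the process list, the
# System32 DLL names and the loaded modules, then diff two snapshots.

function Save-Baseline {
    param([Parameter(Mandatory)][string]$Folder)
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null

    # (1) tasklist /svc as in the article, reduced to "image -> services" so that
    #     PIDs, which change between boots, do not show up as differences
    tasklist /svc /fo csv | ConvertFrom-Csv |
        ForEach-Object { '{0} -> {1}' -f $_.'Image Name', $_.Services } |
        Sort-Object -Unique | Out-File -FilePath (Join-Path $Folder 'processlist.txt')

    # (2) names of every DLL in System32, one per line, sorted for a stable diff
    Get-ChildItem -Path "$env:windir\System32" -Filter *.dll -File |
        Select-Object -ExpandProperty Name | Sort-Object |
        Out-File -FilePath (Join-Path $Folder 'listdll.txt')

    # (3) full paths of modules loaded in every process we are allowed to read
    #     (the msinfo32 "Loaded Modules" view); protected processes are skipped
    Get-Process -Module -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FileName | Sort-Object -Unique |
        Out-File -FilePath (Join-Path $Folder 'modules.txt')
}

function Compare-Baseline {
    param([Parameter(Mandatory)][string]$Reference,
          [Parameter(Mandatory)][string]$Current)
    foreach ($name in 'processlist.txt', 'listdll.txt', 'modules.txt') {
        $old = @(Get-Content (Join-Path $Reference $name))
        $new = @(Get-Content (Join-Path $Current $name))
        Compare-Object -ReferenceObject $old -DifferenceObject $new | ForEach-Object {
            [PSCustomObject]@{
                List   = $name
                Change = $(if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' })
                Item   = $_.InputObject
            }
        }
    }
}

# Usage: take the first snapshot right after a clean boot, a later one when in doubt, then diff.
# Save-Baseline -Folder 'X:\baseline1'
# Save-Baseline -Folder 'X:\baseline2'
# Compare-Baseline -Reference 'X:\baseline1' -Current 'X:\baseline2' | Format-Table -AutoSize
```

A DLL that appears in modules.txt as newly loaded inside a system process (for example one hosted by svchost.exe) but is absent from listdll.txt is worth a close look, because that is the pattern the article describes: the Trojan runs as a module inside someone else's process and hides its file between boots.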

(4) View suspicious ports

Any Trojan that connects and receives or sends data has to open a port, and DLL Trojans are no exception, so here we use the netstat command to view the open ports. Enter "netstat -an" in the Command Prompt window to display all connections and listening ports. Proto is the protocol used by the connection, Local Address is the local computer's IP address and the port number in use, Foreign Address is the IP address and port number of the remote computer the port is connected to, and State shows the status of the TCP connection. The netstat in Windows XP has one parameter more than earlier versions, -o, which maps each port to the process that owns it. Enter "netstat /?" to display the command's other parameters. By analysing the open ports we can narrow the search down to specific processes, and then examine them with process-analysis software such as the Rising Kaka assistant and the Rising personal firewall.
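The -o mapping described above becomes much more useful once the PID column is joined to a process name and image path, because a DLL Trojan shows up as a port owned by its host process (often a system process), not by a file of its own. The function below is an added example and not part of the original article: it runs "netstat -ano", parses the TCP and UDP rows, and looks each owning PID up with Get-Process. The function name and switch are my own.

```powershell
# Added example (not from the original article): map every open port reported by
# "netstat -ano" to the owning process name and image path.

function Get-PortOwners {
    param([switch]$ListeningOnly)   # when set, keep only TCP LISTENING rows and UDP sockets

    # Build a PID -> process lookup once; Path is empty for processes we cannot open.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    netstat -ano | ForEach-Object {
        $fields = $_.Trim() -split '\s+'
        if ($fields[0] -ne 'TCP' -and $fields[0] -ne 'UDP') { return }   # skip header lines

        # TCP rows: Proto Local Foreign State PID; UDP rows have no State column
        if ($fields[0] -eq 'TCP') { $state = $fields[3]; $ownerPid = [int]$fields[4] }
        else                      { $state = '';         $ownerPid = [int]$fields[3] }

        if ($ListeningOnly -and $fields[0] -eq 'TCP' -and $state -ne 'LISTENING') { return }

        $proc = $byPid[$ownerPid]
        [PSCustomObject]@{
            Proto   = $fields[0]
            Local   = $fields[1]
            Foreign = $fields[2]
            State   = $state
            PID     = $ownerPid
            Process = $(if ($proc) { $proc.ProcessName } else { '<exited or not visible>' })
            Path    = $(if ($proc) { $proc.Path } else { '' })
        }
    }
}

# Usage: list every listener with its owner, sorted by local endpoint.
Get-PortOwners -ListeningOnly | Sort-Object Local | Format-Table -AutoSize
```

When a port you cannot account for belongs to a process such as svchost.exe, the process name alone does not identify the culprit; cross-reference that PID with "tasklist /svc" and with the loaded-module comparison from section (3) to find the DLL inside it that does not belong.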
