The hottest search and cleanup thread plug-in Troj

2022-10-16
  • Detail

Find and remove thread plug-in Trojans

it is estimated that the most rampant viruses on the network at present are not Trojans. Especially in the past 2004, the attack of Trojans has also been greatly strengthened. In terms of process hiding, major changes have been made. Instead of using the form of independent exe executable files, they have been replaced by kernel embedding, remote thread insertion technology, and connecting psapi, These Trojans are also the most difficult to deal with at present. This issue will teach you to find and clear thread plug-in Trojans

operation steps:

1. Check the Trojan horse through the automatic operation mechanism

when it comes to finding the Trojan horse, many people immediately think of finding "clues" through the Trojan horse's startup key. The specific places are generally as follows:

1) registry startup key:

enter "e" in "start/run" to open the registry, Expand [hkey_currentu usersoftwaremi axial force in turn, and take the weight force crosoftwindowscurrentversion] and [hkeyu localmachinesoftwaremicrosoftwindowscurrentversion], and check all the items starting with "run" below to see whether there are new and suspicious key values. You can also judge whether they are newly installed software or Trojan horse programs by the file path pointed to by the key value

in addition, the [hkey local machinesoftwareclassesexerciseshellopencommand] key value may also be used to load Trojans, for example, modify the key value to "x:windowssysteme"%1 "%"

2) system service

some Trojans realize self startup by adding service entries. You can open the registry, search for suspicious key values under [hkey_localmachinesoftwaremicrosoftwindowscurrentversionrunservices], and check the suspicious key values under [hkeyu localmachinesystem currentcontrolsetservices]

then disable or delete the service items added by the Trojan horse: enter "C" in "run" to open the service setting window, which displays all the service items in the system and the state, startup type and login nature of the shrinkage difference caused by the uneven temperature in all parts of the plastic parts. Find the service started by the Trojan horse, double-click to open it, change the startup type to "disabled", and exit after confirmation. You can also modify it through the registry, expand the "hkey_local_machinesystemcurrentcontrolsetservices service display name" key in turn, find the binary value "start" in the right pane, and modify its numerical value, "2" means automatic, "3" means manual, and "4" means disabled. Of course, it is best to delete the whole primary key directly. Usually, you can back up these key values through the registry export function for comparison at any time

3) start menu start group

most Trojans now no longer start randomly through the start menu, but they should not be taken lightly. If you find a new item in "start/program/start", you can right-click it and select "find target" to check under the directory of the file. If the file path is the system directory, you should be more careful. You can also view it directly in the registry. Its location is [hkey_current_usersoftwaremicrosoftwindowscurrentversionexplorershell folders] and the key name is startup

4) system INI files I and I

system INI files I and I are also places where Trojans like to hide. Select "start/run", enter "msconfig" to call up the system configuration utility, and check whether there are any suspicious programs behind the load and run fields under the [windows] section of I. generally, the "=" is blank; Also, check after shell=e in the [boot] section of I

5) batch file

if you are using the win 9x system, you should also look at the "t" batch file under the root directory of Disk C and the "t" batch file under the directory of windows. The commands inside are generally automatically generated by the installed software, and they will be automatically loaded by default in the system. Add "echo off" before the batch file statement, and only the execution result of the command will be displayed at startup, not the command itself; If you add an "@" character in front of it, there will be no prompt. Many Trojans in the past used this method to run

2. Check the Trojan horse through file comparison

a newly emerged Trojan horse. After its main program is successfully loaded, it will insert itself as a thread into the system process e, and then delete the virus file in the system directory and the startup key of the virus in the registry, so that it is difficult for the anti-virus software and users to detect. Then it will monitor whether the user is shutting down and restarting, and if so, it will re create the virus file and registry startup key before the system is shut down. The following tips can make it show its original shape (take Win XP system as an example):

1) compare the common processes backed up

you can back up a list of processes at ordinary times, so that you can compare and find suspicious processes at any time. The method is as follows: start the backup before other operations after startup, which can prevent other programs from loading processes. Enter "CMD" during the operation, and then enter "tasklist/svc>x:t" (prompt: excluding quotation marks, leave a space before the parameter, followed by the file saving path) enter. This command can display the list of related tasks/processes running on the application and the local or remote system. Enter "tasklist/?" Other parameters of the command can be displayed

2) compare the list of backed up system DLL files

what about DLL Trojans without independent processes? Since the Trojan horse is the idea of DLL files, we can start from these files. Generally, the system DLL files are saved in the system32 folder. We can make a list of the DLL file names and other information under the directory based on the digital chemical plant, open the command line window, use the CD command to enter the system32 directory, and then enter "dir *.dll>x:t" and hit enter, so that all the DLL file names are recorded in the T file. In the future, if it is suspected that there is a Trojan horse intrusion, you can use the above method to back up a file list "t", and then use text tools such as "UltraEdit" to compare; Or enter the file saving directory in the command line window and enter "FC t t", so that you can easily find those DLL files that have been changed and added, and then judge whether they are Trojan files

3) compare the loaded modules

frequent software installation will cause great changes to the files in the system32 directory. At this time, you can use the method of comparing the loaded modules to narrow the search scope. Enter "e" in "start/run" to open "system information", expand "software environment/loaded modules", and then select "file/export" to back it up as a text file. If necessary, back up another one for comparison

4) check the suspicious port

as long as all Trojans connect, receiving/sending data will inevitably open the port, and DLL Trojans are no exception. Here we use netstat command to check the open port. We enter "netstat an" in the command line window to display all the connection and listening ports. Proto refers to the protocol name used for the connection, local address refers to the IP address of the local computer and the port number being used for the connection, foreign address refers to the IP address and port number of the remote computer connected to the port, and state refers to the status of TCP connection. The netstat command in Windows XP has one more -o parameter than the previous version. Using this parameter, you can map the port to the process. Enter "netstat/?" Other parameters of the command can be displayed

then we can analyze the open port of the electronic universal experimental machine, which is a kind of experimental machine for tensile, contraction, zigzag, shear and other mechanical properties of materials, narrow the scope to the specific process, and then use the process analysis software, such as the e program under the directory of "windows optimization master", to find the Trojan horse program embedded therein. Some Trojans will communicate through port hijacking or port reuse. Generally, they will choose common ports such as 139 and 80, so we should pay more attention when analyzing. You can also use network sniffing software (such as commview) to understand what data the open port is transmitting. (end)

Copyright © 2011 JIN SHI