Trojan DLL files embedded into trusted processes (such as Explorer.exe) on XP

xiaoxiao2021-03-06  55

Recently my computer's browser was tampered with. I tried to recover the browser and delete the registry key value; as long as I didn't restart it stayed recovered, but after a restart two DOS windows run and then disappear, and I couldn't see the command. I also tried System Restore, but it was still tampered with again, so I think it should be caused by an embedded DLL file, because when I tried to find the process there were always two update processes, one 16-bit and one 32-bit. I think the problem lies in this file, but I don't know how to find and modify it. Please help!

Here is the method provided by netizens; it may also benefit those who write Trojans ^_^

Discovering and removing dynamically embedded DLL Trojans. With Microsoft's transition to the WinNT line of systems (including 2K/XP/2003), Task Manager was also thoroughly reborn and given a pair of golden eyes: a traditional Trojan can no longer hide its own process under WinNT, which put Trojans in a crisis unseen since the Win98 days, when they could hide from the task manager. The developers of Trojans therefore adjusted their development ideas in time, and that is why there is today's article on how to remove dynamically embedded DLL Trojans.

First, let's look at what a dynamically embedded Trojan is. In order to keep hiding their process under the NT system, Trojan developers began to use DLL (Dynamic Link Library) files. At first they simply wrote the Trojan as a DLL to replace the system DLL responsible for Winsock 1.x calls, wsock32.dll (Winsock 2 is handled by WS2_32.dll); by handling the agreed functions itself and forwarding the unknown ones (the DLL Trojan renames the real WSOCK32.dll so that it can forward functions to it later), it implemented its remote control features. However, with the introduction of Microsoft's digital signature technology and file recovery function, this kind of DLL horse lost its vitality, so with the developers' efforts the current mainstream appeared: the dynamically embedded DLL Trojan, which embeds the DLL Trojan into a process that is already running. System key processes that cannot be ended, such as SMSS.exe, are the favourite of DLL horses, so the Trojan does not appear in the task manager, and there is no longer a carrier EXE file for the DLL. Of course, with further processing the DLL Trojan can also achieve port hijacking/multiplexing (the so-called "portless" Trojan), registration as a system service, multi-thread protection, and so on. In short, the DLL Trojan has reached an unprecedented level.

So how do we discover and remove DLL Trojans?

First, start from the DLL Trojan's DLL file itself. We know that SYSTEM32 is a great place for hide-and-seek; many Trojans head there, and the DLL horse is no exception. So after installing the system and the necessary applications, record the EXE and DLL files in that directory: run CMD, change to the System32 directory, and run DIR *.EXE > EXEBACK.TXT & DIR *.DLL > DLLBACK.TXT, so the names of all EXE and DLL files are recorded in EXEBACK.TXT and DLLBACK.TXT. If abnormalities appear in the future and you suspect a DLL Trojan has sneaked into the system, use the same commands to record the EXE and DLL files under System32 into EXEBACK1.TXT and DLLBACK1.TXT, then run CMD - FC EXEBACK.TXT EXEBACK1.TXT > DIFF.TXT & FC DLLBACK.TXT DLLBACK1.TXT >> DIFF.TXT (compare the earlier and later EXE and DLL listings with the FC command and write the result to DIFF.TXT; the second FC must append with >>, otherwise it overwrites the first comparison). This way we can find the extra DLL and EXE files, and then, from creation time, version, compression and so on, it is easier to determine whether they are DLL Trojans. If unsure, don't delete outright: move the file to the Recycle Bin, and if the system shows no abnormal reaction, delete it completely or submit it to anti-virus software.

Second, as mentioned above, some system key processes are the favourite of such Trojans, so once we suspect the system has a DLL Trojan we must take care of these key processes. How? Here is a powerful tool, procedump.exe, which can show you which DLL files a process has loaded; but because a process loads many DLL files, checking them one by one is not very realistic. So we use ps.exe, an NT process/memory module viewer written by Shotgun: with the command ps.exe /a /m > NOWDLLS.TXT, save the DLLs currently loaded in the system to NOWDLLS.TXT, then use FC to compare it with the DLLBACK.TXT made in advance, which again narrows the range.
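The first two steps, a file baseline of System32 and a list of the DLLs loaded into a trusted process, can be done today with PowerShell instead of DIR/FC and ps.exe. The following is an added example, not code from the original post or from any of the tools it names; the baseline directory C:\baseline, the CSV file names and the choice of explorer as the process to inspect are assumptions, and it must run from an elevated shell to read every process's module list.

```powershell
# Added example (not from the original post): baseline-and-compare for System32
# binaries and for the DLLs loaded into a trusted process. C:\baseline and the
# CSV names are assumptions; run from an elevated PowerShell.

$Sys32 = Join-Path $env:SystemRoot 'System32'

# Step 1, equivalent of DIR *.EXE > EXEBACK.TXT: record name, size, creation
# time, file version and SHA-256, so that a file swapped in under an existing
# name (the wsock32.dll replacement trick) is caught, not only a new name.
function Export-BinaryBaseline {
    param([string]$Path = $Sys32, [string]$OutFile = 'C:\baseline\sys32-baseline.csv')
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    Get-ChildItem -Path $Path -File | Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Length      = $_.Length
                CreationUtc = $_.CreationTimeUtc.ToString('o')
                FileVersion = $_.VersionInfo.FileVersion
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $OutFile -NoTypeInformation
}

# Step 1, equivalent of FC EXEBACK.TXT EXEBACK1.TXT: report files that are new
# since the baseline or whose content hash changed.
function Compare-BinaryBaseline {
    param([string]$BaselineFile = 'C:\baseline\sys32-baseline.csv', [string]$Path = $Sys32)
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Name] = $_.Sha256 }
    Get-ChildItem -Path $Path -File | Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if (-not $baseline.ContainsKey($_.Name)) {
                [pscustomobject]@{ Name = $_.Name; Status = 'NEW';     Created = $_.CreationTimeUtc }
            } elseif ($baseline[$_.Name] -ne $hash) {
                [pscustomobject]@{ Name = $_.Name; Status = 'CHANGED'; Created = $_.CreationTimeUtc }
            }
        }
}

# Step 2, equivalent of ps.exe /a /m: list the DLLs loaded into a trusted
# process and flag those that live outside System32 or carry no valid
# Authenticode signature. A DLL injected into explorer.exe shows up here even
# though no carrier EXE appears in Task Manager.
function Get-SuspiciousModules {
    param([string]$ProcessName = 'explorer')
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try { $modules = $proc.Modules } catch { continue }   # protected processes deny access
        foreach ($m in $modules) {
            $path = $m.FileName
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $status = if ($sig) { $sig.Status } else { 'Unknown' }
            $inSys32 = $path.StartsWith($Sys32, [System.StringComparison]::OrdinalIgnoreCase)
            if (-not $inSys32 -or $status -ne 'Valid') {
                [pscustomobject]@{
                    Process   = "$($proc.ProcessName) ($($proc.Id))"
                    Module    = $path
                    Signature = $status
                }
            }
        }
    }
}

# Typical use: Export-BinaryBaseline once on a freshly installed system, later
# Compare-BinaryBaseline | Format-Table  and  Get-SuspiciousModules | Format-Table
```

The hash in the baseline is what makes this stronger than a DIR listing: a Trojan that renames the real wsock32.dll and drops its own copy under the original name keeps the name and may even keep the size, but not the SHA-256. The module report is a list of leads, not verdicts: explorer.exe legitimately loads shell extensions from Program Files, so every flagged entry still needs the creation time, version and signature check the text describes.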

Third, remember one feature of Trojans? Every Trojan must open a port as long as it receives/sends data, and the DLL Trojan is no exception. This gives us a clue: we can use Foundstone's port-to-process viewer fport.exe to see which process corresponds to each port, narrow the range to a specific process, and then combine it with procedump to find the DLL Trojan. Of course, some Trojans, as mentioned above, communicate through port hijacking or port reuse: common ports such as 139, 80 and 1443 are the favourites of Trojans, because even if the user checks the ports with a port scanner, a connection like TCP UserIP:1026 ControllerIP:80 ESTABLISHED is easily overlooked as web browsing (a firewall will think so too). So looking at ports alone is not enough; we have to monitor the port's communications, which is the fourth point.

Fourth, we can use a sniffer to understand what data is transmitted on the open port. By setting the NIC to promiscuous mode, all IP packets can be received; the sniffer program analyses the part of the payload of interest and decodes the rest according to the RFC documents. This makes it possible to determine the port used by the Trojan, and combined with fport and procedump we can find the DLL Trojan. As for the sniffer, I personally recommend Iris; its graphical interface is easier to get started with.

Fifth, when trying to kill a Trojan, people habitually go to the registry to try their luck. That may have been quite effective before, but if you encounter a Trojan registered as a system service (principle: in NT/2K/XP, the specified service program is loaded when the system starts), then checking the startup group / registry / autoexec.bat / win.ini / system.ini / wininit.ini / *.inf (such as autorun.inf) / config.sys will turn up nothing. Then we should check the system services: right-click My Computer - Manage - Services and Applications - Services, and you will see more than 100 services (really, MS: 75% of them are useless and can be disabled). Slowly look for the one that doesn't look right :). Of course, if you previously used the export list function to back up the services, use the file comparison method to find the foreign guest, record which file the service loads, then use Srvinstw.exe from the Resource Kit to remove the service and delete the loaded file.

Through the above five steps we are basically able to discover and remove a dynamically embedded DLL Trojan. You may also have noticed that doing some backups properly helps a lot in finding Trojans, though of course it also adds a lot of work.
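Steps three and five, mapping established connections to their owning process (the job of fport.exe) and exporting the service list so it can be compared later, can likewise be scripted. The following is an added example, not code from the original post or from fport, Srvinstw or any other tool named above; it assumes a Windows version with the NetTCPIP module (Get-NetTCPConnection), the baseline directory C:\baseline, and a short allow-list of browser process names, and it must run elevated.

```powershell
# Added example (not from the original post): PowerShell equivalents of
# fport.exe (step 3) and of the service-list export/compare (step 5).
# C:\baseline, the CSV names and the browser allow-list are assumptions.

# The ports the text names as favourites for port reuse by Trojans.
$WatchPorts = 80, 139, 1443

# Step 3: map every established TCP connection to its owning process and
# image path. A connection to remote port 80 is not dismissed as browsing;
# it is flagged when the owning process is not a browser you expect there,
# which is exactly the "UserIP:1026 ControllerIP:80 ESTABLISHED" case.
function Get-ConnectionOwners {
    param([string[]]$ExpectedWebClients = @('chrome', 'firefox', 'msedge', 'iexplore'))
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local      = "$($_.LocalAddress):$($_.LocalPort)"
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                ProcessId  = $_.OwningProcess
                Process    = $proc.ProcessName
                Image      = $proc.Path
                Suspicious = ($_.RemotePort -in $WatchPorts) -and
                             ($proc.ProcessName -notin $ExpectedWebClients)
            }
        }
}

# Step 5, equivalent of the service "export list": record every service with
# its start mode and image path and, for svchost-hosted services, the
# ServiceDll that the Service Control Manager loads into svchost.exe. A DLL
# Trojan registered as a service lives in that value, not in the Run keys.
function Export-ServiceBaseline {
    param([string]$OutFile = 'C:\baseline\services.csv')
    New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            PathName   = $_.PathName
            ServiceDll = $dll
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation
}

# Compare-Object plays the role of FC on the two exports: side indicator "=>"
# marks services that exist now but not in the baseline, or whose image path
# or ServiceDll changed since the baseline was taken.
function Compare-ServiceBaseline {
    param(
        [string]$BaselineFile = 'C:\baseline\services.csv',
        [string]$CurrentFile  = 'C:\baseline\services-now.csv'
    )
    Export-ServiceBaseline -OutFile $CurrentFile
    Compare-Object -ReferenceObject (Import-Csv -Path $BaselineFile) `
                   -DifferenceObject (Import-Csv -Path $CurrentFile) `
                   -Property Name, PathName, ServiceDll |
        Where-Object { $_.SideIndicator -eq '=>' }
}

# Typical use: Export-ServiceBaseline once on a clean system, later
# Get-ConnectionOwners | Where-Object Suspicious | Format-Table
# Compare-ServiceBaseline | Format-Table
```

On XP itself Get-NetTCPConnection does not exist; netstat -ano gives the same owning-process column that fport reports, and the rest of the reasoning is unchanged. Once a foreign service has been identified and its ServiceDll noted, sc.exe delete <name> removes the service registration in the same way the text uses Srvinstw.exe, after which the loaded file can be dealt with.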

Please cite the original address when reposting: https://www.9cbs.com/read-110350.html
