The Falling Snow Trojan is a huge team of Trojan virus files consisting of about 14 files. Once infected, the virus files will fall to the computer like falling snow, which is why it is named so
p>You can’t find the pagefile and other two files, which does not prove that there is no Snow Trojan
But from the situation you described, there is no sign that can prove the existence of Snow Trojan, for example, except winlogon .exe, the main program of Luoxue Trojan may also be lsass.exe or smss.exe in disguise. But you said there is only one winlogon.exe, so it shouldn’t be Luoxue.
There are many Trojans that can be inserted into the winlogon.exe process, and they may modify the registry. This symptom also cannot prove that it is Luoxue. Moreover, Luoxue Trojan will not add websites to your system
Based on the comprehensive judgment, you are not infected by Luoxue Trojan
Many Trojan viruses now enter the user system in groups. Very complicated. You should figure it out one by one now. I suggest you download HIJACKTHIS, scan a system log, and send it up. In this way, you can make a comprehensive and accurate analysis of the status of your computer. What is the problem and what kind of virus is in it? . Otherwise, your current description is rather vague and you cannot judge no matter how high your level is. Logs are very important
As for UPDATE, that is a small problem. You can upgrade manually or use the system disk to repair the system and then upgrade automatically
/q?word= C2E4D1A9C4BEC2EDamp; ct= 17amp; pn=0amp; IceSword 1.22 Introduction
/q?word=B1F9C8D0amp; ct=17amp; pn=0amp; tn=ikaslistamp;rn=10
Added small The functions are:
1. Module search in the process bar (Find Modules)
2. Search function in the registry bar (Find, Find Next)
3. The search functions in the file bar are ADS enumeration (including or excluding subdirectories) and ordinary file search (Find Files)
The above is the most requested, and it is indeed useful for finding malware. Helpful
4. Deletion of BHO column and restoration of SSDT column
This is considered a "tasteless" item and can be added or not.
5. Advanced Scan: The Scan Module in the third step is provided to some advanced users. General users should not restore casually, especially the entries whose first item is displayed as "-----", because They are either modifications of the operating system itself or modifications of IceSword. After restoration, the system will crash or IceSword will not work properly. The earliest IceSword also restored some malicious inline hooks of the kernel execution body and file system, but did not prompt the user. Now I think it may be helpful to let advanced users analyze it themselves like SVV does. In addition, some items in it will be repeated (IAT hook and Inline modified hook). I am too lazy to check it. Repeated restore does not matter much. Also, do not do other things while scanning, please wait patiently.
Some friends suggested that we should do more analysis on the found results to determine the meaning of the modified code. This is certainly good, but it is very cumbersome to get perfect results - for example, I can use one instruction to jump. , you can also use ten or more redundant instructions to do the same job - and there is no time to perfect it at the moment, so there is only JMP/PUSH RET judgment.
An alternative solution proposed for advanced users: remember the modified address, use the "Disassembly" function in "Memory Read and Write" in the process bar, and ask the user to analyze it manually first, haha.
6. Hide Signed Items (View-gt; Hide Signed Items). When selected in the menu, it has an effect on the process, module enumeration, driver, and service columns. Please note that refreshing the four columns after selection will be very slow, so be patient. During operation, the system-related functions will actively connect to the outside world to obtain some information (such as going to crl.microsoft.com to obtain the certificate revocation list). Generally speaking, you can use the firewall to ban it, so it is not surprising to find that IS is connected after selecting it. M $ did it, haha.
7. Others are the strengthening of internal core functions. There are quite a few bits and pieces, so I won’t go into details. Please observe the View-gt; Init State when using it. If it is "OK", it means that the initialization is not completed. Please report it.
IceSword is a sharp blade that cuts off black hands (so the name is a bit silly, haha). It is suitable for Windows 2000/XP/2003/Vista operating system and is used to detect the mastermind (Trojan horse backdoor) in the system and deal with it. Of course, using it requires the user to have some knowledge of the operating system.
Before explaining the software, let me first explain the first note: Do not activate the kernel debugger (such as softice) when this program is running, otherwise the system may crash immediately. In addition, please save your data before use to prevent losses caused by unknown bugs.
IceSword is currently only designed for systems using 32-bit x86-compatible CPUs, and administrator privileges are required to run IceSword.
If you have used an old version, please be sure to restart the system before using the new version and do not use the two interchangeably.
IceSword’s internal functions are very powerful. Maybe you have used many software with similar functions, such as some process tools and port tools, but now the system-level backdoor functions are becoming more and more powerful. Generally, they can easily hide processes, ports, registry, and file information. Common tools There is no way to discover these "masterminds". IceSword uses a large number of novel kernel technologies to make these backdoors invisible.
How to exit IceSword: Close it directly. If you want to prevent the process from being terminated, you need to enter it in the command line form: IceSword.exe /c. At this time, you need Ctrl Alt D to close (before using the three keys) Press any key).
If the tray icon disappears when minimized to the tray: At this time, you can use Ctrl Alt S to call up the IceSword main interface. I didn't redraw the icon because I was lazy, so I'll just use it ^_^.
You do not need to pay for this software, but if you find any bugs when using it, please mail to me: jfpan20000@sina.com, thank you very much.
Update instructions:
1.20: (1) Restored the plug-in function and provided a small plug-in for the file registry, see FileReg.chm for details; (2) Made changes to the core part Some changes have been made, and only the file menu has changed slightly in the interface part.
1.20 (SubVer 111E3): Added support for 32-bit version of Vista (NtBuildNumber: 6000).
1.22: (1) Add search functions for ordinary files, ADS, registry, and modules; (2) Hide signature items; (3) Add HOOK scanning of modules; (4) Strengthen core functions.
Processes
To view the current process, please click the "Process" button. Among the processes listed on the right, hidden processes will be highlighted in red to facilitate search. Hide your own system-level backdoor. The process bar in 1.16 only includes basic functions. If you want to use some extended hidden process functions, please use system check.
Right-click menu:
1. Refresh the list: Please click the "Process" button again, or right-click and select "Refresh List".
2. End the process: left-click to select one item, or hold down the Ctrl key to select multiple items, and then use "End Process" on the right-click menu to end them.
3. Thread information: Select "Thread information" in the right-click menu.
Note that "forced termination" is a dangerous operation and should only be performed once on a thread, otherwise the system may crash. In order to be as general as possible, a lot of code has been commented out, so it is not complete. However, it can meet the requirements of some users: terminating system threads and threads in endless loops in the core state. Although their existence may still be seen, it is just some remnants.
4. Module information: Select "Module Information" in the right-click menu.
"Uninstall" is invalid for system DLLs. You can use "forced uninstall", but forcibly uninstalling system DLLs will inevitably cause the process to hang. After forced uninstallation, the uninstalled DLL can still be seen in the tool that uses PEB to query modules, but in fact the DLL has been uninstalled. This is because I am too lazy to deal with the aftermath - modify the contents of the PEB.
5. Memory read and write: Select "Memory read and write" in the right-click menu.
During operation, first fill in the starting address and length of the read, and click "Read Memory". If the specified address in the process is valid, it will be read and displayed. You can modify it in the edit box and click "Write Memory" writes to the selected process. Note that the prompt box at this time will suggest that you select "No" to not break the COW mechanism. Before you fully understand COW, please select "No", otherwise the wrong address may be written, causing errors and even crashes in the system.
After reading the content, you can click "Disassembly" to view the disassembly value. Some Trojans modify the function entry to hook the function, which can be judged by analyzing the disassembly value.
Port
The function of this column is process port association. Its first four items are similar to netstat -an, and the last two items are the process that opens the port.
In the "Process ID" column, a value of 0 means that the port has been closed and is in the "TIME_WAIT" state. Since the technology used on 2000 is different from XP/2003, the former and the latter two The display on may be slightly different. IceSword breaks the port hiding of system-level backdoors. As long as the process uses Windows system functions to open the port, it cannot escape the search. However, please note that due to laziness, the hidden ports are not displayed in red like processes, so you need to check them yourself.
Kernel module: The core module loaded by the current system, such as a driver.
Startup group: It is the content of the two RUN subkeys. I am too lazy to write the operation. Please change the registry by yourself.
Services: Used to view hidden or unhidden services in the system. Hidden services are displayed in red. Note that some services may take a long time to operate. Please refresh them manually later. Second-rate.
SPI, BHO: No more to say.
SSDT: The system service distribution table, in which modified items will be displayed in red.
Message hooks: enumerate the message hooks registered in the system (through SetWindowsHookEx, etc.). If the hook function is in the exe module, it is the actual address. If it is in the dll module, it is relative to the dll base address. Offset, please judge by yourself (generally, the address value less than 0x400000 is a global hook).
Monitor the creation of incoming threads: As the name suggests, the creation record of incoming threads is stored in a circular buffer. It is recorded while IceSword is running. You can use it to discover what processes and threads are created by the Trojan backdoor, especially Distant thread. What is shown in red is process creation (when the target process TID is 0, it is process creation, and the red item immediately following it is the creation of its main thread) and remote thread creation (should be noted). It should be noted that this column only Display the latest 1024 items.
Monitoring process termination: Generally, it only monitors the termination of one process and the termination of another process. The termination of the process itself is generally not recorded.
System check: There are updates in 1.22
Registry
Similar to Regedit usage, note that it has permission to open and modify any subkey, be careful when using it , do not modify it by mistake (such as SAM subkey).
To delete a subkey and create an item under a subkey, right-click on the subkey on the left and select from the menu. Click on the items on the right and a "Delete Selected" menu will appear. , delete the selected item or items. Double-click an item on the right and a modification dialog box will appear.
File
File operations are similar to Explorer, but only provide file deletion and copy functions. Its feature is to prevent files from being hidden, and at the same time, it can modify the opened file (through the copy function, just specify the copied target file as the opened file).
Menu
Settings: The meanings of the items in this column are consistent with their names. Please see the FAQ for details.
Dump: "GDT/IDT" saves the contents of GDT and IDT in the current directory into GDT.txt, IDT.txt;
"List" saves the current List (only for the previous 5 items (ie: process, port, kernel module, startup group, service) are saved in the user-specified log file. For example, to save the process path name into a log file, first click the "Process" button, then select the "List" menu, specify the file and confirm.
Tray switching: Minimize Icesword to the tray or vice versa.
For the rest, please refer to the FAQ
FAQ
Q: There are many process port tools now, why should I use IceSword?
Answer: 1. Most of the so-called process tools are written using Windows Toolhlp32 or psapi or ZwQuerySystemInformation system call (the first two eventually also use this call), any ApiHook will do It's easy to kill them, not to mention some kernel-level backdoors; very few tools use the kernel thread scheduling structure to query processes. This solution requires hard coding. Not only does it differ between different versions of the system, but a patch may also require upgrading the program, and Some people have also proposed ways to prevent such searches. IceSword's process search core state solution is currently unique and fully considers the possible hiding methods of kernel backdoors. Currently, it can detect all hidden processes.
2. Most tools also use Toolhlp32 and psapi to find the process path name. The former will call the RtlDebug*** function to inject remote threads into the target, and the latter will use the debugging api to read the target process memory. Essentially The above are all enumerations of PEB. By modifying the PEB, these tools can easily be found. IceSword's core solution displays the entire path as it is, and cutting to other paths during runtime will also display it.
3. The process dll module is the same as 2. Other tools that use PEB will be easily deceived, but IceSword will not make a mistake (there are very few systems that do not support it. At this time, the PEB is still used to enumerate ).
4. IceSword’s process removal is powerful and convenient (of course it is also dangerous). Multiple selected processes can be easily killed together.
Of course, it is not accurate to say that it is arbitrary, except for three: idle process, System process, and csrss process. The reasons will not be detailed. The remaining processes can be easily killed. Of course, some processes (such as winlogon) will crash the system after being killed.
5. There are indeed many port tools on the Internet, but there are also many ways to hide ports on the Internet. Those methods are completely unworkable for IceSword. In fact, I wanted to bring a firewall for dynamic search, but I didn't want to make it too bloated. The port here refers to the port to which the Windows IPv4 Tcpip protocol stack belongs. Third-party protocol stacks or IPv6 stacks are not included in this list.
6. Let’s talk about this first...
Q: The service tools that come with Windows are powerful and convenient. What are the better features of IceSowrd?
Answer: Because I am lazy, the interface is indeed not as good as others. However, the service function of IceSword is mainly to check the Trojan service, so it is still very convenient to use. For example, let’s talk about the search for a type of Trojan: svchost is the host of some private process services. Some Trojans exist as DLLs and rely on svchost to operate. How to find them? First look at the process column and find that there are too many svchosts. Remember their pids. Go to the service column to find the service item corresponding to the pid. Use the registry to check its dll file path (listed in the first column of the service item). Name the subkey of the corresponding name under the services subkey of the registry). It is easy to find the abnormal item based on whether it is a common service item. The remaining work is to stop the task or end the process, delete the file, restore the registry, etc. Yes, of course the process requires you to have general knowledge about services.
Q: So what kind of Trojan backdoor can hide process registry files? How to search using IceSword?
Answer: For example, hxdef, which is very popular recently and is open source (and prone to variants), is such a backdoor. IceSword can be used to clean it easily. You can directly see the hxdef100 process displayed in red in the process bar, and you can also see the service items displayed in red in the service bar. By the way, you can also see it in the registry and file bar. Find them, and if the Trojan is connecting backwards, you will also see it in the port bar. To kill it, first find the full path of the backdoor program from the process bar, end the process, delete the backdoor directory, delete the service corresponding items in the registry... This is just a brief introduction, please learn how to effectively use IceSword by yourself.
Q: What is a "kernel module"?
Answer: The PE modules loaded into the system and space are mainly driver *.sys. Generally, they exist as core drivers after the core state. For example, a certain rootkit loads _root_.sys, as mentioned earlier. The arrived hxdef also loads hxdefdrv.sys, which you can see in this column.
Q: What are "SPI" and "BHO"?
Answer: The SPI column lists the network service providers in the system, because it may be used to make processless Trojans. Pay attention to the "DLL path". Normal systems only have two different DLLs (of course the protocol comparison many). BHO is a plug-in for IE, its full name is Browser Help Objects. If the Trojan exists in this form, the Trojan will be activated when the user opens the web page.
Q: What is "SSDT" used for?
Answer: The kernel-level backdoor may modify this service table to intercept the service function calls of your system, especially some old rootkits, such as the ntrootkit mentioned above, which use this hook to implement registry and file of hiding. The modified value is displayed in red. Of course, some security programs will also modify it, such as regmon, so don't panic when you see red.
Q: What is the relationship between "message hook" and Trojan horse?
Answer: If you use SetWindowsHookEx in a dll to set a global hook, the system will load it into the process using user32, so it can also be used as a process injection method for non-process Trojans.
Q: What are the last two monitoring items used for?
Answer: "Monitor incoming thread creation" records the incoming thread creation calls during the running of IceSword in the circular buffer, and "monitoring process termination" records the situation when a process is terminated by other processes. An example to illustrate the function: when a Trojan or virus process is running, check whether there is an anti-virus program such as Norton process, and kill it if there is one. If IceSword is running, this operation will be recorded, and you can find out which process did it. Thus Trojan or virus processes can be discovered and terminated. Another example: a Trojan or virus uses multi-thread protection technology. You find that an abnormal process ends and then starts up again. You can use IceSword to find out what thread created this process and kill them together. You may use the "Settings" menu item during the process: select "Disable incoming thread creation" in the settings dialog box. At this time, the system cannot create processes or threads. After you safely kill suspicious incoming threads, you can cancel the ban.
Q: What are the characteristics of IceSword’s registry keys? Relatively speaking, does RegEdit have any shortcomings?
Answer: There are too many shortcomings of Regedit, such as its name length limit. Create a subkey with a full path name longer than 255 bytes (programming or using other tools, such as regedt32 ), this item and the subkeys behind it cannot be displayed in regedit; and if a subkey with special characters intentionally created by a program, regedit cannot be opened at all.
Of course, adding registry editing to IceSword is not to solve the above problems, because there are already many good tools that can replace Regedit. The "registry" item in IceSword is written to find registration items hidden by Trojan backdoors. It is not blinded by any current registry hiding techniques and truly and reliably allows you to see the actual contents of the registry.
Q: So what are the characteristics of file items?
Answer: Likewise, it has anti-hiding and anti-protection functions. Of course, there are some side effects. File protection tools (except removed files and file encryption classes) are ineffective in front of it. If your machine is used with other people, then use encryption for files that you don’t want others to see. Previous file protection (read-proof or hidden) is of no use. Another side effect on security is that files such as system32\\config\\SAM cannot be copied or opened, but IceSword can be copied directly. However, only administrators can run IceSword. Finally, a little trick: use copy to rewrite files. For a file opened by unauthorized sharing, or a running program file (such as a Trojan horse), you want to change its content (for example, you want to write junk data to the Trojan horse program file to make it unable to run after restarting), Then please select a file (containing the content you want to modify), select the "Copy" menu, and add the path name of the file (Trojan horse) you want to modify in the target file column. After confirmation, the content of the former will be written to the latter ( Trojan) position from the beginning.
One final reminder: Every time you start IceSword, you only run it for the first time to confirm administrator permissions. Therefore, after the administrator runs the program, if you want to hand over the machine to low-privilege users, you should restart the machine first, otherwise it may cause problems. Exploitation by low privileged users.
Q: What is in the GDT/IDT dump file?
Answer: GDT.log contains the contents of the system global descriptor table, and IDT.log contains the contents of the interrupt descriptor table. If there is a backdoor program that modifies it and creates a call gate or interrupt gate, it can be easily discovered.
Q: What does dump list mean?
Answer: Part of the content displayed in the current list view is stored in a designated file, such as dumping all processes in the system, and putting it online to ask someone to help diagnose. However, it is of little significance. Before writing IceSword, it is assumed that the user has certain security knowledge and may not need such functions.
Q: What is the use of "Restart and Monitor" in the File menu and how to use it?
Answer: Because IceSword is designed to leave as few installation traces on the system as possible, it is inconvenient to monitor programs that start automatically at boot. For example, after a program runs, it injects remote threads into processes such as explorer, and then ends itself. This makes it inconvenient to check the process, because only the thread exists. At this time, you can use "Restart and Monitor" to monitor all incoming thread creation when the system starts, and you can easily detect remote thread injection.
Q: What do "create process rules" and "create thread rules" mean?
Answer: They are used to set the rules when creating incoming threads. What should be noted is: the general rule refers to whether to allow or prohibit incoming thread creation events that meet all the terms of the rule; the relationship between the terms in a rule is the AND relationship, that is, only when they are met at the same time is the rule matched; "Rule No. "Starts from zero. Assume that there are currently n rules. When adding a rule, enter a rule number of zero to insert at the head of the queue. Enter a rule number of n to insert at the end of the queue. If the previous rule has been matched, then all subsequent rules will be inserted. It is ignored, and the system directly allows or prohibits this creation operation.
Q: What is the use of plug-ins?
Answer: You can easily expand functions without upgrading the program. In the future, some interfaces may be opened for users to customize. The official version of 1.06 has been temporarily canceled because user feedback was not very useful.
Q: What is the use of associates?
Answer: A replacement for plug-ins. Time is limited and I haven’t tested it much. If you feel it is unsafe, you can disable it in the “Settings” menu. See the header files and sample programs for details. IsHelp is a small toy-type associate that provides auxiliary functions. It should be noted that the operation of the association requires the support of IceSword (IceSword provides services through inter-process communication).
tn=ikaslistamp;rn=10