Close all unrelated programs first; then we start checking the current processes. What are the current processes? They are simply all the programs running right now! Looking at the current processes means seeing which programs are running. What if there is a program you don't recognize? It may be a Trojan, because a Trojan usually exists as a program too.
How do you look at the current processes? Please use a professional tool. If you have none, press Ctrl+Alt+Delete to open Task Manager and look there.
So which programs count as unknown?
Here I want to stress once more: you must find a process viewer that can verify the digital signature of each process's file. Otherwise you cannot judge whether a process is suspicious; relying on the file name alone is not enough.
If a process is neither a system process nor a program you are running yourself, it is what we call a suspicious process (a non-system process that fails digital signature verification).
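As an added example (PowerShell written for this edit, not code from the original post), here is the test described above applied to every running process: the image file of each process is checked with Get-AuthenticodeSignature and anything that does not verify is listed. It assumes an elevated Windows PowerShell or pwsh session, since the image paths of protected processes are otherwise unreadable.

```powershell
# Added example: flag running processes whose image file fails Authenticode verification.
# Run from an elevated prompt so that Get-Process can read every image path.
function Get-SuspiciousProcess {
    $sysDir = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32

    Get-Process | Where-Object { $_.Path } | Group-Object -Property Path | ForEach-Object {
        $path = $_.Name                                  # the group key is the image path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [PSCustomObject]@{
            Process  = ($_.Group | Select-Object -First 1).ProcessName
            Ids      = ($_.Group | ForEach-Object Id) -join ','
            Status   = $sig.Status                      # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            InSystem = $path.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)
            Path     = $path
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

# Print the candidates. Write the paths down for the later steps; do not kill anything yet.
Get-SuspiciousProcess | Format-Table Process, Ids, Status, InSystem, Path -AutoSize
```

Status says why verification failed: NotSigned, HashMismatch (the file was changed after signing) or UnknownError (the certificate chain is not trusted). InSystem only records whether the file sits in the system directory; as the post says, path and name support the judgement, but the signature is the primary test. On Windows 8 and later Get-AuthenticodeSignature also consults the system catalogs, so Microsoft binaries that carry no embedded signature still report Valid; on older systems many of them show NotSigned and need a tool that checks catalogs.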
What should I do if I find a suspicious process? Kill it and then delete it?
No, don't kill it ~ there are three reasons not to:
1. What happens if you kill it? Hard to predict. If it interacts with other programs or kernel drivers, killing it may well take the system down with it and crash it.
2. Killing and deleting it does not clear the startup item it wrote into the registry, so the system still tries to load the program at every boot. With the file gone the Trojan can't run, but every failed load attempt costs time, which is one reason systems get slow.
3. Finally, the checks above only show that the process is suspicious; they do not confirm it is a Trojan. Kill it now and it may well be a wrongful kill ~
Then what should I do? The answer is to ignore it for now. Once you have found it, write down the file name, then move on to the next step.
What if you can't find one?
Then your machine may be clean, with no Trojan.
Or the Trojan hides its process, or has no process at all.
What about hidden processes?
First let's look at the ways a Trojan can hide its process ~
The currently popular process-hiding techniques are:
0. Beginner hiding: enumerate the child windows of the Task Manager window, find the list box that shows the processes, and delete its own row from it ~ any general professional tool catches this.
1. Intermediate hiding: hook the Win32 API and filter the Trojan's own process out of the results. Any driver-level process management tool can basically see through it.
2. Advanced hiding: hook NtQuerySystemInformation in the SSDT and filter out its own process. Find a driver-level tool that can restore the SSDT.
3. Sub-advanced hiding: inline-hook the SSDT functions and filter out its own process. Restore the inline hooks, or enumerate the process list directly.
4. Quasi-advanced hiding: unlink its own process from the active process list. Tools based on thread scheduling linked-list detection can find it.
5. Advanced hiding: bypass the kernel scheduling list to hide the process. Tools based on hooking KiReadyThread can detect it.
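A defender's counterpart to levels 0 and 1 above, as an added example rather than code from the post: enumerate processes through three independent paths and report any PID the views disagree on. A Trojan that hooks the Win32 API inside the viewing process (level 1) cannot also filter the list produced by the WMI provider host or by tasklist.exe, so a PID missing from exactly one view stands out. Kernel-level hiding (levels 2 to 5) fools all three views alike, which is why the post insists on driver-level tools there. This is PowerShell written for this edit and assumes nothing beyond a standard Windows installation.

```powershell
# Added example: cross-view process enumeration. Each view is taken at a slightly
# different moment, so a process that starts or exits in between also shows up;
# repeat the comparison and keep only PIDs that disagree every time.
function Compare-ProcessViews {
    $viewA = Get-Process | ForEach-Object { [int]$_.Id }                                   # Win32 API, this process
    $viewB = Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId } # WMI provider host
    $viewC = tasklist.exe /FO CSV /NH | Where-Object { $_ } |
             ConvertFrom-Csv -Header Image, PID, Session, SessionNumber, Memory |
             ForEach-Object { [int]$_.PID }                                                  # a third enumerator

    $union = @($viewA) + @($viewB) + @($viewC) | Sort-Object -Unique
    foreach ($id in $union) {
        $inA = $viewA -contains $id; $inB = $viewB -contains $id; $inC = $viewC -contains $id
        if (-not ($inA -and $inB -and $inC)) {
            [PSCustomObject]@{ PID = $id; GetProcess = $inA; WMI = $inB; Tasklist = $inC }
        }
    }
}

# Three rounds; only PIDs reported in every round are worth a closer look.
$rounds = 3
1..$rounds | ForEach-Object { Compare-ProcessViews } |
    Group-Object -Property PID | Where-Object { $_.Count -eq $rounds } |
    ForEach-Object { $_.Group[0] } | Format-Table -AutoSize
```

A persistent disagreement is not proof of a rootkit, only a reason to bring in the driver-level tool the post recommends and look at that PID first.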
For hidden processes, use an inspection tool with the matching capability ~
Of course, we don't have to dig out a hidden Trojan process at any cost. If we can't find it, we simply treat it as a Trojan with no process and go straight to the next step.
Process inspection is only one of our means; not being able to see or kill the Trojan's process does not stop us from removing it.
OK, whatever the result of this inspection, let's start the next one: module inspection!
Please refer to the following figure:
The figure below is a process inspection chart (judge by the digital signature result first, supplemented by the file path and name; the Rising antivirus process is not a system process, but from the file name and path you can tell it is Rising's main control program, hehe, no need to be rigid about it, we judge by combining several aspects ~):
Chapter II: Modules
What is a module? A module is a component that provides one function or one class of functions; externally it usually appears as a dynamic library file (usually with the .dll extension) or a plug-in file (usually with the .ocx extension). Modules are loaded by an application and provide it with specific functions.
It's like a TV: add a satellite dish and you can receive more channels. The dish by itself has nothing to do with the TV, but once the TV uses it, it gives the TV extra capabilities. The dish is to the TV what a module is to a program.
Each process has anywhere from a few to hundreds of modules, each with its own purpose. Naturally, if a module is a Trojan, its purpose is the Trojan's purpose.
As process inspection became widespread and more thorough, Trojan authors started making process-less Trojans that exist as modules and therefore never appear in the process list. No matter how advanced your process detection technique, it cannot detect a module Trojan.
A computer may have a few dozen processes, but it has hundreds of modules. The larger number makes our detection harder.
The detection tool must be able to verify digital signatures; otherwise hand-picking Trojans out of hundreds of module files is really exhausting ~ (see the figure below for module inspection).
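The module-level version of the signature check, as an added PowerShell example (not the post's code): it walks the DLLs loaded into a named process and lists every module whose file does not verify. It assumes an elevated session whose bitness matches the target process, because a 32-bit PowerShell cannot enumerate the modules of a 64-bit process.

```powershell
# Added example: list modules loaded in a process whose file fails Authenticode verification.
function Get-UnsignedModule {
    param([Parameter(Mandatory)][string]$ProcessName)   # e.g. 'explorer'

    # Collect every module path across all instances of the process; some protected
    # processes refuse module enumeration, so warn rather than abort on those.
    $paths = foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        try   { $proc.Modules | ForEach-Object FileName }
        catch { Write-Warning "Cannot read modules of PID $($proc.Id): $($_.Exception.Message)" }
    }

    foreach ($path in ($paths | Sort-Object -Unique)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Module = $path
            }
        }
    }
}

# Explorer hosts a great many third-party modules and is a favourite injection target.
Get-UnsignedModule -ProcessName explorer | Format-Table -AutoSize

# The same check across every process, deduplicated by file, for the "hundreds of modules" case.
Get-Process | ForEach-Object ProcessName | Sort-Object -Unique |
    ForEach-Object { Get-UnsignedModule -ProcessName $_ -WarningAction SilentlyContinue } |
    Sort-Object Module -Unique | Format-Table -AutoSize
```

As with processes, an unsigned module is a lead, not a verdict: note its path and carry it into the startup item check, where the post explains how to deal with it.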
What should I do if I find one?
Hehe, the last time a friend ran into this, he unloaded and deleted it by brute force. Is that how it should be handled?
The answer is still no!
Don't unload and delete by brute force ~~ Why? Hold that thought. Let's first understand how module Trojans start and operate, and then I'll explain why you shouldn't.
There are two kinds of module Trojans: static loading and dynamic injection.
Static loading registers the Trojan file under a registry key from which, when the system boots or a program runs, every registered module is loaded automatically; the Trojan thereby gets into the program and carries out its illegal activities. (Which registry keys the system loads modules from is covered later, in the startup item check.)
Dynamic loading is the so-called process injection Trojan. It needs not only a module file but also an injector that injects the module into a process. The injector starts first, injects the module Trojan into other processes, and exits once the injection is done, so again you see no process.
Now do you see why you can't unload and delete by brute force?
After a brute-force unload and delete, if it was statically loaded, the registration remains in the registry and the system still tries to load the module at every boot or whenever the related program runs. Too many of these and the system slows down.
If it was dynamically loaded, you have only removed the module Trojan, and the injector is still on your machine. A properly designed Trojan keeps a backup of its module file, so the next time you boot you find the module you so forcefully deleted is back, and you can never delete it cleanly. If the Trojan is badly or viciously designed, only God and its author know what happens next ~~ -_-!
If you can't delete it by force, what do you do when you find one? As with processes: write down the module file's path and name, ignore it for now, and start the next inspection.
Speaking of process-less Trojans, we have to mention thread injection Trojans. A process injection Trojan injects a module into a process, so there must be a module file; we can find that module and, by verifying its file signature, uncover the injection Trojan. A thread injection Trojan is just a piece of code injected into a process; there is no file. Although you can list the threads of every process, picking out which thread is the Trojan is next to impossible. Anyone who can do that is far above my level ~ Look at the second picture below, EXPLORER.exe's thread list. What can you tell from it?
By the way, that picture is a screenshot of Process Explorer, a very, very famous and useful process management tool, which can be downloaded here :)
So what about thread injection Trojans?
Fortunately, a thread injection Trojan also needs an injector to work. The thread is hard for us to find, but its injector is much easier.
Now, whether or not you found a suspicious module or thread, let's move on to the next check: startup items!
Chapter III: Autostart Items
What is an autostart item? After a program registers itself somewhere in the system, the system runs it automatically every time it boots; that registration is called an autostart item.
A Trojan doesn't want to run only once. To settle in on your computer it must run at every boot; that is how it protects itself and keeps doing its work.
Generally a Trojan has one or more autostart items, so checking them has become a necessary step when hunting Trojans. (This applies to common Trojans; there are two kinds that need no autostart item, which we discuss later.)
Finding a Trojan's autostart items is very important, and the demands on the tool are high.
How many places in the system can make a program run automatically? Sweat ~~ I don't know; more than I can count ~~ So we need a tool that is as comprehensive as possible, and we need several of them, so that together they cover enough. Nobody dares claim to list every startup location in the system. So the first requirement for a startup item inspection tool is completeness!
Is that enough? Of course not. The next point is the same as before: it must also verify digital signatures, to avoid being fooled by names that imitate system files.
It also needs to detect hidden startup items. As before, let's first learn how Trojans hide their startup items:
0. The Trojan doesn't hide at all; it just picks an obscure location. Catching it depends on whether the locations your tool lists are complete enough.
1. The Trojan hides at the application layer by hooking the registry enumeration functions of the Win32 API. This kind is easy to detect; any driver-level detection program can handle it.
2. The Trojan hides at the kernel layer by hooking the SSDT. Ordinary tools don't catch this kind, so we must find a professional detection program that can restore the SSDT.
3. The Trojan hides at the kernel layer, shamelessly inline-hooking the relevant service functions, so most inspection programs miss it. We need a program that can restore inline hooks.
4. The Trojan hides at the very bottom, inline-hooking undocumented low-level Microsoft functions such as the Cm* family. Hey, it's hard to get to the bottom of this. Such a Trojan can only be found with a detection program that scans the hive files, or a special tool that restores the low-level inline hooks.
All four hiding techniques have been used by rogue software or Trojans. Don't take chances thinking Trojans can't use such advanced techniques. It's best to check startup items with several tools; the powerful ones are usually not complete enough. Hey, maybe the experts are lazy ~
OK, let's start checking ~ first restore the hooks and inline hooks, then run the tool. Remember the suspicious modules and processes we found earlier? This is where we use them. Compare the startup items found against those files and see whether any startup item points to them.
Found one? OK, back up the registry, then delete the startup item. Can't delete it? Did you forget to restore the hooks? Restore them, then open the registry editor and check whether you have permission to delete the key. Right-click the key, choose Permissions, grant yourself Full Control, and delete it. Hehe, it's just a little trick it plays.
Deleted it and another one appeared? Doesn't matter. You now have two choices: one, end its process first and unload its module so it loses the ability to write the item back; two, turn on the tool's "system lock" function, temporarily locking the system so that no program may write to the registry. Deleting is no problem then.
After the deletion is complete, restart the computer.
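The comparison step above, as an added PowerShell example that is not the post's own code: it enumerates a handful of well-known autostart locations (the Run/RunOnce keys, the Winlogon Shell and Userinit values, AppInit_DLLs and the installed services), verifies each target's signature, and marks any entry whose image is on the list you wrote down during the process and module checks. AppInit_DLLs is included as one well-known example of the static module-loading keys the module chapter deferred to this step; the post itself does not name which keys it meant, and no tool covers every location, which is exactly the post's point. The placeholder path in $Noted is constructed; replace it with your own notes. The removal helper exports the key with reg.exe first and runs with -WhatIf until you remove that switch.

```powershell
# Added example: enumerate common autostart locations, verify each target's signature,
# and mark entries whose image is on the list of suspicious files noted earlier.
# $Noted holds a constructed placeholder path; replace it with the paths you wrote down.
$Noted = @('C:\Users\Public\example-noted-suspicious.exe')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Single values naming programs or DLLs; AppInit_DLLs is one of the static module-loading keys.
$SingleValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' }
)

function Get-ImagePath([string]$Command) {
    # Pull the executable out of '"C:\a b\x.exe" /s', 'C:\a b\x.exe /s' or 'x.exe,'.
    if (-not $Command) { return '' }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim().TrimEnd(',')
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {           # longest prefix that is an existing file
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-Image([string]$Image) {
    if (-not $Image) { return 'Empty' }
    if (-not (Test-Path -LiteralPath $Image -PathType Leaf)) {
        # Bare names such as explorer.exe are resolved through the search path.
        $found = Get-Command -Name $Image -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if (-not $found) { return 'FileMissing' }
        $Image = $found.Source
    }
    return (Get-AuthenticodeSignature -FilePath $Image).Status
}

function New-Entry([string]$Location, [string]$Image) {
    [PSCustomObject]@{ Location = $Location; Image = $Image; Status = Test-Image $Image; Noted = ($Noted -contains $Image) }
}

function Get-StartupEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, PSProvider ...
            New-Entry "$key\$($p.Name)" (Get-ImagePath $p.Value)
        }
    }
    foreach ($v in $SingleValues) {
        $raw = (Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue).($v.Name)
        foreach ($part in ("$raw" -split ',' | Where-Object { $_.Trim() })) {   # Userinit and AppInit_DLLs are comma lists
            New-Entry "$($v.Key)\$($v.Name)" (Get-ImagePath $part)
        }
    }
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName) { New-Entry "Service\$($svc.Name)" (Get-ImagePath $svc.PathName) }
    }
}

function Remove-StartupValue {
    # Export the key with reg.exe before touching it; -WhatIf keeps this a dry run.
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    $regKey = $Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $backup = Join-Path $env:TEMP ('startup-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $regKey $backup /y | Out-Null
    Write-Host "Backed up $regKey to $backup"
    Remove-ItemProperty -Path $Key -Name $Name -WhatIf    # drop -WhatIf once you are sure
}

Get-StartupEntry | Where-Object { $_.Noted -or $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

An entry whose Image matches a noted path is the startup item the post tells you to remove; an unsigned entry that matches nothing is new information and goes on the list. If Remove-StartupValue reports an access error, that is the permission trick the post describes, and the .reg export in %TEMP% is your way back if you delete the wrong value.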
Remember the suspicious processes and modules you wrote down? Check whether they are still there. Gone? Congratulations, your Trojan removal is done.
Still there?
Oh, don't panic. If it's still there, you haven't really cleared all of its startup items. Possible reasons:
1. This Trojan also uses a triggered startup mechanism.
2. It has other protection mechanisms, such as a shadow program or driver.
Next, we dissect the triggered Trojan ~~
Chapter IV: Triggered Trojans
Above I described the general method of Trojan removal; it removes most Trojans. (I forgot to write this last time: after the restart, if the Trojan can no longer start, the next step is of course to delete all the Trojan files you noted down.)
Now the triggered Trojan. What is it? A triggered Trojan is defined by its startup mechanism: when you perform a certain action it triggers the Trojan, which then starts. If you never perform that action, the Trojan never starts. Normally Trojans start on their own initiative, and security tools and antivirus software mostly check for active Trojans, such as checking autostart items and whether something runs automatically after boot. Only a few common trigger points are checked, but there are many local operations that can trigger a Trojan, which is why this kind is hard to remove.
The symptom: the system is normal after cleaning, and at that moment the machine checks out clean, but before long the Trojan resurfaces.
Now let's really kill these tough guys!
Note that for coherence I describe the steps separately here; in practice you can certainly do them together. (While checking processes and startup items you can easily check the following as well.)
Of course, the most common trigger, and the first we need to check, is Autorun.inf. What is it? It's a configuration file; the name says it: "auto run". Its legitimate purpose is autoplaying CDs: once you insert a CD into the drive, the system automatically runs the program specified in Autorun.inf.
Later some people turned it on hard disks. When this file is placed in the root directory of a partition, right-click the drive letter and you'll find the default action has become "AutoPlay" instead of Open. Double-clicking the drive no longer opens it in the folder view but directly runs the specified program. (A registry change is also needed; I won't say where, since it has nothing to do with removal and I don't want it abused.)
If the Trojan is deleted by brute force, the Autorun.inf file remains after the program is gone, and then you can't open the disk by double-clicking. (Incidentally, Panda Burning Incense combined this trigger with autostart items.)
Because double-clicking the disk triggers the Trojan, when cleaning up right-click the drive and choose "Open" instead, or browse it with Explorer, and delete the file once you find it.
Usually this file has the hidden attribute, and the more vicious ones add "registry monitoring and write-back" to keep it hidden: the moment you set the system to "show all files", it sets it back to "don't show hidden files". How to get rid of this registry write-back protection was covered in the post above, so I won't repeat it.
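The Autorun.inf inspection described above, as an added PowerShell example (not code from the post): it looks for autorun.inf in the root of every drive, hidden attribute or not, parses the [autorun] section, shows which program the open=, shellexecute= or shell\<verb>\command= entries would launch, and verifies that program's signature. It also reads the two Explorer settings that govern whether hidden and protected files are displayed, so that the write-back trick in the last paragraph becomes visible as a value that keeps flipping. The INI parser is minimal and written for this example.

```powershell
# Added example: find autorun.inf in every drive root, show what it would launch,
# verify that target's signature, and report the Explorer hidden-file settings.
function Get-AutorunInf {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf  = Join-Path $drive.Root 'autorun.inf'
        $file = Get-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue   # -Force sees hidden files
        if (-not $file) { continue }

        # Minimal INI parse: collect key=value pairs from the [autorun] section only.
        $inAutorun = $false; $entries = @{}
        foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
            if ($line -match '^\s*\[(.+?)\]') { $inAutorun = ($Matches[1] -ieq 'autorun'); continue }
            if ($inAutorun -and $line -match '^\s*([^;=]+?)\s*=\s*(.*?)\s*$') { $entries[$Matches[1]] = $Matches[2] }
        }
        # Keys that start a program: open=, shellexecute=, shell\<verb>\command=
        $launch = @($entries.Keys | Where-Object { $_ -match '^(open|shellexecute|shell\\[^\\]+\\command)$' })
        foreach ($k in $launch) {
            $value  = $entries[$k]
            $exe    = if ($value -match '^"([^"]+)"|^(\S+)') { "$($Matches[1])$($Matches[2])" } else { $value }
            $target = if ([IO.Path]::IsPathRooted($exe)) { $exe } else { Join-Path $drive.Root $exe }
            $status = if (Test-Path -LiteralPath $target -PathType Leaf) {
                          (Get-AuthenticodeSignature -FilePath $target).Status } else { 'FileMissing' }
            [PSCustomObject]@{ Drive = $drive.Root; Attributes = $file.Attributes; Key = $k
                               Value = $value; Target = $target; Status = $status }
        }
        if ($launch.Count -eq 0) {   # an autorun.inf that launches nothing is still worth knowing about
            [PSCustomObject]@{ Drive = $drive.Root; Attributes = $file.Attributes; Key = '(none)'
                               Value = ''; Target = ''; Status = '' }
        }
    }
}

function Get-ExplorerHiddenFileSetting {
    # Hidden: 1 = show hidden files, 2 = do not show. ShowSuperHidden: 1 = show protected OS files.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    [PSCustomObject]@{ ShowHidden = ($adv.Hidden -eq 1); ShowSuperHidden = ($adv.ShowSuperHidden -eq 1) }
}

Get-AutorunInf | Format-Table -AutoSize
Get-ExplorerHiddenFileSetting
```

A genuine optical disc shows an autorun.inf whose target sits on the disc and verifies; an autorun.inf in the root of a fixed or removable disk pointing at a hidden, unsigned executable is the case the post describes. Running Get-ExplorerHiddenFileSetting twice, a minute apart, after you have enabled "show all files" is the simplest way to confirm the write-back behaviour.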
Another trigger is modified file associations. What is a file association? It is the mapping between a type of file and a program. Our systems hold countless file formats: picture files (.bmp, .jpg, .gif, etc.), music files (.mp3, .mp4, etc.), and so on. When you double-click a picture, the system calls the picture viewer to display it rather than a media player. How does the system know to call the viewer? Because of the file association. In the registry, picture files are associated with a viewer, music files with a player, and most file types with a specific program; that is how the system knows which program to call for which file.
Clever you have already guessed how a Trojan uses file associations, right? Yes: the cunning Trojan changes the association of certain file types to itself. Open such a file and the Trojan starts. Since the Trojan then calls the normal program, the file still opens as usual and you never know your action just started it.
Which file associations will the Trojan change? I don't know. Only God and the Trojan's author know.
How many file associations are there in a system? Open the registry editor and look at the subkeys under the first root key (HKEY_CLASSES_ROOT): you'll see there are thousands.
So what do we do?
Ordinary Trojans change the associations of file types you use often, such as text files, programs and web pages. There are many programs and registry export files online that restore these common associations.
But that kind of check is clearly not enough. If you were the Trojan's author and knew these common associations get checked and restored, would you still change them? Hardly; you have too many other choices. For example, .rar, a compressed archive format: many downloads exist in this format, so the odds of opening an archive are very high, and almost no recovery program touches this association, because restoring it blindly just makes archives unopenable: the author of the recovery program is no wizard and doesn't know which compression software you use or where it's installed.
Then simply opening an archive triggers the Trojan. If the file behind this trigger is a shadow program, a full file scan won't find it, because the shadow program has no virus signature. What you found and deleted was the copy this program released; the source is still there. From then on the Trojan is your lingering nightmare ~ (we'll cover the shadow program in detail next time)
How do I check file associations? Two ways: one, use monitoring to find out which association was modified, then change it back; two, scan all file associations with professional software.
How do you tell whether an association is correct through monitoring?
First, get a tool with thread monitoring, turn on "thread monitoring", then keep opening the various files you commonly use and watch which programs run. For example, opening a .rar file should show "WinRAR.exe started by Explorer.exe" in the process monitor; that's normal. If it shows Explorer.exe running some other program, which then starts WinRAR.exe, the association has been changed. Of course, you can also open the registry and check the associations directly.
The second way: scan with professional software and filter out system files; few non-system files remain, and with a little judgment you have the result. Very simple, I won't say more; just look at the picture below.
What should I do if I find one?
Don't just delete it. After cleaning, export the normal association from a clean machine, or tell a friend which one you deleted, have him export the normal one from his machine, and import it on yours.
If it's a non-system association, such as .rar archives, just delete it; the next time you open a .rar file you'll be prompted to choose a program to open this type of file. Choose WinRAR.exe and tick "Always use this program to open this type of file".
Or use another method ... hey, in fact, once we've found the Trojan, the rest is easy ~~
Note too that some triggers are not obvious file operations. For example, opening a web page may require a script language to be interpreted and executed; but what interprets it? The system again looks up the corresponding program in the registry, under keys such as VBS and JScript, which basically live under the HKEY_CLASSES_ROOT root key.
Antivirus programs such as Kaspersky (Kaba) and Kingsoft (Jinshan) register their own DLLs under these keys so they can check scripts for virus signatures before execution, but Trojans use the same keys to make the Trojan run as soon as you open a web page.
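The registry side of the file association check, covering both the everyday file types discussed above and the script engine keys of the last two paragraphs, as an added PowerShell example that is not the post's code: for each extension it resolves the ProgID the way Explorer does (the per-user UserChoice key first, then the extension's default value under HKEY_CLASSES_ROOT), reads that ProgID's shell\open\command, extracts the program and verifies its signature. For .exe the expected command is exactly `"%1" %*`, so any program interposed there is reported directly; the sets of extensions and of interposed-program statuses are this example's choices.

```powershell
# Added example: resolve the "open" command for a set of extensions as Explorer does,
# pull out the program it runs, and verify that program's signature.
function Get-OpenCommand {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.txt'

    # Per-user choice wins over the machine-wide default under HKEY_CLASSES_ROOT.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $extKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue
        if ($extKey) { $progId = $extKey.GetValue('') }     # the (Default) value names the ProgID
    }
    $command = $null
    if ($progId) {
        $cmdKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue
        $raw = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
        if ($raw) { $command = [Environment]::ExpandEnvironmentVariables([string]$raw) }
    }

    # Program = first quoted token, otherwise the first whitespace-delimited token.
    $program = if ($command -and $command -match '^\s*"([^"]+)"|^\s*(\S+)') { "$($Matches[1])$($Matches[2])" } else { '' }
    $status = if ($Extension -ieq '.exe') {
                  # Nothing should sit between the shell and the program itself.
                  if ($command -eq '"%1" %*') { 'Valid' } else { 'ExeAssociationChanged' }
              }
              elseif (-not $program) { 'NoCommand' }
              elseif (Test-Path -LiteralPath $program -PathType Leaf) { (Get-AuthenticodeSignature -FilePath $program).Status }
              else { 'FileMissing' }

    [PSCustomObject]@{ Extension = $Extension; ProgId = $progId; Program = $program; Status = $status; Command = $command }
}

# Files you open daily, archives, web pages, and the script engines mentioned above.
$Extensions = '.exe', '.txt', '.htm', '.html', '.rar', '.zip', '.vbs', '.js', '.bat', '.reg'
$Extensions | ForEach-Object { Get-OpenCommand -Extension $_ } | Format-Table -AutoSize
```

For .rar the Program column should be your archiver (WinRAR.exe in the post's example) and nothing else; for .vbs and .js it should be the Windows script host. A chain where an unsigned program appears in Command and the real handler is passed to it as an argument is the interposition the post describes, and that program's path goes on your list.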
OK, next let's talk about shadow programs (drivers) ~ They often work together with these trigger mechanisms, and they always cooperate closely: the trigger avoids startup item, process and module inspection, while the shadow program avoids the antivirus file scan. How exactly do they cooperate to evade us? Next time ~~~
Chapter V: Shadow Programs (Drivers)
What is a shadow program? Everyone knows what a shadow is ~~ where there is a shadow there must be a body. The shadow exists only because the body exists, and does no other work. A shadow program is the same: it exists only so that the Trojan program can exist, and it does none of the Trojan's work.
Why would a Trojan want a shadow program or shadow driver? Only one purpose: to protect the main Trojan from being cleared.
How does the shadow protect the main Trojan? Before we get to that, we need to know how antivirus software kills viruses.
Once you know how antivirus software kills viruses, it's easy to understand how the shadow escapes it.
Most antivirus software relies on virus signatures, so it ships with a virus database; the database upgrades we all do update it. The database stores virus characteristics, like a description of the virus file (height, weight, measurements, facial features, etc.). If a program matches some characteristics in the database, it is considered a virus and killed. Where do the characteristics come from? Virus analysts extract them after analysing a virus, so everything killed this way has a record: it committed the crime before and left traces, and now it's like a rat crossing the street, everyone shouting to beat it.
Signature-based killing is a hard match: meet the criteria and it's a hit ~~ There are false positives, but they are rare; after all, identical code is uncommon. Accuracy and false positive rate depend largely on the analysts' skill at extracting signatures. Hehe, we saw a well-known company flag a driver framework as a ROOTKIT Trojan; obviously that signature was seriously flawed.
There is also the so-called active-defence type, which compares signatures and also analyses the behaviour of the program. When enough of its actions match a predefined behaviour pattern, the program is treated as a virus. Naturally the false positive rate rises a lot. This kind of kill needs no prior record: you never committed a crime before, but chase someone with a knife and you'll be caught, because your behaviour matches the virus behaviour pattern.
Viruses are ever more widespread today, and virus source code isn't hard to obtain. Some kids can spread a virus just by copying code, but they can't change its code characteristics to avoid being killed by antivirus software.
So some people desperately hunt for new packers to wrap viruses in different shells, but antivirus unpacking keeps getting better, and it's hard to find a packer the antivirus can't unpack.
So others came up with different ways to evade antivirus software.
The shadow program is one of them ~~
The Trojan's main program has to do its work, so some of its functions are hard to get rid of. The shadow program does no Trojan work, so it is essentially a normal program: it uses no virus techniques and has no virus characteristics, and therefore antivirus software won't kill it.
That is the point of a Trojan adopting a shadow program: because the shadow has no virus characteristics, it survives the antivirus full file scan.
So how does it protect the main program? Generally it stores the virus's main program inside itself as a resource; to be extra safe it compresses and encrypts the main program first and then embeds it as a resource. (Resources are just data ~~ for example, the pictures a program uses are picture resources. Antivirus software usually checks only code, not data resources; in fact it can't find anything there ~ there are countless ways to alter a resource that exists as pure data.)
In this way the shadow program solves the Trojan's survival problem on the computer through stored resources, keeping a spark alive for the Trojan on your machine.
Once the Trojan is cleared and the shadow program notices that the main program is gone, it releases a fresh copy from its own resources and regenerates the Trojan, so you keep killing it until you are exhausted and give up.
How does the shadow program find out that the Trojan's main program has been cleared?
Two ways. One: it adds itself to some startup location and runs at every boot. After starting, if it finds the Trojan's main program gone, it releases a copy, starts the Trojan, and exits. If the Trojan is still there, it exits right away.
Two: it waits behind a trigger mechanism. When you trigger it, the shadow program checks whether the Trojan exists; if not, it releases and starts it, then exits. If it does, it just exits.
Because the shadow program runs for only a few seconds ~~ your process check is useless against it, since it isn't running most of the time ~
Against shadow programs we can only start from the startup items; shadow programs know this too, so many have adopted the trigger mechanism. So when we check, we must also take care to check for triggered Trojans.
Oh, the conclusion is out. Dear friends, don't go killing suspicious processes with bloodshot eyes ~~ Killing processes, deleting files and unloading modules only treats the symptoms ~~ Everything must be pulled out by the root and cured ~~ Otherwise the Trojan can't be killed ~~ and worse, the system gets slower with every attempt ~~ until finally it has to be reinstalled.
Can you recover quickly with GHOST? Oh, didn't you know Panda Burning Incense deletes Ghost backup files? If Panda can delete them, so of course can others ~~ deleting a file is no trouble for them ~~
Is reinstalling the system safe? I don't know ~~ search online ~ see how risky downloaded operating system images are ~ many Trojans are planted during OS installation ~~
Why can't you find those?
That's another topic ~~ Trojans that modify and replace files ~~ a very depressing kind of Trojan ~~ Next time ~~
Sweat ~~ think it over ~
Reference picture: CNNIC's shadow driver; the main driver is circled in blue and the shadow driver in red. The shadow driver's name is random and differs every time the machine starts.
Using this picture, let me answer a friend's question from last time about cleaning up CNNIC leftovers:
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root there are keys matching the driver services. If you use other cleaning tools, remember to clean these. If you use version 5.0.0.7 you don't have to: when you clear the driver it clears the keys automatically. (Note: version 5.0.0.6 lacks this function and may also lack automatic shadow driver detection ~~ delete them manually or use another tool; failing that, wait for the 5.0.0.7 trial ~)
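The driver side of the shadow-program hunt, as an added PowerShell example (not the post's code or the tool it mentions): it lists kernel drivers whose image file fails signature verification or is missing, and then lists the LEGACY_* keys under Enum\Root that no longer have a matching service, which is the leftover the paragraph above tells you to clean. Both functions assume an elevated prompt, and the LEGACY_<service> naming under Enum\Root is the convention Windows uses for legacy (non-PnP) driver services.

```powershell
# Added example: unsigned or missing kernel driver images, and orphaned Enum\Root entries.
function Get-DriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # PathName may be NT-style (\??\C:\..., \SystemRoot\..., System32\...); normalise to Win32.
        $path = $_.PathName
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        $status = if (-not $path) { 'NoPath' }
                  elseif (Test-Path -LiteralPath $path -PathType Leaf) { (Get-AuthenticodeSignature -FilePath $path).Status }
                  else { 'FileMissing' }
        [PSCustomObject]@{ Driver = $_.Name; State = $_.State; StartMode = $_.StartMode; Status = $status; Path = $path }
    } | Where-Object { $_.Status -ne 'Valid' }
}

function Get-OrphanLegacyEnumKey {
    # Each LEGACY_<SERVICE> key under Enum\Root should correspond to a key under Services.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $service = $_.PSChildName.Substring('LEGACY_'.Length)
            [PSCustomObject]@{
                EnumKey       = $_.PSChildName
                Service       = $service
                ServiceExists = Test-Path -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
            }
        } | Where-Object { -not $_.ServiceExists }
}

Get-DriverSignatureReport | Format-Table -AutoSize
Get-OrphanLegacyEnumKey  | Format-Table -AutoSize
```

A driver with a random-looking name, an unsigned image and a boot or system StartMode fits the shadow-driver picture the post shows; run the report once before and once after the cleanup, and the orphan list afterwards shows you what still needs deleting by hand.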
If it's cleared, it's cleared ~~ otherwise ~~ hey ~~ you're done for, that's what it means ~~
CNNIC also has a shutdown notification function ~~ don't forget it ~~ otherwise even after cleanup it writes itself back at shutdown ~~
What? You don't know how to handle that ~~ sweat ~~ I haven't found the right tool for it yet. Writing a program would be the easiest way, but it wouldn't be general, and this guy isn't worth a dedicated program.
Two workarounds for now:
One is the dumb way. Doesn't it rely on the system notifying it at shutdown? Then don't give the system the chance: just press the reset button to restart the machine ~~ -_-!
Two: first restore the FSD hooks and inline hooks, then delete all the related program files, driver files and DLLs, then restart and delete the startup items, and that's it ~ (Note: the system lock doesn't seem to work well against CNNIC ~ depressing ~)
Also, friends who are used to AutoRuns.exe should take note: the AutoRuns.exe I use is version 8.22 and it can't find CNNIC's driver startup item ~ if you're removing CNNIC, use another tool first ~