
How to tell whether the system is infected with a trojan, and remove it manually, without third-party tools

2018-09-05, 6 pages, doc, 24KB, 4 views

Uploader: is_833902
Outline:

Task Manager: show the PID column
wmic: process (to see each process's path)
netstat -ano
Or use IceSword to view processes and their paths
tasklist /svc: the service behind each SVCHOST (how to judge SVCHOST)
Addendum: CPU at 100%, tasklist /m, find the corresponding path
Better to use 360 forced delete

==================================================

How to judge whether the system is trojaned, and manually remove the trojan, without using third-party tools?

Boot into the system and close all unnecessary auto-start programs. Step one: open Task Manager (Ctrl+Alt+Delete). In the View menu click [Select Columns], tick [PID (Process Identifier)] and confirm. The process list now has a PID column, one PID for each process. Next, find the malicious process among them. With so many processes, how do you recognise an abnormal one? (On a freshly reinstalled XP, the number of processes at boot is about 20; 28 including antivirus software is normal.) And how do you locate the abnormal process among the many? First, rule out remote-control trojans in general: check which remote IPs the local computer is connected to.

At the command prompt enter netstat with the parameter -ano:

netstat -ano

[protocol] [local IP and port] [remote IP and port] [state] [PID]

  Proto  Local Address          Foreign Address        State         PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING     1024
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING     588
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING     4
  TCP    192.168.0.101:1166     122.72.7.19:80         TIME_WAIT     0
  TCP    192.168.0.101:1178     211.115.106.193:80     TIME_WAIT     0
  TCP    192.168.0.101:3945     123.125.65.210:80      CLOSE_WAIT    3604
  TCP    192.168.0.101:4595     211.115.106.194:80     CLOSE_WAIT    2805
  TCP    192.168.0.101:4604     211.115.106.194:80     CLOSE_WAIT    2805
  TCP    192.168.0.101:4610     111.73.45.234:7887     ESTABLISHED   1676
  TCP    192.168.0.101:4697     121.189.15.203:80      CLOSE_WAIT    2806
  UDP    0.0.0.0:1032           *:*                                  2920
  UDP    0.0.0.0:2052           *:*                                  3824
  ......

Did you see the remote IPs and ports? After going through them I found the IP 111.73.45.234:7887. Having locked onto that IP and port, note its PID number, 1676. Now go back to Task Manager and check which process PID 1676 belongs to, or at the command prompt enter tasklist with the parameter /svc, which lists the processes with their corresponding PIDs as below (only the key part is cut out):

tasklist /svc

[Image Name (process name)] [PID] [Services] [explanation of the service, added by the author]

  Image Name                PID   Services              Explanation
  svchost.exe               1632  Dnscache              system service
  svchost.exe               1808  LmHosts, SSDPSRV      system services
  ZhuDongFangYu.exe         1848  ZhuDongFangYu         360 Active Defense
  ati2evxx.exe              284   N/A                   graphics card management software
  spoolsv.exe               392   Spooler               printer
  soundman.exe              368   N/A                   sound card related
  vmware-tray.exe           396   N/A                   virtual machine
  ctfmon.exe                424   N/A                   input method
  svchost.exe               2004  stisvc                system service
  vmware-usbarbitrator.exe  444   VMUSBArbService       virtual machine
  winker.exe                1676  VNware NAT window     unknown
  vmnetdhcp.exe             2032  VMnetDHCP             virtual machine
  vmware-authd.exe          588   VMAuthdService        virtual machine
  svchost.exe               2700  HTTPFilter            system service
  svchost.exe               3972  XLDoctor Service      system service
  QQ.exe                    3824  N/A                   QQ
  TXPlatform.exe            3408  N/A                   QQ
  QQ.exe                    2920  N/A                   QQ
  vmware.exe                1952  N/A                   virtual machine
  vmware-unity-helper.exe   3680  N/A                   virtual machine
  conime.exe                3252  N/A                   conime (often also abused as a backdoor trojan)

Now look at the process name for PID 1676. Yes, it is [winker.exe] [1676] [VNware NAT window], and it has created a service (deleting the service is covered below). How do we find where this process's file is located? This needs another command. At the command prompt enter WMIC; after a moment the prompt changes to [wmic:root\cli>]. Then enter process, and it lists the processes from Task Manager, each followed by its path, as follows (only the key part is cut out):

wmic
wmic:root\cli>process

  conime.exe       C:\WINDOWS\system32\conime.exe
  winker.exe       "C:\WINDOWS\system32\winker.exe"
  explorer.exe     C:\WINDOWS\explorer.exe
  IEXPLORE.EXE     "C:\Program Files\Internet Explorer\iexpl
  NOTEPAD.EXE      "C:\WINDOWS\notepad.exe" C:\Documents and
  vmware-vmx.exe   "C:\Program Files\VMware\VMware Workstati
  vprintproxy.exe  "C:\Program Files\VMware\VMware Workstati
  cmd.exe          "C:\WINDOWS\system32\cmd.exe"
  wmic.exe         wmic
  wmiprvse.exe     C:\WINDOWS\system32\wbem\wmiprvse.exe

Did you find the winker.exe file and its path? Yes. Locate the file, end the process, then delete the file (a file cannot be deleted while its process is running). If it really will not go, get 360 to help, or delete it in Safe Mode. To keep the trojan from starting again at the next boot, also delete its corresponding service in the registry. The method is as follows: having found the service name [VNware NAT window], click [Start] in the lower left corner, then Run, enter regedit to open Registry Editor, and in the left pane locate

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

In these 3 locations find VNware NAT window and delete it (if it cannot be deleted, stop the running service first). Then restart.

Congratulations, your system's trojan has now been cleared.

Addendum: how do you tell which of the system's several SVCHOST.exe processes is genuine? The simplest way is to enter tasklist /svc and look at the Services column: a svchost whose Services column is empty is generally a trojan (not absolutely). Some trojans inject themselves into the SVCHOST service process, the EXPLORER desktop process, the IEXPLORE browser process, the rundll32.exe process and so on. We have probably all experienced rundll32.exe occupying 100% of the CPU; this too can be handled with the /m parameter of the tasklist command, which is more trouble and needs some understanding and experience of the system, so I will explain it in detail another time. Third-party tools such as 360 Security can also be used. I have written in general terms, and at some length, so that you can see it in detail and clearly; where anything is unclear I can answer you, or join Q group 73682851 to discuss together.
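The manual correlation the article walks through (netstat -ano to find the remote connection, tasklist /svc to map the PID to a process and its service) and the addendum's svchost rule (a svchost.exe hosting no service is suspect) can be scripted. The following is an added example, not part of the original document or any Windows tool: it parses the two command outputs and applies both checks. The two text blocks are constructed samples modelled on the article's own listings (the 111.73.45.234:7887 connection owned by PID 1676, winker.exe); the svchost.exe with PID 4444 and no service is an invented entry that exercises the addendum's rule. On Windows it runs the real commands; elsewhere it falls back to the samples.

```python
"""Correlate `netstat -ano` with `tasklist /svc`, the way the article does by hand.

Added example; the parsers and heuristics are this script's own, not a Windows API.
"""
import ipaddress
import platform
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `netstat -ano` output, trimmed like the article's listing.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.101:1166     122.72.7.19:80         TIME_WAIT       0
  TCP    192.168.0.101:4610     111.73.45.234:7887     ESTABLISHED     1676
  TCP    192.168.0.101:4697     121.189.15.203:80      CLOSE_WAIT      2806
  UDP    0.0.0.0:1032           *:*                                    2920
"""

# Constructed sample of `tasklist /svc` output. PID 4444 is an invented svchost.exe
# with no service behind it, the tell-tale the article's addendum describes.
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1632 Dnscache
svchost.exe                   1808 LmHosts, SSDPSRV
svchost.exe                   4444 N/A
winker.exe                    1676 VNware NAT window
conime.exe                    3252 N/A
QQ.exe                        2920 N/A
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")


@dataclass
class Connection:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


@dataclass
class Process:
    image: str
    pid: int
    services: list = field(default_factory=list)


def parse_netstat(text):
    """Return one Connection per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Connection(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist_svc(text):
    """Map PID -> Process. Rows start after the '=====' separator; 'N/A' (or the
    Chinese-localised '暂缺') means the process hosts no service. Wrapped
    continuation lines of long service lists start with spaces and are skipped."""
    procs, in_body = {}, False
    for line in text.splitlines():
        if line.startswith("====="):
            in_body = True
            continue
        m = TASKLIST_RE.match(line) if in_body else None
        if not m:
            continue
        image, pid, svcs = m.groups()
        services = [] if svcs in ("", "N/A", "暂缺") else [s.strip() for s in svcs.split(",")]
        procs[int(pid)] = Process(image, int(pid), services)
    return procs


def is_external(remote):
    """True for a routable remote address; '*:*', loopback and RFC 1918 space are not."""
    host, _, port = remote.rpartition(":")
    if host in ("", "*") or not port.isdigit():
        return False
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_unspecified or addr.is_link_local)


def external_connections(conns, procs):
    """The article's first step: which process owns each ESTABLISHED connection to an outside IP?"""
    hits = []
    for c in conns:
        if c.proto == "TCP" and c.state == "ESTABLISHED" and is_external(c.remote):
            p = procs.get(c.pid)
            hits.append((c.remote, c.pid, p.image if p else "?", p.services if p else []))
    return hits


def orphan_svchost(procs):
    """The addendum's rule: svchost.exe with an empty Services column is generally suspect."""
    return sorted(p.pid for p in procs.values() if p.image.lower() == "svchost.exe" and not p.services)


def collect():
    """Live output on Windows, the constructed samples everywhere else."""
    if platform.system() == "Windows":
        ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/svc"], capture_output=True, text=True).stdout
        return ns, tl
    return NETSTAT_SAMPLE, TASKLIST_SAMPLE


if __name__ == "__main__":
    ns, tl = collect()
    conns, procs = parse_netstat(ns), parse_tasklist_svc(tl)
    for remote, pid, image, svcs in external_connections(conns, procs):
        print(f"{remote:<24} PID {pid:<6} {image:<20} services={svcs or 'none'}")
    for pid in orphan_svchost(procs):
        # Same next step as the article: confirm the binary's path with wmic.
        print(f"svchost.exe PID {pid} hosts no service; check: wmic process where processid={pid} get ExecutablePath")
```

The output lists each outside connection with the owning image and its service name, which is exactly the (111.73.45.234:7887, 1676, winker.exe, VNware NAT window) chain the article assembles from two screens, and separately names any svchost.exe with nothing in its Services column so it can be checked with wmic before anything is terminated or deleted.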
