How to tell whether the system has a trojan, and remove it by hand, without third-party tools
Notes:
Task Manager: enable the PID column and look at each process's PID
wmic process
netstat -ano
Or use IceSword to see each process and its path
tasklist /svc: which services each svchost.exe hosts (how to judge an svchost.exe)
Addendum: CPU stuck at 100%
tasklist /m
Find the matching file path
If it will not delete, use 360's force delete
==================================================
How to judge whether the system has a trojan, and remove it by hand, without third-party tools?
Boot the system and close every program that starts automatically but is not needed. Step one: open Task Manager (Ctrl+Alt+Delete). In the View menu click [Select Columns...], tick [PID (Process Identifier)] and confirm. The process list now shows a PID column beside each process, and from this list we must pick out the malicious process. With so many processes, how do you tell which one is abnormal? (On a freshly installed XP system about 20 processes are running after boot; with antivirus installed, about 28 is normal.) And how do you locate the abnormal one among them? First rule out a remote-control trojan: check which remote IPs the local machine is connected to. At the command prompt, type netstat with the parameter -ano:
netstat -ano
[protocol] [local IP and port] [remote IP and port] [state] [PID]
Proto  Local Address          Foreign Address        State         PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING     1024
TCP    0.0.0.0:912            0.0.0.0:0              LISTENING     588
TCP    192.168.0.101:139      0.0.0.0:0              LISTENING     4
TCP    192.168.0.101:1166     122.72.7.19:80         TIME_WAIT     0
TCP    192.168.0.101:1178     211.115.106.193:80     TIME_WAIT     0
TCP    192.168.0.101:3945     123.125.65.210:80      CLOSE_WAIT    3604
TCP    192.168.0.101:4595     211.115.106.194:80     CLOSE_WAIT    2805
TCP    192.168.0.101:4604     211.115.106.194:80     CLOSE_WAIT    2805
TCP    192.168.0.101:4610     111.73.45.234:7887     ESTABLISHED   1676
TCP    192.168.0.101:4697     121.189.15.203:80      CLOSE_WAIT    2806
UDP    0.0.0.0:1032           *:*                                  2920
UDP    0.0.0.0:2052           *:*                                  3824
......
Look at the remote IP and port column. Going through the list, the entry that stands out is 111.73.45.234:7887: an ESTABLISHED connection to a non-standard port (the port 80 entries are ordinary web traffic, and the TIME_WAIT rows with PID 0 are sockets that have already been closed). Its PID is 1676.
Having locked onto that IP, port and PID 1676, we now find out which process PID 1676 is. Either go back to Task Manager and look for 1676 in the PID column, or at the command prompt type tasklist with the parameter /svc, which lists each process with its PID and the services it hosts, as below (only the relevant part is shown):
tasklist /svc
[image name (process name)] [PID] [services] [note]
svchost.exe               1632  Dnscache            system service
svchost.exe               1808  LmHosts, SSDPSRV    system services
ZhuDongFangYu.exe         1848  ZhuDongFangYu       360 active defense
ati2evxx.exe              284   N/A                 graphics driver helper
spoolsv.exe               392   Spooler             print spooler
soundman.exe              368   N/A                 sound card
vmware-tray.exe           396   N/A                 VMware
ctfmon.exe                424   N/A                 input method
svchost.exe               2004  stisvc              system service
vmware-usbarbitrator.exe  444   VMUSBArbService     VMware
winker.exe                1676  VNware NAT window   unknown
vmnetdhcp.exe             2032  VMnetDHCP           VMware
vmware-authd.exe          588   VMAuthdService      VMware
svchost.exe               2700  HTTPFilter          system service
svchost.exe               3972  XLDoctor Service    Xunlei (Thunder) component
QQ.exe                    3824  N/A                 QQ
TXPlatform.exe            3408  N/A                 QQ
QQ.exe                    2920  N/A                 QQ
vmware.exe                1952  N/A                 VMware
vmware-unity-helper.exe   3680  N/A                 VMware
conime.exe                3252  N/A                 console IME (legitimate, but the name is often borrowed by backdoor trojans)
Now look at the process whose PID is 1676. There it is: [winker.exe] [1676] [VNware NAT window] (note the spelling: VNware, not VMware), and it has registered a service for itself (we delete that service later). How do we find where this process's file is? That needs another command. At the command prompt type wmic; after a moment the prompt changes to wmic:root\cli>.
Then type process, and it lists the same processes Task Manager shows, each followed by its command line, as below (only the relevant part is shown):
conime.exe        C:\WINDOWS\system32\conime.exe
winker.exe        "C:\WINDOWS\system32\winker.exe"
explorer.exe      C:\WINDOWS\explorer.exe
IEXPLORE.EXE      "C:\Program Files\Internet Explorer\iexpl
NOTEPAD.EXE       "C:\WINDOWS\notepad.exe" C:\Documents and
vmware-vmx.exe    "C:\Program Files\VMware\VMware Workstati
vprintproxy.exe   "C:\Program Files\VMware\VMware Workstati
cmd.exe           "C:\WINDOWS\system32\cmd.exe"
wmic.exe          wmic
wmiprvse.exe      C:\WINDOWS\system32\wbem\wmiprvse.exe
Did you find the winker.exe file and its path? Locate the file, end the process, then delete the file (a running executable cannot be deleted). If that fails, use 360 or delete it from Safe Mode. To stop the trojan starting again on the next boot we also delete its service from the registry. The method: note the service name, [VNware NAT window]; click [Start] in the lower left corner, choose Run, type regedit to open the Registry Editor, and in the left pane go to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
In these three locations find the key named VNware NAT window and delete it (if it will not delete, stop the service first). The ControlSetNNN numbers differ from machine to machine; CurrentControlSet is a link to whichever one is in use, so check every ControlSetNNN present. Then reboot. Congratulations, the trojan has now been cleaned from your system. After the reboot, run netstat -ano once more and confirm that the connection to 111.73.45.234:7887 is gone and winker.exe is no longer listed; a trojan can also have other startup entries (Run keys, scheduled tasks), so this check after the reboot matters.
An added question: how do you tell the real ones apart when the system has several svchost.exe processes? The simplest way is tasklist /svc: a genuine svchost.exe shows the services it hosts in the Services column, and one whose Services column is empty is generally a trojan (not always). Some trojans also inject themselves into the services hosted by svchost.exe, into the explorer.exe desktop process, the iexplore.exe browser process, the rundll32.exe process, and so on.
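The whole procedure above (netstat -ano for an odd remote connection, tasklist /svc for the PID-to-process mapping and the empty-Services svchost.exe check, wmic for the file path) can be run as one triage pass over saved command output. The Python script below is an added example and not part of the original post: it parses the text of the three commands, uses the listings from this post as sample input (plus one constructed "svchost.exe 3100 N/A" row, a placeholder host name PC1, and a constructed wmic listing in the csv format produced by `wmic process get processid,executablepath /format:csv`), and reports any PID with an ESTABLISHED connection to a port outside an expected set, or any svchost.exe that hosts no service. The expected-port set and the two rules are assumptions to tune per host.

```python
"""Triage helper: correlate netstat -ano, tasklist /svc and wmic output.

Added example for this post, not the original author's code. The sample
data below reuses the post's listings; rows marked "constructed" are not.
"""
import csv
import io
import re

# Remote ports a desktop is expected to talk to. An ESTABLISHED connection
# to any other port is reported for review (assumption; tune per host).
EXPECTED_REMOTE_PORTS = {80, 443}

# Sample `netstat -ano` output (rows taken from the post's listing).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1024
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING       4
  TCP    192.168.0.101:1166     122.72.7.19:80         TIME_WAIT       0
  TCP    192.168.0.101:3945     123.125.65.210:80      CLOSE_WAIT      3604
  TCP    192.168.0.101:4610     111.73.45.234:7887     ESTABLISHED     1676
  UDP    0.0.0.0:1032           *:*                                    2920
"""

# Sample `tasklist /svc` output (rows from the post; PID 3100 is constructed).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1632 Dnscache
svchost.exe                   1808 LmHosts, SSDPSRV
ctfmon.exe                     424 N/A
winker.exe                    1676 VNware NAT window
svchost.exe                   3100 N/A
"""

# Constructed sample of `wmic process get processid,executablepath /format:csv`
# (wmic emits a leading blank line and a Node column; PC1 is a placeholder).
WMIC_SAMPLE = """\

Node,ExecutablePath,ProcessId
PC1,C:\\WINDOWS\\system32\\svchost.exe,1632
PC1,C:\\WINDOWS\\system32\\svchost.exe,1808
PC1,C:\\WINDOWS\\system32\\ctfmon.exe,424
PC1,C:\\WINDOWS\\system32\\winker.exe,1676
PC1,C:\\WINDOWS\\system32\\svchost.exe,3100
"""


def parse_netstat(text):
    """Rows of `netstat -ano`. TCP lines carry a state column, UDP lines do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # header, blank or "Active Connections" line
        host, _, port = remote.rpartition(":")
        rows.append({"proto": proto, "local": local, "remote_host": host,
                     "remote_port": int(port) if port.isdigit() else None,
                     "state": state, "pid": int(pid)})
    return rows


# image name (must contain a dot), PID, then the Services column
TASKLIST_ROW = re.compile(r"^(\S+\.\S+)\s+(\d+)\s+(.*?)\s*$")


def parse_tasklist_svc(text):
    """Map PID -> {image, services} from `tasklist /svc`; "N/A" means none."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if not m:
            continue  # header and ===== separator lines
        image, pid, services = m.groups()
        svcs = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        procs[int(pid)] = {"image": image, "services": svcs}
    return procs


def parse_wmic_paths(text):
    """Map PID -> executable path from the csv-formatted wmic listing.
    Columns are read by header name, so wmic's column ordering does not matter."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return {int(r["ProcessId"]): r["ExecutablePath"] for r in reader if r["ProcessId"]}


def triage(netstat_text, tasklist_text, wmic_text):
    """Return findings (pid, image, services, path, reasons), lowest PID first."""
    procs = parse_tasklist_svc(tasklist_text)
    paths = parse_wmic_paths(wmic_text)
    reasons = {}
    # Rule 1: ESTABLISHED TCP connection to a port we do not expect.
    for c in parse_netstat(netstat_text):
        if c["proto"] == "TCP" and c["state"] == "ESTABLISHED" \
                and c["remote_port"] not in EXPECTED_REMOTE_PORTS:
            reasons.setdefault(c["pid"], []).append(
                f"ESTABLISHED to {c['remote_host']}:{c['remote_port']}")
    # Rule 2: an svchost.exe that hosts no service at all.
    for pid, p in procs.items():
        if p["image"].lower() == "svchost.exe" and not p["services"]:
            reasons.setdefault(pid, []).append("svchost.exe hosting no service")
    findings = []
    for pid in sorted(reasons):
        p = procs.get(pid, {"image": "?", "services": []})
        findings.append({"pid": pid, "image": p["image"], "services": p["services"],
                         "path": paths.get(pid, "?"), "reasons": reasons[pid]})
    return findings


if __name__ == "__main__":
    for f in triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE, WMIC_SAMPLE):
        print(f"PID {f['pid']:>5}  {f['image']:<24} {f['path']}")
        for r in f["reasons"]:
            print("       -", r)
        if f["services"]:
            print("       services:", ", ".join(f["services"]))
```

On a suspect machine, redirect the three commands to files and pass their contents to triage(). The script only points at what to inspect; ending the process, deleting the file and removing the service stay manual steps, as the post describes.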
Probably everyone has seen rundll32.exe take 100% of the CPU. That too can be tackled with the /m parameter of tasklist, which lists the DLL modules loaded by each process, so you can see which DLL the rundll32.exe is running. It is more involved and needs some understanding of and experience with the system; I will have a chance to cover it in detail later. Third-party tools such as 360 Security can also be used. I have written this at length so you can see every step clearly; if anything is unclear I can answer, or join QQ group 73682851 to discuss.