hacked
If you do detect spyware activity on your machine, remain calm (which is easier said than done.) It is not possible to determine quickly what type of spyware you have found so treat anything as dangerous because if you are dealing with a hacker backdoor trojan, it is necessary that your next actions do not alert the intruder that they have been detected as they may attempt to delete any trails that will lead back to them, and in doing so may cause harm to your computer.
Don't hang around online
If your internet connection is live then close out immediately and if you are running broadband then temporarily turn off the DSL router to avoid remote reconnection. ( Unless you really know what you are doing then we advise against attempting to determine the intruders IP address or monitor their actions before disconnecting. )Trojan and Spyware Removal
There are 3 different methods which we will outline here, and you will most probably use a combination of one, two or all of them.
No one way is the right or wrong way, these are just different options to achieve the same end result. It really depends on some extent on your level of expertise and what you feel comfortable with.
Manual Trojan Removal Hints and Techniques
Using a virus and malware scanner is essential but it does not mean that these programs will be able to remove a trojan infection when one occurs. This article aims to give you a general overview on how a trojan infects you as well as hints and techniques on manually removing a trojan infection.
Trojans need to be able to start up
This may sound obvious but a lot of people don't realise that trojans cannot continually infect your computer without somehow finding a way to re-start when the computer re boots.
To re-start after a computer has been rebooted a trojan will often use the various start up methods legitimate software use to re-start. This gives us an advantage over the trojan, if we know where to look we can stop the trojan from re-starting and basically stop the infection.
The registry is the first place to look; many simple trojans will use the registry to start up.
To view your registry with windows XP go to start then run and type regeditthen hit ok.
To view your registry with windows vista go to the start search dialog box and type in regedit
Once you have the registry editor open you can try navigating to the following paths
To re-start after a computer has been rebooted a trojan will often use the various start up methods legitimate software use to re-start. This gives us an advantage over the trojan, if we know where to look we can stop the trojan from re-starting and basically stop the infection.
The registry is the first place to look; many simple trojans will use the registry to start up.
To view your registry with windows XP go to start then run and type regeditthen hit ok.
To view your registry with windows vista go to the start search dialog box and type in regedit
Once you have the registry editor open you can try navigating to the following paths
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
These registry paths are the most common paths that a trojan can start up on. The picture below is a hypothetical trojan infection.
Please note that a trojan will never be as easy to spot as this and will almost always use names that sound like they are part of windows or important files to trick the user.
Please note that a trojan will never be as easy to spot as this and will almost always use names that sound like they are part of windows or important files to trick the user.
The windows built in start up tools
Windows 98, Windows XP and Windows ME and Vista all come with a tool called MSConfig.
This tool is a hidden tool and you will not see it in your program accessories or a link to it on your desktop but it is easy to get it running. Simply go to start, then run and type msconfig then hit ok
This tool is a hidden tool and you will not see it in your program accessories or a link to it on your desktop but it is easy to get it running. Simply go to start, then run and type msconfig then hit ok
Now msconfig will appear. It has different appearances depending on what operating system you are using. Windows 98 and ME will not have the same options that XP has but don’t worry they can all do the same sort of job.
At the top of the MSConfig program you will see an array of tabs. To begin with you will want to look at the tab that is entitled startup. What you see under this tab is all the software that uses the registry to autostart when windows reboots. This is where you can disable software from autostarting.
Before you go and disable software it is important to find out exactly what it does first. There are only a few essential core programs that need to start with Windows but you may also want your antivirus software and other programs you use frequently to start.
If a Trojan has written itself to the registry to autostart you can use msconfig in some circumstances to stop it restarting.
Once you have disabled the Trojan from restarting then you will need to reboot your computer. Once your computer has been rebooted you should now be able to delete the Trojan files. This doesn’t always work as trojans have become very sophisticated and sometimes use a process to continually write the entry back to the registry every few seconds.
If you come across a Trojan that will not let you remove its registry entries you will need to use a program like unlocker to stop it running. Then you can delete it and disable the start up entries using msconfig. You can download unlocker for free here:
ccollomb.free.fr/unlocker/
Services in Windows XP
Windows XP differs from windows 98 and ME in that it can also use services to autostart programs. In msconfig again you can access the services by clicking on the services tab at the top. You will be presented with the following:
I have drawn a box and an arrow around hide all Microsoft services field. It is important to tick this as it hides the important services that are required for your operating system to function correctly. What you are left with is programs from other manufacturers who also want there software to autostart using the services feature. You should be able to disable any services you don't want autostarting. Some services are harder to disable then others. I have found that with some Symantec ones I have had to kill the process (using the unlocker program previously mentioned) and rename the .exe file then reboot before I can disable the service.
INI File start up entries
Msconfig also features win.ini, system.ini and boot.ini. These are also areas that software can start up. Extreme caution should be taken with editing these files. Boot.ini should be left well alone unless you know exactly what you are doing. If you make a mistake with that file windows will fail to load.
Win.ini is ok to edit in msconfig if you are sure of what you are doing. Win.ini will show you the file paths so you can check to see what the program is before you disable it from starting. Some trojans will use win.ini or system.ini to start and you can effectively disable them with msconfig.
Remember if you are not sure then either ask someone who knows, do some thorough searching online or leave it alone.
Deleting the trojan
Once the trojan has been disabled from starting up, you should be able to simply reboot and delete the executable files (the .exe files) and it should remove the trojan.
Remember to always use a firewall and a good virus scanner.
Win.ini is ok to edit in msconfig if you are sure of what you are doing. Win.ini will show you the file paths so you can check to see what the program is before you disable it from starting. Some trojans will use win.ini or system.ini to start and you can effectively disable them with msconfig.
Remember if you are not sure then either ask someone who knows, do some thorough searching online or leave it alone.
Deleting the trojan
Once the trojan has been disabled from starting up, you should be able to simply reboot and delete the executable files (the .exe files) and it should remove the trojan.
Remember to always use a firewall and a good virus scanner.
We suggest you print these instructions out to refer to, because you may not be able to check back to it once you are in the middle of the removal process.
Scanner Assisted Trojan Removal
- Detected Intruders Quarantined.
After following the analyzing instructions and running a full system scan , you should have any infected files that were detected in a quarantine folder. - Create a Mirror File.
Good Scanners will allow you to create a mirror copy of the infected file. This is important because it allows you to work on cleansing the affected files and you can then see if this alters the operation of any programs they were linked to, without the risk of doing any permanent damage. If the affected program does not function correctly you should discard the changes. - Note the file location of the infected file
The pathway for the located trojan virus, spyware, or adware will be displayed in the quarantine folder. You should note which programs these files are associated with because these are the programs that you will need to check to see that they still operate correctly once the infection has been removed but before you delete the mirror files. If you have files that you are not sure of what program they are part of there are various ways to get more information on the file that you are looking at google search. Note that some trojans and spyware have names that are similar or identical to legitimate files in order to mask their true nature. You can proceed with care to the clean and repair stage without doing irreversible damage so long as you have created the mirror or duplicate file first. - Run the Clean Infection function
We will presume that you are using a program that has a Infection removal and repair function. After making sure that you are not connected to the internet and there are no other processes running, run the infection removal function. NOTE: Some of the free versions of the Virus Trojan scanners will have detection only capabilities. If this is the case you will have to purchase the program to use its removal capabilities OR download a freeware version that does have malware removal capabilities enabled. - Test your Application
Check that the program from which the parasite malware has been removed, is working correctly. Create a new file with this application, make modifications, save, close and reopen. Don't move on until you are sure that it is functioning correctly. Test all programs that were infected. If an application does not behave as it should then discard the changes and restart the process with a new mirror file. If after the second or third attempt you are still unsuccessful then it may be safer to delete the infected program and reinstall it. ( Now... where are those discs ? ) - Second Scan
Best practice if at all possible but use a different scanner ( like a medical second opinion ) because not every scanner will detect all malware. If you are using a paid version as your primary protection there are a number of good software scanners that have a free version for on-demand scans, such as Mamutu, Trend Micro's Housecall, Malwarebytes Anti-Malware, and others.
If anything else is found, repeat from 3. - Delete Mirror Files
Follow the instructions in the control panel of your software application to remove the now unnecessary backup data. - Reactivate Firewall and active scanning
No comments:
Post a Comment