MY trojan removal guide

Posted 11-Dec-2006, 06:11 AM, #1, by tonyiam
First of all I gotta say sumtin. Damn you guys! Damn you! Why couldn't you have posted yours tomorrow? Ah well, ours are different anyways.

Well if you have a trojan or virus on your computer, chances are you found out about it with one of those nice AV proggies, like McAfee or Norton or Panda. Well, I really like those programs for removing viruses. But in the trojan department they fall a little short. The best thing about these programs is their virus/trojan detection; chances are that if you went through your computer you wouldn't be able to know if you were infected with a virus or a trojan. So you absolutely need to have one of those programs! And if you are infected with a virus then they are incredibly useful for removal as well, because they can repair damaged programs and can quarantine infected files. Plus so many viruses are designed to spread that if you don't use one of these AV programs your friends could get really mad at you. SO you need to do 2 things. One is get one of these programs. I like Norton; it's a little heavy on system resources but it has frequent updates, and information on any viruses or trojans can be found on the site of Symantec, the maker of the Norton suite of products. Most major AV programs have sites that have info on the latest viruses and trojans.

If you are running a crappy computer, something that can't run the auto-protection feature that comes with Norton AV, then the best thing to do is to download files into a special folder and then scan them with the individual file scan option.

Trojan Detection: Well, the best way to find them is to run an AV proggie, OR to check for open ports, as trojans are designed to allow other users full access to your computer. These users do not usually have physical access to your computer, so trojans must provide a way for them to enter your computer by opening a port. Most common trojans have common ports that they use for entering a computer, usually a very high number that most portscans don't bother checking. For example subseven uses port 27-something, 27000+. Few portscans would start at port 1 and go up that high, so maybe you should start at something like 10000 and go up from there. Another way to find any open ports if you are on a windows box is to run netstat -a. There is probably some linux equivalent though I do not know it, so if anyone does please post it. You can also use programs which list all running processes to you. And if you are some kind of expert on your OS you could comb through your directories looking for something that doesn't belong.

Trojan removal: Trojans, they are different from viruses because they are usually configured to run on startup and as a result are undeletable because windows is using them. So when you try removal with your favourite AV program it will say it was unable to delete them, and then you may want to try to remove them manually but an error message will tell you that windows is using the specified file. So then you are wondering, "huh?" Welllll, that sucks! Now what ya gonna do? Who ya gonna call? GHOSTBUSTERS! Nah, hold off on that, instead think about it for a second. This trojan is most likely designed to run when windows starts up. Soo, the logical thing to do is to think of a way to have access to all your windows files and folders without actually running windows. Now how ya gonna do that? Well, go to start, shut down, and then pick restart in MS-DOS mode! Click OK. Now you have access to everything and windows won't even be running! So I am assuming you know where the file is located because you tried to delete it manually. So let's say it was located in a directory that it created called "pooponyou". Well, at the prompt type "cd c:\pooponyou" without the quotes. Now you can type "del", which is the dos delete command for specific files. So let's say this trojan is called "crybaby.exe"; then you need to type "del crybaby.exe" without the quotes. OR at the prompt you can type "del c:\pooponyou\crybaby.exe" without the quotes. WOW!! YOU DID IT!!! Congrats, you just got rid of that undeletable trojan! Now you get back into windows and you find that the folder pooponyou is for some crazy reason undeletable. Well, go back into dos and this time you will use the dos command for deleting folders. And that command iiiiiiiiiss DELTREE. Yup, so type "deltree c:\pooponyou" without the quotes. You will then need to confirm the deletion; type yes. Well there ya go.

Trojan clutter: Trojans have to find a method to startup. So they either modified or created a new file to facilitate that. And the number of files that are responsible for the programs that run on startup is limited. The easiest way to view these files is to run "sysedit" at the run prompt, or to run it in the main windows directory. Look for any mention of the file or folder that you just deleted and erase those names. I advise against deleting the entire line, cuz ya don't know what the line is for! And the other way that programs usually run on startup is in the registry! So at the run prompt or in the main windows directory run "regedit", type "F3", and type in the name of your trojan, the name of the file that you deleted. You may find that there is an entire key for your trojan, in which case delete the key, or if there is another program in the key, modify it and delete only the trojan name.

Well, that's it. So long everybody, time to ride into the sunset. I jus' need a horse. Ah well, I'll drive. Hope this helps some people figure out why their AV program doesn't delete all their trojans.
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=#post) by khakisrule
Trojan clutter: Trojans have to find a method to startup. So they either modified or created a new file to facilitate that. And the number of files that are responsible for the programs that run on startup is limited.


The registry values that are usually added can be found in the following areas:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\

or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\


Not a bad little trojan removal guide..


------------------
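The two checks the guide describes (netstat for listening ports above the 10000 mark, and the Run/RunServices keys for entries still pointing at a removed file), written up as an added Python example that is not part of the post or the original AntiOnline guide. The netstat output and the regedit export are constructed samples; "pooponyou" and "crybaby.exe" are the post's own placeholder names.

```python
import re

# Constructed sample of Windows 'netstat -an' output (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed regedit export of the two startup keys named in the post;
# the "Loader" entry uses the post's own placeholder path.
REG_SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Loader"="C:\\pooponyou\\crybaby.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

def high_listeners(netstat_text, threshold=10000):
    """TCP sockets in LISTENING state on ports >= threshold, as (proto, port)."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])  # drop the address part
            if port >= threshold:
                hits.append((parts[0], port))
    return hits

def startup_refs(reg_text, filename):
    """(key, value name) pairs whose data still mention the removed file."""
    refs, key = [], None
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]")  # a new key section starts
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and filename.lower() in m.group(2).lower():
            refs.append((key, m.group(1)))
    return refs

if __name__ == "__main__":
    print(high_listeners(NETSTAT_SAMPLE))  # [('TCP', 27374)]
    print(startup_refs(REG_SAMPLE, "crybaby.exe"))
```

Only the listener on the high port and the Run value that names the deleted file are reported; the system tray and ScanRegistry entries are left alone, which is the "delete only the trojan name" point the guide makes.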
