Removing Trojans

Posted: July 06, 2007 04:57 pm  
Silver
Member No.: 10
Joined: February 18, 2006
Group: SuperMods
Posts: 333
****************************************************************
* SK Tut: How To Remove a Trojan From Your Box                 *
* Author: magic                                                *
****************************************************************

CHAPTERS

Chapter 1 - QUESTIONS
1- How do I know if I'm infected?
2- Is it harmful if I don't take action?
3- Should I panic and call the police?

Chapter 2 - TOOLS
1- What are the tools that I need?
2- How do I use them?

Chapter 3 - TAKING ACTION/REMOVING
1- Method 1
2- Method 2

Chapter 4 - SAFETY TIPS
1- What should I do to not get infected again?
2- How can I secure myself?

AUTHOR'S LAST WORDS

_____________________________________________________________


Chapter 1 - QUESTIONS

1- How do I know if I'm infected?

If you're wondering whether you have been infected by a trojan, aka RAT, and want to be sure, then a few ways to tell are:
- Your box starts making weird noises (ex. beeps)
- Your box freezes up frequently
- Applications are started all of a sudden
- Weird error message boxes pop up.

And I could go on forever, but those are a few good examples. Another way to tell if you're infected is by pressing
CTRL+ALT+DEL, which brings up the process manager. If you know your box very well, or know which files are usually
running when your system is on, then scroll down through the list and check for any suspicious or unusual files and
delete them. A suspicious file would be "trojan.exe" or "user.exe". Those are just examples of suspicious and unusual
files. Sometimes attackers name the server as another file used by the system, which shows up on the list. So if that's
the case, then find both of them and delete the one that comes first. I've tested this and it's 100% true.

2- Is it harmful if I don't take action?

That depends. If the attacker using the trojan knows how to cause serious damage with just a trojan, then yes. But if
it's just a user that's new to trojans, then not likely; the most would be a format of your C: drive. So if you're
infected, then you MUST take action and go about removing it right away (which I will explain the methods of doing so
later on in the tut), because you never know who's using the trojan.

3- Should I panic and call the police?

If you insist on doing so, yes. But the result will be unpleasing. That would make things even worse. Local police are
never good at tracing 'hackers' (I know from experience). I suggest you stay calm and don't worry about a thing, because
in the end, everything turns out okay.



Chapter 2 - TOOLS

1- What are the tools that I need?

For 1 of the methods you will need a trojan/RAT removal tool/utility. There's a lot of them out there on the net. A few
sites to download one from are:

- http://www.webattack.com/ (recommended from here)
- http://www.download.com/
- http://www.tucows.com/

It doesn't really matter which site you download from (even though I have a recommendation), and neither does the utility,
as long as it has an updated trojan definition list.

Or an AV scanner is just fine, but I recommend a trojan removal utility because not all AV scanners have good definition
lists of trojans.

You will also need a Trojan Port Scanner. It's needed for the 2nd method. I suggest you get a fast and reliable trojan port
scanner. The only good one that I know of is "Trojan Hunter". You can get it for yourself from the following site under
the "IP Scanners" section:

http://www.library.2ya.com

And download it. In case you don't know what Trojan Hunter is, I'll tell you. It's a port scanner, but not just A port
scanner. It's a trojan port scanner. It scans IPs for open ports that are used by trojans so the client can connect to
the server. Now that's out of the way, we can continue.

2- How do I use them?

If you are asking this question, then I feel sorry for you. But don't let that put you down, because every 'good'
program comes with a ReadMe text file. So check the main folder of the tool/utility for readme.txt or something like that,
which tells you about using the tool/utility properly.



Chapter 3 - TAKING ACTION/REMOVING

1- Method #1

The first method that I will guide you through on removing a trojan/RAT is pretty simple. I'm sure you might have thought of
it. I will write this method in steps, so it's easy for your mind to learn.

Step 1 - Run a FULL trojan scan with the trojan removal utility. (Full = scan the whole system: hidden folders, subfolders,
folders)
Step 2 - If the scan fails (which happens sometimes), do it again.
Step 3 - If the results are negative (as in the scanner has picked up some trojans/RATs), track down what the path to the
trojan/RAT is and quickly go to that path.
Step 4 - Check the file/server's properties for any tracks to who the author of the trojan is, or the date it was
'injected' into your system. That might help you out if you're wanting to find out who did it.
Step 5 - If you just want to get rid of the trojan as quickly as possible, let the trojan remover/AV delete it.
Step 6 - If the results are positive (as in the scanner picked up nothing/no trojans in your box), then you have nothing
to worry about.

And that's basically it for method #1. I told you it was simple.

2- Method #2

The second method that I have typed up is also simple, just a little more mouse-clicking involved. So it's basically a
manual way of getting rid of the trojan/rat. This is my recommended way of getting rid of a trojan. Again, I will guide
you through the steps of the second method, so no sweat.

Step 1 - Get a Trojan Port Scanner from anywhere (look above for more details on this)
Step 2 - Scan your IP for open ports. If you're getting confused already, just type 127.0.0.1 in the box where it asks
for the IP.
Step 3 - Wait and check that the scanner scans EVERY port (1 - 65000).
Step 4 - After the scan is done, if there are any ports that are open at all, check which trojan is using the port,
by either searching on Google or reading through Knightmare's updated port list located here:
http://forums.tgs-security.com/viewtopic.php?t=2061
Step 5 - When you have found the trojan that uses the port, download it from its official site or a trusted site that is
hosting it.
Step 6 - Run it, NOT the server.exe but client.exe, which is usually the name of the trojan. For example:
If the trojan was called Magic RAT, the client.exe would be MagicRAT.exe. So you run that. Get it?
Step 7 - After you've run the client, connect to yourself (127.0.0.1) by typing the IP in the IP address field.
Step 8 - After you've successfully connected to yourself, look for options on the trojan with the name "Server" or that
sort of name. When you've found it, go to Step 9.
Step 9 - Look for a button that says "ShutDown/Melt/Delete Server". Most of the trojans have it as "ShutDown Server".
Step 10 - After you've done that, well.. YOU'RE DONE!

And that's it for the second method of removing a trojan from your box. Wasn't that bad, was it? Now you're perfectly safe.
Though the damage might still have left a mark, nothing else will happen.



Chapter 4 - SAFETY TIPS

1- What should I do to not get infected again?

- This is a very useful tip. NEVER download or accept any files from ANYONE on the internet unless you trust the site
or the person that's sending it. Even if you trust them, make sure you scan the file before opening and using it,
because that's how most of the infections occur. People don't bother to scan the files, and then they cry about being
infected. So SCAN!

- Another useful tip. Don't play around with trojans themselves. If you're new to trojans or just wanting to experiment
on yourself, but are not good with trojans, then delete the trojan right away, as that will lead to you running
the server and forgetting or not knowing how to remove it after. Then if somebody finds your IP and scans it by
any chance, and sees you have that typical trojan port open, well, it's obvious what happens after.

That's all the tips I'm typing. Use your brain to figure out more, that's why you have it.

2- How can I secure myself?

Here are the top 3 things that you can and should do to secure yourself.

- Install a good firewall (ZoneAlarm, Sygate)
- Install a good AV scanner (McAfee, AVG)
- Run virus/trojan scans once a week.



AUTHOR'S LAST WORDS
This is my very first tutorial. So if you see something is wrong, or I have missed something, don't start flaming. Just
simply give feedback, negative or positive; they're both appreciated. I have written this strictly for SKs. I've been
asked so many times the stupid question of how to remove trojans, so I took my time and typed up a tutorial so I have a
link to send them to and save myself trouble. If you have any suggestions or comments about this tutorial, or would
like to host it on your site, contact me IMMEDIATELY and we will further discuss the situation. If not, and I find out that
you have been stealing my tutorial(s), I will warn you once to take it down or give credit where it's due. There will be no
second warning. I will take action and immediately take down the site personally.
Sorry guys, but no pics. I was thinkin' about it, but didn't do it. It's pretty straightforward, so I guess it's alright.
I hope you've learned something from this, and will take it for granted. You should not need any extra help whatsoever. If you do, then read over the steps carefully and you'll find your solution.
*There is a chance that this tut might be updated* - so stay in touch!

Yours truly, Magic

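The local port check that Method 2 describes in Steps 2 to 4, as an added Python example (not part of the original post, and not the Trojan Hunter tool it mentions): it connect-scans every port on 127.0.0.1, lists the ones that are listening, and flags any that appear in a watchlist. The watchlist values are constructed placeholders, not Knightmare's list from the linked thread, and the demo listener the script plants stands in for a trojan server only so the output shows a hit.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholder watchlist (port -> label). The post points at a real
# port list on another forum; these sample numbers do not reproduce it.
WATCHLIST = {
    12345: "sample RAT port (constructed)",
    27374: "sample RAT port (constructed)",
    31337: "sample RAT port (constructed)",
}

def port_is_open(host, port, timeout=0.2):
    """True if a TCP connect() to host:port succeeds, i.e. something is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def scan_localhost(ports=range(1, 65536), host="127.0.0.1", workers=200):
    """Connect-scan the given ports on loopback (Steps 2-3); return sorted open ports."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: port_is_open(host, p), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)

def flag_ports(open_ports, watchlist=WATCHLIST):
    """Split open ports into (suspicious, other) against the watchlist (Step 4)."""
    suspicious = {p: watchlist[p] for p in open_ports if p in watchlist}
    other = [p for p in open_ports if p not in watchlist]
    return suspicious, other

def open_demo_listener(port=0):
    """Harmless loopback listener standing in for a trojan server (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Plant the demo listener, put its port on the watchlist, scan all of loopback.
    srv, demo_port = open_demo_listener()
    watch = {**WATCHLIST, demo_port: "demo listener (constructed)"}
    hits, rest = flag_ports(scan_localhost(), watch)
    srv.close()
    for p, label in hits.items():
        print(f"SUSPICIOUS: 127.0.0.1:{p} is listening ({label})")
    print("other listening ports:", rest)
```

A port number alone is weak evidence, since legitimate services can sit on the same ports; confirm any hit by identifying the listening process (for example with netstat) before acting on it.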

Posted: January 21, 2008 01:40 pm  
Tin
Member No.: 242
Joined: January 21, 2008
Group: Members
Posts: 1




Spybot is one of the popular and effective malware removers, and so is Lavasoft's Ad-Aware, which removes some that Spybot wasn't able to remove.