Removing Trojans
- Find the service holding the port open on Windows 2000/NT machines by using Foundstone Inc. Vision. See the diagram below for an example of the Vision Port Mapper.

You will not be able to use Vision in Windows XP; however, you can display a port map by executing the command netstat -ano from the command prompt.

The netstat -ano command lists all open ports and the PID associated with each port. To see which application is using a PID, open the Task Manager and select Processes. By default, the PID is not listed in this view. To add the PID column, go to View on the menu bar, choose Select Columns, check the box next to PID and select OK. The corresponding PID will be displayed beside each application.
NOTE: Once you have identified the application holding the port(s) open, do not delete or kill the process; you will need it to find other components of the hack.
- Execute a search for the Trojan application. Change the View within the search window to "Details" so that you can see the date and time each file was modified. Change Folder Options to show all hidden and protected operating system files, since files downloaded remotely onto the machine are often given the hidden attribute.
- Once you have found the Trojan application, write down the location, path and date it was created. Search for all files/folders created around that time - select a time frame of several days before and after the creation date of the Trojan. This lists all files created around the time the Trojan was created on the computer. Re-sort the view by the Modified date field and look for the Trojan file using the path and date listed for that file. This will help you find additional files downloaded at the same time.
- Open Vision or go to the Task Manager and kill the processes. Delete the Trojan and all files and folders associated with it. Clean the registry - keep in mind that a Trojan is often given the same name as a required operating system file, or it may be linked to a registry entry. If this is the case, Windows may not let you stop the process or delete the files associated with the Trojan, meaning that you must clean the registry before you can delete the Trojan and its associated files.
NOTE: You will be able to tell the difference between a required Windows file and the Trojan by comparing their paths and creation dates.
- Clean the Registry. Make a backup of the registry before proceeding - if you are uncomfortable editing the registry, do not proceed with this step. Instead please call OIS Client Services at 966-1325 to make an appointment for deskside support. Search for the Trojan executable file in the registry. Most likely it will show up in the HKEY_LOCAL_MACHINE\System\ControlSet keys, either under Control or Services. If the Trojan is named after a legitimate Windows process (a common example is services.exe), make sure that the Image Path matches the one you have written down for the Trojan. Once you have found the executable in the registry, the Trojan will most likely appear as a string value, and you can delete the key associated with it. After clearing the registry, try to delete the Trojan. You may have to reboot for the registry changes to take effect.
- Reboot the machine and run Netstat (XP) or Vision (2K) to see if the Trojan has been removed and that no other Trojans are present. Occasionally, a computer may have multiple instances of a Trojan placed in different locations - when the original is removed, another instance of the Trojan is activated. If you find another instance of the Trojan, repeat steps B through E until the Trojan is deleted.
- Secure the machine following the steps outlined in the Securing Windows 2000 or Securing Windows XP documents. If your system has been compromised, all passwords for the local accounts on the computer and possibly the domain login passwords are known. Reset passwords for the Administrator and all local / domain accounts on the computer. For additional help or information about this procedure, please read the section on Managing Users.
- The steps listed in this Trojan Removal document will work on most compromised computers. However, there are some complex Trojan worms/viruses that would take too long to document here. If you need additional assistance, please call OIS Client Services at 966-1325 during business hours.
- For more information or to download other security tools, please refer to our Virus/Security or Downloads pages.
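The following PowerShell script is an added example and is not part of the original OIS page or its tools. It performs the read-only look-ups the steps above describe by hand (port-to-PID-to-executable mapping, files created or modified around the Trojan's creation time including hidden and system files, and registry values that reference the executable with a check of whether the full Image Path matches), so the results can be compared before anything is killed or deleted. It assumes a modern Windows host with PowerShell 5.1 or later (Get-NetTCPConnection does not exist on Windows 2000/XP, where the page's netstat -ano and Vision steps apply), and the $SuspectPath and $DaysWindow values are placeholders you set from your own notes.

```powershell
# Added triage example (not from the original page). Read-only: it kills nothing and deletes nothing.
# Assumptions: PowerShell 5.1+, run from an elevated prompt; $SuspectPath is a placeholder path
# you replace with the one written down in the steps above; $DaysWindow is the search window.
param(
    [string]$SuspectPath = 'C:\Windows\System32\placeholder_trojan.exe',  # placeholder, not a real indicator
    [int]$DaysWindow = 3
)

# 1. Ports and their owning processes: the equivalent of "netstat -ano" plus the Task Manager
#    PID column, with the executable path added so it can be compared to the path you noted.
function Get-PortOwners {
    Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort  = $_.LocalPort
                RemoteAddr = $_.RemoteAddress
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = $proc.ProcessName
                Path       = $proc.Path     # empty for protected system processes
            }
        } | Sort-Object LocalPort
}

# 2. Files created or modified within +/- $Days of a given time. -Force includes hidden and
#    system files, matching the Folder Options change described above.
function Get-FilesNearTime {
    param([datetime]$Center, [int]$Days, [string]$Root = 'C:\')
    $from = $Center.AddDays(-$Days)
    $to   = $Center.AddDays($Days)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
            ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to)
        } |
        Select-Object FullName, CreationTime, LastWriteTime, Attributes |
        Sort-Object LastWriteTime
}

# 3. Registry values that mention the executable's file name. PathMatches is $true only when the
#    value contains the full suspect path; a legitimate services.exe entry will match the name but
#    not the path, which is exactly the Image Path comparison the page tells you to make.
function Find-RegistryReferences {
    param([string]$Needle)
    $name  = [IO.Path]::GetFileName($Needle)
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services',
             'HKLM:\SYSTEM\CurrentControlSet\Control',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($root in $roots) {
        # Get-Item covers the root key's own values (the Run keys keep theirs there);
        # Get-ChildItem -Recurse covers every subkey beneath it.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($data -match [regex]::Escape($name)) {
                    [pscustomobject]@{
                        Key         = $key.PSPath
                        Value       = $valueName
                        Data        = $data
                        PathMatches = ($data -like "*$Needle*")
                    }
                }
            }
        }
    }
}

Write-Host "== Listening/established ports and owning processes =="
Get-PortOwners | Format-Table -AutoSize

if (Test-Path -LiteralPath $SuspectPath) {
    $created = (Get-Item -LiteralPath $SuspectPath -Force).CreationTime
    Write-Host "== Files created or modified within +/- $DaysWindow days of $created =="
    Get-FilesNearTime -Center $created -Days $DaysWindow | Format-Table -AutoSize
} else {
    Write-Host "Suspect file not found at $SuspectPath; set -SuspectPath to the path you wrote down."
}

Write-Host "== Registry values referencing $([IO.Path]::GetFileName($SuspectPath)) =="
Find-RegistryReferences -Needle $SuspectPath | Format-Table -AutoSize
```

Run it as .\triage.ps1 -SuspectPath 'C:\path\you\noted\file.exe' -DaysWindow 3 from an elevated prompt; the full-disk file walk is slow, so narrow Get-FilesNearTime's -Root to the drive or folder where the Trojan was found when you already know it. Rows where PathMatches is $false but the file name matches are the cases the NOTE above warns about: a legitimate Windows file sharing the Trojan's name, to be kept.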
Help - Office of Information Systems - UNC School of Medicine