Removing a Trojan Horse
Trojans often modify the startup files of your computer, add or change lines in the system registry and even overwrite system files to make sure they are run every time you boot up. For that reason, removing them by hand takes time, patience and an understanding of what you are doing. It is fraught with dangers, including trashing your registry or loosing the ability to run programs so it is definetly not for everyone - even those who know exactly what they are doing often prefer to use automated tools when removing a trojan horse.
Each trojan has its own specific removal routine, see the Cleaners & Fixes pages for details on those. They do however all conform to the same basic patterns :
- They usually insert a line in the run, run once or run services keys in the system registry. This is the principal startup method of most trojans including Back Orifice & Sub7. Remove trojan line from the registry and rebooting usually stops the trojan loading.
- Some alter Win.ini, system.ini or plae themselves in the "Startup" folder. Again, removing the offending line usually stops the trojan running.
- Some alter or replace system files. These need careful handling and are best left to experts or automated tools.
- One in particular can modify a certain setting in the registry, causing it to be executed before ANY program you run. removing this line stops you running ANYTHING! Again, this is best left to experts or automated tools to deal with.
The steps involved in removing a trojan are simple:
- Identify the trojan horse file on your hard disk.
- Find out how it is being started and take the necessary action to prevent it being restarted after a reboot.
- Reboot your machine and delete the trojan horse.
- See the Recovering from a System Compromise pages for more in-depth help on what else you may need to do.
Reprinted from http://www.nohack.net/detection.htm
0 comments: