RhinoSoft.com Knowledge Base

Article 1467
Trojan/Rootkit Removal Instructions
One of our users submitted these instructions for cleaning a computer that has been compromised.
There are many ways for someone to get into your system. Several of the most common are below:
- Via email (for example, if Outlook Express is not configured for maximum security)
- Via a web site browsed with an out-of-date web browser, where something installed itself (generally known as a browser hijacker or add-on)
- Antivirus software that is not regularly updated or not always running
- Latest Microsoft updates not installed (Windows Update)
- No firewall, or one that is poorly configured (see www.kerio.com, www.sygate.com)
- The system is running a network service with an unpatched vulnerability, exposed on its standard port (a database server such as MySQL, for example)
If a server has been compromised, the worst kind of trojan is what is called a rootkit: it hides its files, registry keys and processes from the operating system's own tools, so it is very difficult to detect and remove. Sysinternals has several tools that help: Autoruns, Process Explorer, Filemon, Regmon and RootkitRevealer. (RootkitRevealer works by comparing what the Windows API reports with what it reads directly from the disk and the registry hive; a discrepancy is a lead to investigate, not proof of infection by itself.) Download these programs, as well as Kerio Personal Firewall, Lavasoft's Ad-Aware and Spybot Search and Destroy. Because a rootkit may tamper with anything downloaded or run on the infected machine, it is safest to download the tools on a known-clean computer and carry them over on removable media. Update your antivirus software, then follow these steps:
- Remove the network cable.
- Run a full antivirus scan.
- Run RootkitRevealer and investigate every discrepancy it reports.
- Run Ad-Aware and Spybot. Remove any suspicious entries they find.
- Start Autoruns. Disable anything non-trustworthy from loading at startup with this tool.
- Install Kerio Personal Firewall.
- Shut down the computer.
- Plug the network cable back into the computer.
- Restart the computer.
Kerio will install some default rules. When it is done, inspect Kerio to see whether something you did not install is waiting for a connection from outside. Alternatively, Process Explorer's TCP/IP tab (or netstat -ano at a command prompt) shows which ports every process has open. Find any suspicious processes, discover which file on disk they originate from and check it. If necessary, delete the file that spawns these processes. NOTE: Some trojans are split into multiple components, each checking the other. If you stop one, the other will restart the original process, so identify all the components first and remove them together, or disable their startup entries in Autoruns and reboot before deleting the files.
Once these steps are completed, remove the network cable and reboot. Once restarted, make certain the things that were removed stay removed: the same processes, startup entries and listening ports must not reappear. If so, there is a reasonable expectation that the trojan has been successfully removed. If all these steps did not remove it, the only recourse is likely to be wiping the machine and reinstalling the operating system; since a rootkit can hide from the very tools used to find it, a clean reinstall is the only way to be certain.
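The two checks above (which process owns each listening port, and whether a removed component stays gone after the reboot) can be made repeatable with a small script. The following is an added example, not part of the original article: it parses the output of netstat -ano and tasklist /FO CSV /NH, joins each listening socket to its owning process, flags listeners missing from a known-good baseline, and compares a pre-reboot snapshot with a post-reboot one. The netstat and tasklist outputs, the baseline, and the process name update.exe on TCP 5050 are all constructed sample data for the example.

```python
"""Inventory Windows listening sockets and compare snapshots across a reboot.

Added example, not code from the RhinoSoft article. Parses the text formats of
`netstat -ano` and `tasklist /FO CSV /NH`; sample outputs below are constructed.
"""
import csv
import io
import re
import subprocess

# One netstat -ano row: proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return listening sockets. TCP counts only in LISTENING state; every bound
    UDP socket receives datagrams, so all UDP rows are kept."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        host, port = local.rsplit(":", 1)  # works for [::]:135 as well as 0.0.0.0:135
        listeners.append({"proto": proto, "host": host, "port": int(port), "pid": int(pid)})
    return listeners


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    pid_to_image = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pid_to_image[int(row[1])] = row[0]
    return pid_to_image


def inventory(netstat_text, tasklist_text):
    """Join each listening socket to its owning process; unknown PIDs are labelled."""
    images = parse_tasklist(tasklist_text)
    inv = []
    for sock in parse_netstat(netstat_text):
        sock["image"] = images.get(sock["pid"], "<no such process>")
        inv.append(sock)
    return sorted(inv, key=lambda s: (s["proto"], s["port"], s["image"]))


def listener_keys(inv):
    """Identity of a listener across reboots: PIDs change, (proto, port, image) does not."""
    return {(s["proto"], s["port"], s["image"]) for s in inv}


def unexpected(inv, baseline):
    """Listeners whose (proto, port, image) is not in the known-good baseline."""
    return [s for s in inv if (s["proto"], s["port"], s["image"]) not in baseline]


def diff_snapshots(before, after):
    """Return (gone, new): listeners that disappeared and that appeared between snapshots."""
    b, a = listener_keys(before), listener_keys(after)
    return sorted(b - a), sorted(a - b)


def live_snapshot():
    """Capture the real inventory on a Windows host (not used by the offline sample)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return inventory(ns, tl)


# --- constructed sample data: one snapshot before the cleanup reboot, one after ---
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5050           0.0.0.0:0              LISTENING       1880
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1041       64.233.187.99:80       ESTABLISHED     1632
  UDP    0.0.0.0:500            *:*                                    1084
"""
TASKLIST_BEFORE = '''"System","4","Console","0","236 K"
"svchost.exe","924","Console","0","4,936 K"
"lsass.exe","1084","Console","0","1,244 K"
"iexplore.exe","1632","Console","0","28,412 K"
"update.exe","1880","Console","0","2,056 K"
'''
NETSTAT_AFTER = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       936
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1096
"""
TASKLIST_AFTER = '''"System","4","Console","0","236 K"
"svchost.exe","936","Console","0","4,812 K"
"lsass.exe","1096","Console","0","1,240 K"
'''
# Known-good listeners for this sample host (constructed; build your own from a clean machine).
BASELINE = {("TCP", 135, "svchost.exe"), ("TCP", 445, "System"),
            ("TCP", 139, "System"), ("UDP", 500, "lsass.exe")}

if __name__ == "__main__":
    before = inventory(NETSTAT_BEFORE, TASKLIST_BEFORE)
    for s in unexpected(before, BASELINE):
        print("unexpected listener:", s)
    gone, new = diff_snapshots(before, inventory(NETSTAT_AFTER, TASKLIST_AFTER))
    print("gone after reboot:", gone, "| new after reboot:", new)
```

Capture the first snapshot before pulling the network cable and the second after the final reboot; anything that reappears in the "new" list, or that stays in the unexpected list, means a component survived and the machine should not be trusted. The baseline must come from a machine you know to be clean, since the infected host's own view of itself is exactly what a rootkit manipulates.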

