Detecting and cleaning Trojans


Checking the Listening Ports

Detecting a Trojan reliably is hard. The simplest check is to list which ports are open and in the "listening" state, using a utility such as netstat. Many Trojans run as a system service in the background so that they can accept commands from a remote attacker, and to do that they must listen on a port. If a TCP or UDP socket is listening on a port you do not recognise, or is bound to or talking with an address you cannot account for, treat that as a sign that the system may be infected by a Trojan horse. The port number on its own proves nothing: what matters is which process owns the socket and whether you can explain why it is there.

Here is an example of using the netstat utility on Windows XP Professional. The -a switch lists all connections and listening ports, and -b shows the executable (and, where it can be resolved, the components) that created each socket:

C:\>netstat -a -b

Active Connections

Proto Local Address Foreign Address State PID
TCP windows-xp:epmap 0.0.0.0:0 LISTENING 956
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
— unknown component(s) —
[svchost.exe]
TCP windows-xp:microsoft-ds 0.0.0.0:0 LISTENING 4
[System]
TCP windows-xp:50300 0.0.0.0:0 LISTENING 1908
[oodag.exe]
TCP windows-xp:1025 0.0.0.0:0 LISTENING 496
[alg.exe]
TCP windows-xp:1030 0.0.0.0:0 LISTENING 1252
[ccApp.exe]
UDP windows-xp:microsoft-ds *:* 4
[System]
UDP windows-xp:4500 *:* 724
[lsass.exe]
UDP windows-xp:isakmp *:* 724
[lsass.exe]
UDP windows-xp:1900 *:* 1192
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
UDP windows-xp:ntp *:* 1036
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]
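A small triage script for output like the listing above, added here as an example and not part of the original post: it parses `netstat -a -b` text into one record per socket, attaches the owning image name that -b prints in square brackets, and reports every listener whose owner is missing from a baseline recorded on a known-clean machine. The sample text and the baseline are constructed for this example. An entry such as oodag.exe or ccApp.exe shows up only because it is absent from that baseline, which makes it something to verify, not a verdict. The constructed line on port 5000 followed by "Can not obtain ownership information" (the wording netstat uses when it cannot look up the owner) shows the unresolved-owner case, which is always reported.

```python
import re

# Constructed sample, modelled on the `netstat -a -b` listing in the text.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address            Foreign Address   State       PID
  TCP    windows-xp:epmap         0.0.0.0:0         LISTENING   956
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\rpcss.dll
  -- unknown component(s) --
  [svchost.exe]
  TCP    windows-xp:microsoft-ds  0.0.0.0:0         LISTENING   4
  [System]
  TCP    windows-xp:50300         0.0.0.0:0         LISTENING   1908
  [oodag.exe]
  TCP    windows-xp:1025          0.0.0.0:0         LISTENING   496
  [alg.exe]
  TCP    windows-xp:1030          0.0.0.0:0         LISTENING   1252
  [ccApp.exe]
  TCP    windows-xp:5000          0.0.0.0:0         LISTENING   2044
  Can not obtain ownership information
  UDP    windows-xp:microsoft-ds  *:*                           4
  [System]
  UDP    windows-xp:4500          *:*                           724
  [lsass.exe]
  UDP    windows-xp:isakmp        *:*                           724
  [lsass.exe]
  UDP    windows-xp:ntp           *:*                           1036
  c:\windows\system32\w32time.dll
  [svchost.exe]
"""

# Assumed baseline, recorded on a clean Windows XP box: image name -> ports or
# service names that image is expected to listen on. Keys are lower-case.
BASELINE = {
    "system": {"microsoft-ds"},
    "svchost.exe": {"epmap", "1900", "ntp"},
    "lsass.exe": {"4500", "isakmp"},
    "alg.exe": {"1025"},
}

# A socket line: proto, local, foreign, optional state (UDP has none), PID.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
OWNER_RE = re.compile(r"^\s*\[(?P<image>[^\]]+)\]\s*$")


def parse_netstat(text):
    """Turn `netstat -a -b` text into one dict per socket.

    In -b output the module lines and the final [image.exe] line belong to the
    socket line that precedes them, so they are attached to the last record.
    """
    records = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            # UDP prints no state column; an unconnected UDP socket is a listener.
            if rec["state"] is None:
                rec["state"] = "LISTENING" if rec["foreign"] == "*:*" else "UNKNOWN"
            rec["owner"] = None
            rec["modules"] = []
            records.append(rec)
            continue
        if not records:
            continue  # banner and column header before the first socket
        m = OWNER_RE.match(line)
        if m:
            records[-1]["owner"] = m.group("image")
        elif line.strip() and records[-1]["owner"] is None:
            records[-1]["modules"].append(line.strip())
    return records


def suspicious_listeners(records, baseline):
    """Return (proto, port, pid, reason) for listeners not explained by the baseline."""
    findings = []
    for rec in records:
        if rec["state"] != "LISTENING":
            continue
        port = rec["local"].rsplit(":", 1)[-1]
        owner = rec["owner"]
        if owner is None:
            findings.append((rec["proto"], port, rec["pid"], "owner could not be resolved"))
        elif owner.lower() not in baseline:
            findings.append((rec["proto"], port, rec["pid"], f"{owner} not in baseline"))
        elif port not in baseline[owner.lower()]:
            findings.append((rec["proto"], port, rec["pid"], f"{owner} not expected on this port"))
    return findings


if __name__ == "__main__":
    for proto, port, pid, why in suspicious_listeners(parse_netstat(SAMPLE_NETSTAT), BASELINE):
        print(f"{proto} port {port} (PID {pid}): {why}")
```

On a real machine, save the output of `netstat -a -b` to a file and feed its contents to `parse_netstat`; the baseline should come from the same command run on the machine before it was put on the network, and should be stored somewhere a compromised host cannot edit it.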

Creating a Snapshot

Another approach is to take a "snapshot" of all program files (*.EXE, *.DLL, *.COM, *.VXD and so on) and compare it against earlier snapshots over time. Take the baseline while the computer is disconnected from the network and known to be clean, by computing a checksum of every program file (with CRC, MD5 or another hashing mechanism) and storing the results. Because Trojans are often dropped into the operating system's own directories (\WINDOWS or \WINNT on Windows; /bin, /usr/bin, /sbin and /usr/sbin on the UNIX family), files that appear or change in those directories deserve the first look. Pay particular attention to program files whose names mimic a legitimate one, such as "svch0st.exe" standing in for "svchost.exe" (the host process used by many Windows system services); a name like that is a strong sign of a Trojan horse. Note that CRC is not tamper-resistant and MD5 collisions are practical, so a baseline meant to catch deliberate tampering should use a modern hash such as SHA-256, and the baseline itself must be kept where malware on the machine cannot rewrite it.
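The snapshot-and-compare procedure, written out as an added example (not code from the original post) in Python so that it runs the same way on Windows and on the UNIX family: it hashes every program file under a directory, stores the result as a baseline, later recomputes it and reports added, removed and modified files, and separately flags file names that are one keystroke away from a well-known system binary, the svch0st.exe trick described above. It uses SHA-256 rather than the CRC or MD5 the text mentions, because neither of those resists deliberate collisions. The known-image list, the extension set and the throwaway directory that demo() builds are constructed for this example.

```python
import hashlib
import json
import os
import tempfile

# Program-file extensions named in the text; extend to taste.
PROGRAM_EXTS = {".exe", ".dll", ".com", ".vxd"}

# Short illustrative list of genuine Windows images that Trojans like to imitate.
KNOWN_SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe"}


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, exts=PROGRAM_EXTS):
    """Map every program file under root (path relative to root, '/' separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = sha256_file(full)
    return digests


def save_snapshot(digests, path):
    # Write the baseline somewhere the machine under test cannot modify it.
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files that appeared, vanished, or whose digest changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _within_one_edit(a, b):
    """True if a != b and one substitution, insertion, deletion or adjacent swap maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(short == long_[:i] + long_[i + 1:] for i in range(len(long_)))


def lookalike_names(paths, known=KNOWN_SYSTEM_IMAGES):
    """Flag file names that almost match a genuine system image (e.g. svch0st.exe)."""
    hits = []
    for p in paths:
        name = os.path.basename(p).lower()
        if name in known:
            continue
        hits.extend((p, k) for k in sorted(known) if _within_one_edit(name, k))
    return hits


def demo():
    """Constructed walk-through: baseline a throwaway tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        for name, body in {"svchost.exe": b"MZ-good", "ws2_32.dll": b"MZ-dll",
                           "readme.txt": b"not a program file"}.items():
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        # Tampering: patch a DLL in place and drop a look-alike next to the real binary.
        with open(os.path.join(sysdir, "ws2_32.dll"), "ab") as f:
            f.write(b"-patched")
        with open(os.path.join(sysdir, "svch0st.exe"), "wb") as f:
            f.write(b"MZ-evil")
        diff = compare(baseline, snapshot(root))
        diff["lookalikes"] = lookalike_names(diff["added"])
        return diff


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use, run `snapshot` on the system directories while the machine is offline and clean, `save_snapshot` the result to removable or read-only media, and later `compare` a fresh snapshot against `load_snapshot` of that file; the look-alike check is cheap enough to run over the whole current snapshot, not only over the additions.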

Antivirus

The last option is antivirus software that can detect Trojans, combined with a firewall that monitors all inbound and outbound traffic. This is the most efficient method but also the most expensive, since most antivirus suites that integrate a firewall cost more than the two methods above (which are essentially free). There are some free tools, but they still take time, effort and money to find and download from the internet.

Also visit our other blog at http://askingsolution.blogspot.com/ to find the best tricks and tips for your computer.
