At this point the user is offline; nevertheless, two ports appear to be open in a listening state: 6667 and 31337. This is very suspicious, as normally no ports are open when the user is offline. (Sometimes ports stay open even after going offline; to make sure, you may want to reboot.)
Checking the "Running Programs" Tab reveals that a program called "regsvr16.exe" is running, which normally does not run. This file resides in the system directory and has a Control Panel icon. Very suspicious.
We now right-click on the file and choose "Delete To Recycle Bin", which will kill the process in memory and move the file to the recycle bin. If you are unsure whether this file is the Trojan, simply close it instead of deleting it.
To make sure this was the Trojan, we check the Connections Tab. Voilà! No more ports listening. The Trojan has been eradicated. To remove even the last traces of this Trojan, we have to find the autostart method it used.
We first check ALL the Registry Autorun keys and see that it did not use this method of auto-restarting: we don't find any key pointing to regsvr16.exe.
We then move over to the System Files Tab and see that it used the RUN = entry to load itself! We simply delete the part after Run =, as you would in a normal text editor. Finished!
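The same autostart check can be scripted. The following is an added example, not part of the original walkthrough or of the tool it describes: it assumes the RUN = entry is the one in the `[windows]` section of WIN.INI (where `run=` and `load=` live), and the sample file content and the `C:\WINDOWS\SYSTEM` path are constructed for illustration.

```python
import re

# Constructed sample WIN.INI content (assumption, not taken from the page).
SAMPLE_WIN_INI = """\
[windows]
load=
RUN = C:\\WINDOWS\\SYSTEM\\regsvr16.exe
NullPort=None

[Desktop]
Wallpaper=(None)
run=ignored-outside-windows-section
"""

AUTOSTART_KEYS = {"run", "load"}  # keys that start programs at boot
LINE_RE = re.compile(r"^(\s*)([^=;\[\]]+?)(\s*=\s*)(.*?)\s*$")


def scan_autostart(text):
    """Return (findings, cleaned_text) for run=/load= in the [windows] section.

    findings is a list of (line_number, key, value); cleaned_text keeps each
    key but drops everything after "=", as the manual step above does.
    """
    findings, out, section = [], [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        m = LINE_RE.match(line)
        if m and section == "windows":
            key, value = m.group(2).strip(), m.group(4)
            # Keys are case-insensitive; empty values are harmless.
            if key.lower() in AUTOSTART_KEYS and value:
                findings.append((lineno, key, value))
                line = f"{m.group(1)}{key}{m.group(3).rstrip()}"
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, cleaned = scan_autostart(SAMPLE_WIN_INI)
    for lineno, key, value in hits:
        print(f"line {lineno}: {key} starts {value}")
    print(cleaned)
```

Review each reported value before writing the cleaned text back, since legitimate software can also use these entries.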
You just cleaned yourself of a Trojan that NO antivirus software would have detected, as it's unknown to them.