Joined
Oct 25, 2002
Messages
2,783
Reaction score
0
Location
Edmonton, Alberta
Website
www.battleforums.com
Trojan Help! If You're Infected!

Here is a little guide provided by Sin (thanks, Sin) to help you out if you get infected by a trojan, and also some links. Enjoy! :D

0==*<GUIDE>*==0

first : you need to locate the infected files (which should have been found by your antivirus)

second : open Start, Run "regedit", hkey_localmachine->software->microsoft->windows->currentsettings->run

NOTE: There you'll find all the programs run at startup. Delete the entries which start the virus (they may have the same name as the virus, actually). Look to the right of the entries, at the paths. If one leads to an entry which has been discovered as a virus, delete it.

Delete all files which are infected.

Restart the PC, scan the PC again.

0==*<LINKS>*==0

0==*<ONLINE SCANNER>*==0

http://www.kaspersky.com/remoteviruschk.html
 
Joined
Oct 25, 2002
Messages
2,783
Reaction score
0
Location
Edmonton, Alberta
Website
www.battleforums.com
Start menu > Run > type netstat -a


For example,
Run > netstat -a
It will say the following, but depending on the user registered to the computer it will have a different name:

Active Connections
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED
TCP ankit:1036 dwarf.box.sk:ftp-data TIME_WAIT
TCP ankit:1043 banners.egroups.com:80 FIN_WAIT_2
TCP ankit:1045 mail2.mtnl.net.in:pop3 TIME_WAIT
TCP ankit:1052 zztop.boxnetwork.net:80 ESTABLISHED
TCP ankit:1053 mail2.mtnl.net.in:pop3 TIME_WAIT
UDP ankit:1025 *:*
UDP ankit:nbdatagram *:*

Now, let us take a single line from the above output and see what it stands for:
Proto Local Address Foreign Address State
TCP ankit:1031 dwarf.box.sk:ftp ESTABLISHED

Now, the above can be arranged as below:

Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP, or sometimes even IP or Internet Protocol.)

Local System Name: ankit (This is the name of the local system that you set during the Windows setup.)
Local Port opened and being used by this connection: 1031

Remote System: dwarf.box.sk (This is the non-numerical form of the system to which we are connected.)

Remote Port: ftp (This is the port number of the remote system dwarf.box.sk to which we are connected.)

State of Connection: ESTABLISHED

‘Netstat’ with the ‘-a’ argument is normally used to get a list of open ports on your own system, i.e. on the local system. This can be particularly useful to check and see whether your system has a Trojan installed or not. Yes, most good antiviral software is able to detect the presence of Trojans, but we are hackers, and need no software to tell us whether we are infected or not. Besides, it is more fun to do something manually than to simply click on the ‘Scan’ button and let some software do it.

The following is a list of Trojans and the port numbers which they use; if you netstat yourself and find any of the following open, then you can be pretty sure that you are infected.

Port 12345(TCP) Netbus

Port 31337(UDP) Back Orifice

Port 27374 SubSeven

Port 901, 902, 903 NetDevil

Anyway, the ports are often changed, so you can't detect them. Just keep in mind: ICQ is 5190, HTTP is 80, FTP is 21, eDonkey is 6221 AFAIR; the rest would be suspicious (forgot the Bnet port, doesn't matter).


Trojan Ports

31 = Master Paradise
121 = BO jammerkillahV
456 = HackersParadise
555 = Phase Zero
666 = Attack FTP
1001 = Silencer
1001 = WebEx
1010 = Doly Trojan 1.30 (Subm.Cronco)
1011 = Doly Trojan 1.1+1.2
1015 = Doly Trojan 1.5 (Subm.Cronco)
1033 = Netspy
1042 = Bla1.1
1170 = Streaming Audio Trojan
1207 = SoftWar
1243 = SubSeven
1245 = Vodoo
1269 = Maverick's Matrix
1492 = FTP99CMP
1509 = PsyberStreamingServer Nikhil G.
1600 = Shiva Burka
1807 = SpySender
1981 = ShockRave
1999 = Backdoor
1999 = Transcout 1.1 + 1.2
2001 = DerSpaeher 3
2001 = TrojanCow
2023 = Pass Ripper
2140 = The Invasor Nikhil G.
2283 = HVL Rat5
2565 = Striker
2583 = Wincrash2
2801 = Phineas Nikhil G.
3791 = Total Eclypse (FTP)
4567 = FileNail Danny
4950 = IcqTrojan
4950 = IcqTrojen
5000 = Socket23
5011 = OOTLT
5031 = NetMetro1.0
5400 = BladeRunner
5400 = BackConstruction1.2
5521 = IllusionMailer
5550 = XTCP 2.0 + 2.01
5569 = RoboHack
5742 = Wincrash
6400 = The tHing
6669 = Vampire 1.0
6670 = Deep Throat
6883 = DeltaSource (DarkStar)
6912 = Shitheep
6939 = Indoctrination
7306 = NetMonitor
7789 = iCkiller
9872 = PortalOfDoom
9875 = Portal of Doom
9989 = iNi-Killer
9989 = InIkiller
10607 = Coma Danny
11000 = SennaSpyTrojans
11223 = ProgenicTrojan
12076 = Gjamer
12223 = Hack'99 KeyLogger
12346 = NetBus 1.x (avoiding Netbuster)
12701 = Eclipse 2000
16969 = Priotrity
20000 = Millenium
20034 = NetBus Pro
20203 = Logged!
20203 = Chupacabra
20331 = Bla
21544 = GirlFriend
21554 = GirlFriend
22222 = Prosiak 0.47
23456 = EvilFtp
27374 = Sub-7 2.1
29891 = The Unexplained
30029 = AOLTrojan1.1
30100 = NetSphere
30303 = Socket25
30999 = Kuang
31787 = Hack'a'tack
33911 = Trojan Spirit 2001 a
34324 = Tiny Telnet Server
34324 = BigGluck TN
40412 = TheSpy
40423 = Master Paradise
50766 = Fore
53001 = RemoteWindowsShutdown
54320 = Back Orifice 2000 (default port)
54321 = Schoolbus 1.6+2.0
61466 = Telecommando
65000 = Devil 1.03

Even more Ports (no trojan)
LIST HERE (33k)
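The post above reads `netstat -a` output by eye. The following is an added example, not code from the thread, that does the same reading programmatically: it parses the text layout shown in the post, ignores outbound connections (whose ephemeral local ports such as 1031 or 1045 collide with the trojan table by chance), and reports only listening sockets that either sit on one of the trojan default ports quoted in the thread or are absent from an assumed baseline of normal Windows listeners. The trojan table is a subset of the thread's list, the service-name and baseline tables are assumptions for the example, and the sample output is constructed.

```python
"""Added example (not code from the thread): parse `netstat -a` text and
pick out listening ports that need an explanation.  Port tables below are
a subset of the thread's list plus an assumed baseline; the sample output
is constructed, not a real capture.
"""
from dataclasses import dataclass

# Default ports the thread attributes to specific trojans (subset).
# The thread itself warns these defaults are often changed, so a clean
# result proves nothing; a hit is simply a strong lead to investigate.
TROJAN_DEFAULTS = {
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus 1.x",
    ("tcp", 27374): "SubSeven",
    ("udp", 31337): "Back Orifice",
    ("tcp", 54320): "Back Orifice 2000",
    ("tcp", 901): "NetDevil control",
    ("tcp", 902): "NetDevil keystroke log",
    ("tcp", 903): "NetDevil file transfer",
}

# Service names netstat substitutes for well-known port numbers
# (assumed subset of the services file).
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "http": 80, "pop3": 110,
                 "epmap": 135, "nbname": 137, "nbdatagram": 138,
                 "nbsession": 139}

# Listening sockets a plain Windows workstation of that era normally has
# (assumed baseline; adjust it to the machine you are auditing).
EXPECTED_LISTENERS = {("tcp", 135), ("tcp", 139), ("udp", 137), ("udp", 138)}


@dataclass
class Connection:
    proto: str        # "tcp" or "udp"
    local_host: str
    local_port: str   # number or service name, exactly as netstat printed it
    remote: str       # "*:*" for a bound UDP socket
    state: str        # "" for UDP, which has no state column


def parse_netstat(text):
    """Turn `netstat -a` output into Connection records, skipping banner and header."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].lower() not in ("tcp", "udp"):
            continue
        host, _, port = parts[1].rpartition(":")
        state = parts[3] if len(parts) > 3 else ""
        conns.append(Connection(parts[0].lower(), host, port, parts[2], state))
    return conns


def port_number(port):
    """Resolve a printed port to an integer; None if the service name is unknown."""
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port.lower())


def is_listener(c):
    # A TCP socket in LISTENING accepts connections; every UDP socket that
    # netstat -a shows is bound and can receive.  Established or closing
    # TCP connections use ephemeral local ports, so they are ignored here.
    return c.proto == "udp" or c.state == "LISTENING"


def audit_netstat(text):
    """Return (proto, port, reason) for every listener that needs an explanation."""
    findings = []
    for c in parse_netstat(text):
        if not is_listener(c):
            continue
        n = port_number(c.local_port)
        if n is None:
            findings.append((c.proto, c.local_port, "unrecognised service name"))
            continue
        if (c.proto, n) in TROJAN_DEFAULTS:
            findings.append((c.proto, n, "default port of " + TROJAN_DEFAULTS[(c.proto, n)]))
        elif (c.proto, n) not in EXPECTED_LISTENERS:
            findings.append((c.proto, n, "listener not in baseline"))
    return findings


# Constructed sample in the layout the post shows; not real capture data.
SAMPLE_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ankit:epmap            ankit:0                LISTENING
  TCP    ankit:1031             dwarf.box.sk:ftp       ESTABLISHED
  TCP    ankit:12345            ankit:0                LISTENING
  TCP    ankit:1045             mail2.mtnl.net.in:pop3 TIME_WAIT
  TCP    ankit:6000             ankit:0                LISTENING
  UDP    ankit:31337            *:*
  UDP    ankit:nbdatagram       *:*
"""

if __name__ == "__main__":
    for proto, port, reason in audit_netstat(SAMPLE_OUTPUT):
        print(f"{proto.upper():3} {str(port):>6}  {reason}")
```

Run it against saved output (`netstat -a > ports.txt`, then feed the file contents to `audit_netstat`). The two deliberate hits in the sample (TCP 12345, UDP 31337) are reported by name; the TCP 6000 listener is reported only as "not in baseline", which is the honest answer for the renamed-port case the thread describes: the tool can tell you a port is unexplained, not what is behind it.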
 

lexigirl

Well-Known Member
Joined
Aug 28, 2002
Messages
340
Reaction score
0
Damn, my brother,
he downloaded one and thought he could remove it without doing anything other than Add/Remove Programs... at least I didn't get hacked. Wow, I was mad at him.

thanks
 

M@rin3 SnIp3r

Member
Joined
May 27, 2003
Messages
11
Reaction score
0
Location
UnDeR GrOunD
Very good, man. Good for all those kids that know nothing about trojans and ports. A good program to get rid of trojans is The Cleaner 1.5, found here. Well, if there are any newbies about trojans out there who are infected, go there, download The Cleaner and run it. The Cleaner gets rid of 99% of most trojans known today.
 

ring

Member!
Joined
May 27, 2003
Messages
17
Reaction score
0
Hey Savage, what OS do you have? Because after the Windows part my OS looks different than yours.
open Start, Run "regedit", hkey_localmachine->software->microsoft->windows->currentsettings->run

It says CurrentVersion, and all I see in Run is Optional Components. I have Win XP.
 

pooponastick

Member!
Joined
Jan 30, 2003
Messages
42
Reaction score
0
~Guide for getting rid of the BackDoor.NetDevil trojan by Pooponastick~

So, you've got infected by the BackDoor.NetDevil trojan? I've had the same problem. You can detect this trojan with the Norton Antivirus program. The trojan CAN cause bad damage to your system. I've researched stuff about it, and people have said the hacker that gave it to them could turn their monitors on/off, open and close the disc tray, and even take control of their mouse. Scary stuff. He/she can practically take control of everything. When BackDoor.NetDevil runs, it does the following:

It copies itself to the %system% folder. The file name may vary, but most likely it will copy itself to KERNEL32.DLL (which it did for me). It adds a value that refers to the dropped file to one of the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (look for the KERNEL32.DLL file)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

When the hacker creates a BackDoor.NetDevil server file, there are many functions that can be added:

-Display a fake error message to conceal its true nature.
-Choose the ports that are used by the backdoor to communicate with the hacker. By default, it uses port 901 for direct control, port 902 for communicating logged keystrokes, and port 903 for file transfer.
-Use different notification methods to send info to the hacker about the compromised computer.
-Attempt to kill running firewall and antivirus processes.

When the trojan runs, it allows the hacker to remotely take control over your computer and do the following:

-Obtain full control of the file system.
-Upload files to and download files from the host computer.
-Run files of the hacker's choice
-Kill running processes
-Display messages
-View the contents of the screen
-Log keystrokes
-Take control of your mouse, open and close the CD-ROM drive, turn the monitor on and off, and so on.

Steps on how to get rid of BackDoor.NetDevil

1. Update the virus definitions.
2. Run a full system scan to find the infected file(s).
3. Click Start, and click Run. Type Regedit and click OK. The Registry Editor opens. Navigate in turn to each of these keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

4. In the right pane for each key, delete the infected file you found with your antivirus program.
5. Exit and restart your computer.
6. Run a full system scan again, and if you find 0 infected files, you're good.

PM me for more questions, and thanks for your cooperation.

:cool: :cool: :cool:
~Pooponastick~
Please sticky this; I bet it will help a lot of people. Thank you.
 

Korittke

Member!
Joined
Dec 30, 2002
Messages
5,993
Reaction score
0
Good guide, but wrong section. Also there's a mistake:
"most likely it will copy itself to KERNEL32.DLL"
The file is named KERNEL32.DlI; in the Windows font it looks like two l's, but it's an L and an i.
Moved to somewhere, I dunno yet ^^
 

ivan-diablo2

Member!
Joined
Jul 10, 2003
Messages
16
Reaction score
0
I just installed The Cleaner!! I hope it's OK and with no viruses, because I am planning to use it as my main antivirus!! Also, do you know any good antiviruses for 64 RAM? I don't want to slow down my game!!!
 

LiveWire

Member
Joined
Jul 24, 2003
Messages
12
Reaction score
0
Uh, I got trojanned. How the **** am I supposed to delete it if it ****ing closes my antivirus constantly.... I'm gonna just ****ing reformat if everything else fails....
 

oneyedMan

Member!
Joined
Sep 30, 2002
Messages
1,406
Reaction score
0
Don't cry... Go to google.com and search for Trend cillin pc online... run the free online virus scanner and then post the name of the trojan.
 

RoaCh of DisCord

Premium Member
Joined
May 17, 2003
Messages
6,502
Reaction score
14
Since there are SO many stickies, and these two were very related, I decided to merge them. So yep...just clearing up a bit of space..:p
 

Some_Dumb_Guy

Member!
Joined
Sep 5, 2003
Messages
43
Reaction score
0
Location
some where over the....
Ummm, I am just wondering, but all those steps that you said didn't show the kernel.dll or anything in there, and I can't find where it is, and it won't let me delete it, which sucks, but just wondering, what should I do???
 

RoaCh of DisCord

Premium Member
Joined
May 17, 2003
Messages
6,502
Reaction score
14
No offense, but your typing is horribly hard to read.

Secondly... if you only have kernel.dll you're safe. Now if you have two that look alike... you have a trojan.

Basically, if It won't let you delete this file, you are probably trying to delete an important system file (kernel.dll). The file mentioned above is

kernel.dLI

notice the difference?

Anyway, If you only have one, you're fine.

If you believe you are infected... hold Control, press and hold Alt, then Delete. If you see kernel.dLI anywhere, end task it. If not, it isn't running and you're OK.

If you see it, once you have end-tasked it... you can now delete it. MAKE SURE YOU ARE TRYING TO DELETE kernel.dLI and not kernel.DLL
 
