Detecting a trojan that your antivirus does not catch and that has slipped past your firewall is not always a trivial task. But it is not impossible: any action leaves traces in the system, and that is the whole principle of detecting a trojan. A warning up front: there are no quick and easy solutions in this article. There are also few links to programs, because there are many of them; you will have to look them up yourself, and not all of them will be useful to you. I will show how to find a trojan. Finding it is not the same as removing it.
How to detect a trojan? Check open ports.
If there is a trojan, it most likely needs to send something to its operator. For that it needs a channel, and the entrance to that channel is a port opened on your system, most likely one that nothing legitimate on the machine uses. So the task at this stage is simple: look carefully at the open ports, find the processes that own them, and see which addresses the data is sent to.
On Windows, in a hurry, the netstat command with the -an flags will help (add -o to get the PID of the owning process in the last column; if you reach the Internet through a NAT router the picture is a little less informative, but read to the end). Type it in the command console right now:
The Foreign Address column has the form IP address:port.
Third-party programs, however, give more detail. I personally use TCPView, CurrPorts and IceSword. The picture is not always objective: a process may lie low for a while, and there is no guarantee the port is open at this very moment, but it is still worth checking.
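The same check done in PowerShell, as an added example that is not part of the original article: each established or half-open TCP connection is joined to its owning process, the image path and the Authenticode status of that image. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that every process path is readable; the "suspicious" flag is a heuristic of this example, not a verdict.

```powershell
# Added example, not from the original article: the netstat check in PowerShell,
# joining each outbound TCP connection to its owning process, image path and
# Authenticode status. Assumes Windows 8 / Server 2012 or later and an elevated
# prompt so that every process path is readable.
function Get-OutboundConnection {
    [CmdletBinding()]
    param(
        # Peers to ignore: loopback, unspecified and link-local addresses leak nothing.
        [string[]]$IgnorePrefixes = @('127.', '::1', '0.0.0.0', '::', 'fe80:')
    )
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established, SynSent |
        Where-Object {
            $remote = $_.RemoteAddress
            -not ($IgnorePrefixes | Where-Object { $remote.StartsWith($_) })
        } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }
            # Protected system processes and processes that already exited report no
            # path; their signature status is reported as Unknown rather than guessed.
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                Local      = "$($_.LocalAddress):$($_.LocalPort)"
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                State      = $_.State
                PID        = $_.OwningProcess
                Process    = if ($p) { $p.ProcessName } else { '<exited>' }
                Path       = $path
                Signature  = $sig
                # Heuristic, not proof: an unsigned image, or one living in a
                # user-writable directory, talking to the outside deserves a closer look.
                Suspicious = ($sig -ne 'Valid') -or
                             ($path -match '\\(Temp|AppData|Users\\Public|ProgramData|Downloads)\\')
            }
        }
}

# Suspicious connections first. Add -State Listen to the query above to see open listeners too.
Get-OutboundConnection | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Like the tools named above, this only sees what the TCP/IP stack and the process list are willing to report: a kernel-mode rootkit that hides a process or a socket will not show up here, which is exactly why the article keeps saying to cross-check with more than one tool.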
How to detect a trojan? Check running processes.
A trojan is quite capable of disguising itself as a legitimate process or even a Windows service. Trojans often show up in Task Manager as a process with a name like hgf743tgfo3yrg_and_what_to_there_else_.exe; writing such a trojan is about as hard as going to the shop. A trojan can also infect a process by loading together with a Windows process and parasitising on it. There is only one way out: special programs for scanning running processes. One option is What's Running. At different times I have had to use several utilities that worked equally well; here is the list, take a closer look:
In general, look at the process list in Task Manager more often.
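Eyeballing Task Manager does not scale, so here is an added example (not code from the original article) that triages the process list automatically. It flags executables that are unsigned, that run from user-writable directories, or that carry the name of a core Windows binary while living outside %SystemRoot%\System32, and it notes an svchost.exe whose parent is not services.exe. The list of impersonated names and the path patterns are this example's own assumptions; run it elevated so that all image paths are visible.

```powershell
# Added example, not from the original article: triage the running process list
# instead of eyeballing Task Manager. Run elevated. A kernel-mode rootkit can
# still hide processes from this API, the limitation the article warns about.
function Get-SuspectProcess {
    $systemRoot = $env:SystemRoot
    # Names that malware commonly impersonates (assumption: not an exhaustive list).
    $coreNames = 'svchost.exe','lsass.exe','csrss.exe','winlogon.exe','explorer.exe','services.exe','smss.exe'
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    foreach ($p in $byPid.Values) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }   # System, Idle, or access denied: nothing to check on disk
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
        $parent    = $byPid[[int]$p.ParentProcessId]
        $reasons   = @()
        if ($sigStatus -ne 'Valid') { $reasons += "signature:$sigStatus" }
        if ($path -match '\\(Temp|AppData|Users\\Public|ProgramData|Downloads)\\') { $reasons += 'user-writable path' }
        # Core names normally live in System32 (explorer.exe sits in the Windows root).
        if ($coreNames -contains $p.Name -and
            $path -notlike "$systemRoot\System32\*" -and
            $path -notlike "$systemRoot\explorer.exe") {
            $reasons += 'core name outside System32'
        }
        # Genuine svchost.exe instances are started by services.exe.
        if ($p.Name -eq 'svchost.exe' -and $parent -and $parent.Name -ne 'services.exe') {
            $reasons += "svchost parent is $($parent.Name)"
        }
        if ($reasons) {
            [pscustomobject]@{
                PID         = $p.ProcessId
                Name        = $p.Name
                Path        = $path
                Parent      = if ($parent) { $parent.Name } else { '?' }
                CommandLine = $p.CommandLine
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspectProcess | Format-List
```

Expect some legitimate hits (vendor software that runs unsigned from ProgramData is common); the point is that the list to inspect by hand shrinks from hundreds of processes to a handful, each with a stated reason.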
How to detect a trojan? Check the registry.
What is the first thing a trojan does? It needs to start, and Windows has several places and settings for that, all of which are reflected in the registry. Windows automatically executes the instructions stored under these registry keys:
So by scanning these registry keys and sections for suspicious entries you can detect a trojan infection: the trojan inserts its own instructions there in order to get itself launched. There are also many utilities for checking the registry, for example:
How to detect a trojan? It may be in device drivers.
Trojans are often loaded under the guise of driver downloads for some device and then use that device as cover. Obscure "drivers for download" sites on the net are guilty of this. Sound familiar? The system often warns that the driver has no digital signature, and not without reason.
So do not rush to install what you downloaded from the net and do not believe your eyes: trust only official sources. Utilities offered for monitoring drivers include:
- Driver Detective
- Unknown Device
How to detect a trojan? Services.
A trojan can start Windows system services of its own, giving the attacker control of the machine. To avoid detection by the antivirus it takes the name of a legitimate service process. Rootkit techniques are used to manipulate the registry key, which unfortunately has places to hide:
So we need to stock up on utilities for monitoring running services. These are:
- Smart utility
- Process Hacker
- Netwrix Service Monitor
- Service Manager Plus
- AnVir Task Manager and others
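The built-in driverquery /si command already lists drivers with their signing status; the following added example (not from the original article, and not the output of any tool named above) goes a step further for both the drivers section and the services section: it takes every driver and service from WMI, resolves the image each one points at, and reports unsigned or missing images, images outside the Windows and Program Files trees, and svchost-hosted services without a -k group. Those three rules are this example's own heuristics, not a definition of malice. Run it elevated.

```powershell
# Added example, not from the original article: inventory kernel drivers and
# services from WMI and check the binary each one points at. A rootkit that hooks
# the service table can still hide entries from this view, which is why the
# article also suggests cross-checking with third-party tools.
function Resolve-ImagePath {
    param([string]$PathName)
    # Normalise kernel-style prefixes: \??\C:\..., \SystemRoot\..., system32\drivers\...
    $raw = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot -replace '^system32\\', "$env:SystemRoot\System32\"
    if ($raw -match '^"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    # Unquoted path, possibly with spaces and arguments: grow the prefix word by word
    # until something exists on disk, which is roughly how the loader resolves it.
    $parts = $raw -split ' '
    for ($n = 1; $n -le $parts.Count; $n++) {
        $cand = [Environment]::ExpandEnvironmentVariables(($parts[0..($n - 1)] -join ' '))
        if (Test-Path -LiteralPath $cand -PathType Leaf) { return $cand }
    }
    return [Environment]::ExpandEnvironmentVariables($parts[0])
}

function Get-SuspectServiceOrDriver {
    $items = @(
        Get-CimInstance Win32_SystemDriver | Select-Object @{n='Kind';e={'Driver'}}, Name, State, StartMode, PathName
        Get-CimInstance Win32_Service      | Select-Object @{n='Kind';e={'Service'}}, Name, State, StartMode, PathName
    )
    foreach ($i in $items) {
        if (-not $i.PathName) { continue }
        $exe    = Resolve-ImagePath $i.PathName
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        $reasons = @()
        if ($sig -ne 'Valid') { $reasons += "signature:$sig" }
        if ($exe -notlike "$env:SystemRoot\*" -and
            $exe -notlike "$env:ProgramFiles\*" -and
            $exe -notlike "${env:ProgramFiles(x86)}\*") {
            $reasons += 'image outside Windows/Program Files'
        }
        # Real shared-service hosts are started as "svchost.exe -k <group>".
        if ($i.Kind -eq 'Service' -and $i.PathName -match 'svchost\.exe' -and $i.PathName -notmatch '-k\s+\S+') {
            $reasons += 'svchost service without -k group'
        }
        if ($reasons) {
            [pscustomobject]@{
                Kind = $i.Kind; Name = $i.Name; State = $i.State; StartMode = $i.StartMode
                Image = $exe; Signature = $sig; Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspectServiceOrDriver | Sort-Object Kind, Name | Format-Table -AutoSize
```

The word-by-word resolution in Resolve-ImagePath matters because an unquoted service path with spaces is itself a classic weakness: if the resolver stops at the first existing file, that is the binary the service manager will actually run, which may not be the one the vendor intended.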
How to detect a trojan? Is it at startup?
What do we mean by startup? No, this is not only the list of entries in the folder of that name; that would be too simple. First of all it is the following parts of Windows:
- the full list of Windows services, shown by the console of the same name. Quick way to open it: Run (WIN + R), then services.msc. Open it, sort by Startup Type and look carefully at every service set to Automatic.
- the folder of automatically loaded drivers, the well-known C:\Windows\System32\drivers (there were times when I checked each driver by hand)
- anything can happen, so check the boot configuration (the BCD store that bootmgr reads on Vista and later, boot.ini on Windows XP) for foreign entries. The easiest way is the System Configuration utility: WIN + R, msconfig, Boot tab (BOOT.INI tab on XP)
- and since you are here, go to the tab of programs loaded at logon. On the Startup tab we usually look for programs that slow down boot, but a trojan can be found there too (from Windows 8 onward this list lives on the Startup tab of Task Manager instead).
(Screenshot: msconfig on Windows XP; almost unchanged in other versions.)
(Screenshot: the System Configuration window on Windows 7.)
- and now check the Startup folder (make sure Explorer is set to show hidden files and protected operating system files as well):
This is not a complete list of locations. If you want to know more about programs that run with Windows, see the article "Dangerous registry branches". Among the utilities for monitoring startup locations:
- Security autorun
- Startup tracker
- Program starter
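For the registry section and the startup section above, here is one added example (not code from the original article or from any of the utilities listed) that inventories the common autostart locations in PowerShell: the Run and RunOnce keys of both hives (plus the 32-bit view on 64-bit Windows) and both Startup folders. Each entry is resolved to an executable and reported with whether the file exists, when it was last modified and whether it is validly signed. The key list is this example's own; scheduled tasks, services and WMI subscriptions are further autostart points it does not cover.

```powershell
# Added example, not from the original article: an inventory of Run/RunOnce keys
# and Startup folders, resolved to executables with existence, mtime and
# signature status. Entries launched through rundll32, regsvr32 or cmd.exe are
# reported by their host binary and still need a manual look.
function Get-AutostartEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
    )
    $entries = @(
        foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
                [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
            }
        }
        foreach ($dir in $folders) {
            Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
            }
        }
    )
    foreach ($e in $entries) {
        # Take the executable out of a command line: "C:\x\a.exe" /flag or C:\x\a.exe /flag.
        $exe = if ($e.Command -match '^"([^"]+)"')      { $Matches[1] }
               elseif ($e.Command -match '^(\S+\.exe)') { $Matches[1] }
               else { $e.Command }
        $exe    = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        [pscustomobject]@{
            Source     = $e.Source
            Name       = $e.Name
            Executable = $exe
            Exists     = $exists
            Modified   = if ($exists) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
            Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        }
    }
}

# Grouping by signature status puts unsigned and missing targets together for review.
Get-AutostartEntry | Sort-Object Signature, Source | Format-Table -AutoSize
```

A "Missing" target is worth a second look as well: an autostart entry whose file has vanished is either leftover junk from an uninstall or a trojan that has been cleaned up only partially.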
How to detect a trojan? Check for suspicious folders.
It is common for a trojan to modify system folders and files. There are several ways to check for this:
- FCIV, Microsoft's command-line utility for computing MD5 or SHA-1 file hashes (both algorithms are broken for collision resistance, so prefer SHA-256 where the tool gives you the choice)
- sigverif (File Signature Verification), which checks that critical Microsoft files carry a valid digital signature
- Tripwire, which scans for and reports changes to critical Windows files
- MD5 Checksum Verifier
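What these tools have in common is a baseline-and-compare loop. As an added example (not code from the original article or from any of the tools above), here it is in PowerShell using the built-in Get-FileHash with SHA-256: take a hash baseline of a directory on a machine you trust, store it off the box, and later diff the live tree against it to get added, removed and modified files. The JSON layout and the default file filter are this example's own choices.

```powershell
# Added example, not from the original article: a minimal Tripwire-style baseline
# and compare with SHA-256. Keep the baseline file somewhere the machine under
# suspicion cannot rewrite it, or a trojan can "fix" the baseline too.
function New-FileBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,          # directory to snapshot
        [Parameter(Mandatory)][string]$BaselineFile,  # JSON file to write
        [string[]]$Include = '*.exe','*.dll','*.sys'  # assumption: executables only
    )
    $entries = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.FullName
                Hash  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Size  = $_.Length
                MTime = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    $entries | ConvertTo-Json -Depth 2 | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
    return $entries.Count
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile,
        [string[]]$Include = '*.exe','*.dll','*.sys'
    )
    $old = @{}
    foreach ($e in (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) { $old[$e.Path] = $e }
    $seen = @{}
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue | ForEach-Object {
        $seen[$_.FullName] = $true
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        if (-not $old.ContainsKey($_.FullName)) {
            [pscustomobject]@{ Change = 'Added';    Path = $_.FullName; Old = $null;                  New = $hash }
        } elseif ($old[$_.FullName].Hash -ne $hash) {
            [pscustomobject]@{ Change = 'Modified'; Path = $_.FullName; Old = $old[$_.FullName].Hash; New = $hash }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $p; Old = $old[$p].Hash; New = $null }
        }
    }
}

# Usage (paths are examples):
#   New-FileBaseline     -Path "$env:SystemRoot\System32" -BaselineFile D:\baseline\system32.json
#   ... after the next Windows update, or when the machine starts behaving oddly ...
#   Compare-FileBaseline -Path "$env:SystemRoot\System32" -BaselineFile D:\baseline\system32.json | Format-Table
```

Windows Update legitimately changes many files under System32, so expect a long "Modified" list after patching; the useful signal is a change that does not line up with a patch day, or an "Added" file in a system directory that the autostart inventory also references.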
How to detect a trojan? Check network activity of applications
A trojan makes no sense unless it generates network activity. To see what information is leaking out of the system, use network scanners and packet sniffers to watch for traffic going to suspicious addresses. Capsa Network Analyzer is a good tool here; its intuitive engine presents detailed information that lets you check whether a trojan is active on your computer.
To understand how to tell that a computer is infected, you need to understand the types of malware and how they interact with the system.
Unfortunately, malware has improved along with technology. Viruses have compromised entire government systems protected by dedicated measures; even such defences cannot withstand some of the "villains".
Malware differs in its distribution methods and functionality. Earlier it could only be picked up from storage media such as floppy disks; now most of it reaches our PCs over the Internet.
There is no standardized classification of viruses, since their characteristics are sometimes ambiguous, so assigning them to a group is not easy.
Some programs affect particular areas of the system: viruses can target files, boot sectors, source code, scripts and so on.
There is also a classification by infection mechanism. For example, some "pests" append themselves to an executable file, others corrupt a document beyond repair, and others "live" separately from everything else while constantly affecting the system.
Further, malware can be divided by the operating system it targets: there have long been specialized viruses for Windows, Android, iOS, Linux and others.
There are virtual "cybercriminals" that use special techniques inside your system, so that it becomes difficult even to tell that the computer is infected.
Specialists also classify viruses by the language they were written in. And there is software that uses additional functions of the system: it can spy, collect information, record user actions and so on.
Notifications may warn you that the computer is infected. What should you do in that case?
Of course, the popular antivirus programs have long been the main helpers. But recent malware has become so advanced that security programs may not be able to handle everything. So it is important to follow some recommendations in order not to catch the virus in the first place and have to work out afterwards whether the computer is infected.
Try not to use privileged accounts unnecessarily; this means a Windows administrator-type account. If malware gets its rights, you can say goodbye to all your data and to the system as a whole.
Remember that running suspicious, little-known programs from untrusted sources also leads to infection. Be wary if the system tries to modify its own files of its own accord.
It is also worth disabling potentially dangerous functionality of the system. Avoid unknown sites and watch the address bar. Use trusted distributions.
If you often work with important data, keep it on an external drive or make backups. You can also capture a full system image for redeployment.
Signs of infection
The main sign of infection is an increase in outgoing Internet traffic; this holds for individual users and corporate networks alike. If there is outgoing activity when nobody is using the Internet (at night, for example), someone else is generating it, most likely for malicious purposes. If a firewall is installed, attempts by unknown applications to open Internet connections can be an infection signal. Numerous advertising pop-ups when visiting websites can signal that adware is present in the system.
Frequent freezes and malfunctions can also be caused by infection, although in many cases the cause is hardware or software, not a virus. If similar symptoms appear on several (many) computers on the network at once and network traffic rises sharply, the cause is most likely a network worm or trojan backdoor spreading across the network.
Indirect signs of infection can also come from outside the computer, for example bills for phone calls or SMS messages that were never made. This may indicate a "telephone trojan" on the computer or the mobile phone. Unauthorized access to a personal bank account or fraudulent use of a credit card may signal spyware that has been introduced into the system.
The antivirus database may simply be outdated: download the latest updates and rescan. If that does not help, antivirus products from other vendors may. Most well-known antivirus companies release free versions of their products (trials or one-off "cleaners"); it is worth using them. If another product detects a virus or trojan, send the infected file to the vendor of the antivirus that missed it; this helps get it into updates faster and protects that product's other users.
If nothing is found, then before hunting for the infected file, physically disconnect the computer from the Internet and the local network, and switch off the Wi-Fi adapter and modem (if any). Afterwards use the network only when absolutely necessary. Do not use Internet payment systems or online banking. Avoid personal and any confidential data, and do not use Internet services that require a username and password.
Why do trojans spread at all?
If hackers write small harmless viruses simply for entertainment, trojans usually take a lot of development time and serve very specific purposes. They settle firmly in your computer and begin transferring your personal data to their "owner".
For example, a trojan can intercept your personal correspondence, capture passwords for Internet banking or an e-wallet, copy chats from any desktop messenger, and spy on your work.
One popular trojan is WindowsLocker, which blocks the desktop and demands that a tidy sum be transferred to the hackers' account or a paid SMS be sent.
You can catch a trojan almost anywhere. On a social network, for instance, a friend's account may be hijacked and used to send a link with text like "Hi, look what I found!". You naturally assume your friend wants to show you something interesting, open the link, and at that moment the computer is infected.
You can also catch a trojan on any site when downloading files: programs, music, documents. So always use only trusted, official sources.
How to protect your computer from a trojan?
- First, whenever possible, do not work under an administrator account.
- Second, if you keep important or confidential information on the computer, work with files in a file manager that also shows hidden files and folders.
- Third, use an antivirus. Always, without exception.
A regular free antivirus can detect almost any trojan. True, sometimes the malware blocks the antivirus as soon as it gets onto the PC; in that case you will need additional software.
Note right away that the removal of trojans and worms often cannot be completed without the help of a specialist.
These programs are so deeply rooted in the system that without solid experience in detecting and cleaning trojans it is hard to get rid of them on your own.
Removing trojans is far from always easy. Malware usually settles deep in the computer, alters code and anchors itself firmly on the device, so eradicating it can be a real problem. But there are no unsolvable problems: the vast majority of malware can be eliminated one way or another. How?
To answer the question of how to remove a trojan, consider how antivirus software works. The principle is roughly the same for all such programs; the differences are in the details:
- the interface,
- the set of functions,
- the malware search algorithm,
- the databases, etc.
How to check if there is a win32 trojan on a computer?
To determine whether there is an "infection" on the computer and then remove the trojan, first install the antivirus program and enter the license key if it is a paid product. Then launch it and a menu appears.
Next, select the menu item offering to scan the computer for viruses. As a rule every antivirus has two: a quick scan (short, but superficial) and a full scan (long, but every file and folder is examined).
When a removable hard disk or flash drive is connected, the program also offers to scan it. In that case only the portable device is checked; the computer itself is not touched.
When the antivirus finishes, it shows the results and suggests what to do with the files it considers a threat to user data or to the correct operation of the device. The options are:
- remove the trojan,
- move the malicious file to quarantine.
The vast majority of antiviruses work by this algorithm; only the interface differs, so it is only a matter of finding where the commands are. Note, however, that no antivirus gives one hundred percent protection or guarantees detection of such software. So if the computer has caught a trojan, cleaning it with one program alone is usually not enough; professionals use additional utilities for more reliable detection.
How to get rid of a trojan?
So, suppose the antivirus has found viruses on your computer and offers to clean out the trojans. Of course you can try to remove the program or file with your regular antivirus. However, when you run "delete" or even "quarantine" you may well hit a system error.
That means the virus is hiding and does not want to leave your computer so easily. In such cases you need to resort to special programs.
For example, Trojan Remover may help. It is an excellent program that has rescued more than a million people from trojans. The utility is quite powerful but has drawbacks: first, it is only available in English, and second, it is paid. It does, however, have a free 30-day trial, which is quite enough time to clean out all the trojans.
Despite its powerful functionality, Trojan Remover is very small, only about 12 MB. Download and install it, clicking "Next" through the installer. A window will appear where you should tick "Check for updates"; the computer must be connected to the Internet for this.
Click Update to download the updates. The program is now ready. Run it, click Continue and select Scan; the computer will be checked for trojans.
If the program does detect serious viruses, it will report them and offer to remove them.
Each time the device starts, the software will check it automatically, examining the most important and weakest points of the OS. If you choose to disinfect or delete files, the computer will most likely restart, so save all important data and close the browser before starting the check and deletion.
Another program that can remove a system trojan is SUPERAntiSpyware. Its main advantage is that the full functionality is free. Download the program from the official site and run the file. Express Install is the fastest, but nothing in the settings will change there, so Custom Install is the better choice.
Installation is very simple. At the end a window offers the professional version; decline it. Now run the program and update it via the Check for Updates menu. Wait until the database update completes, then close the window.
For a full system scan click Complete Scan, tick Enable Rescue Scan, then click Scan your Computer and confirm.
Checking a PC for trojans takes quite a while: a 64 GB solid-state drive, for example, takes about 15 minutes. At the end you see the results with all detected problems flagged. If you do not recognize a flagged file or program, quarantine it rather than deleting it outright, so that it can be restored if it turns out to be legitimate. Click Remove Threats; after removal completes the computer reboots, and the cleanup is done.
Trojans can also be detected and removed with Spyware Terminator. Its main advantage is Russian-language support.
Download the program and perform a normal installation. You will be offered the "best protection"; just click OK to skip this step.
After installation the main window appears. To start detection and cleaning, open the Scan tab and select Full Scan. If the program finds something, click Delete. The program usually asks you to close all browsers before removal.
In this article we have looked at the main ways of cleaning a computer of trojans. The more you know about the problem, the harder it is for trojans to get in.
Below we give the main points in protecting your computer from any malware.
- Do not open links that look suspicious, even if friends sent them: the attacker may have taken over your friend's account. Ask the friend about the link they supposedly sent; if they did not send it, tell them to change their password, and of course do not open it.
- Install an antivirus. It can be a free one; the main thing is that it keeps its virus databases updated. So do not disable updates, and run scans manually from time to time.
- Do not ignore the notifications the antivirus sends you. If the program says a site should not be trusted, listen.
- Turn on the display of hidden files in Explorer, or use a file manager that shows them.
- Turn on the display of file extensions, so that a file named photo.jpg.exe is seen for what it is.
- Do not open the contents of disks and flash drives without an antivirus check. Hidden or system files on removable media that you did not put there deserve suspicion; do not open them.
If the computer seems unstable, run a full antivirus scan. If you download files whose purpose you do not know, check them with the antivirus too.
What if the programs do not help?
It is quite common that trojans cannot be removed even with special programs: they simply stay in place after repeated removal. Then there are only two options:
- try to find the file's location manually and delete it with Shift + Del
- take the PC to a service center for diagnosis and cleaning.
Remember that a trojan is a serious threat that not only interferes with the computer but can do real harm:
- intercept personal information
- help hackers reach your e-wallet or bank card
- copy important documents, up to scans of passports, and send them to the "owner".
So if the computer seems to be misbehaving and the antivirus keeps reporting threats in the system, it is better to hand the computer to professionals.
The system is in danger
Many people wonder how to tell whether the computer is infected. The answer is simple: you will probably guess that something is wrong with the system from the existing signs.
The warning signs are:
- Unexpected messages or images appearing on screen.
- Sounds played at random moments.
- Programs launching by themselves.
- Some utilities connecting to the Internet without your knowledge.
- Strange messages (spam) sent from your email address to your friends.
- System freezes or slowdowns.
- Huge numbers of system errors and notifications.
- Inability to boot the system.
- Disappearance of personal data: files, folders and archives.
- Incorrect browser behaviour.
Of course, these are far from all the signs of infection. There are many variations, from large pornographic banners to the PC shutting down entirely.
What to do if the computer is infected? If you have determined that a "worm" has settled in the system, take a series of actions immediately.
Immediately stop using bank payments and e-wallets. Do not log in to any important accounts or financial systems.
If the PC has no antivirus, use at least an online scanner, so you can quickly scan the system and find out what "surprises" are hidden there.
It is best to turn off the Internet and the local network, so the virus cannot "call" for help or "hide" on the Web for a while. If the antivirus finds malware, it decides automatically what to do with it: remove it immediately or quarantine it.
Often some security programs cannot cope with such problems and others have to be installed, which in turn is also not entirely safe. So make sure an antivirus "settles" on the computer permanently. If it gets in the way of your work you can turn it off temporarily, but it is the thing that knows how to tell whether your computer is infected.
If no option has helped, it is time for decisive action.
Of course, if you do not understand computers at all, it is better to call a technician straight away to "treat" your PC. If you have at least superficial knowledge of the system, you can try to find the virus file yourself, but only if you are dealing with an ordinary worm or trojan.
If you realise that it is a complex malicious program that is not easily pulled out of the system, try third-party programs. In some cases you will need to connect the HDD to another PC or boot the system from a disk.
Viruses are a nuisance that has probably happened to every user. Attackers around the world try to steal personal data or simply play tricks on inexperienced users.
If you are facing a simple malicious file, the antivirus will most likely find it and disinfect or remove it on its own.
If you have caught a trojan or a worm, you can deal with it yourself by looking for it in the system files or the root directory. To find it, use any file manager that can sort all files in the system by date.
If a real "villain" has got into the system, only real specialists can cope with it; they will help not only remove it from the PC but also save your personal data. If the documents are not important to you, or there is nothing on the computer, you can simply reinstall the operating system.
How to find an infected file
Detecting a virus or trojan on a computer can be a difficult task requiring high qualification, or it can be quite trivial, depending on the complexity of the malware and on the methods used to hide the malicious code in the system. In "severe cases", when special techniques are used to mask and hide the infected code (rootkit technology, for example), a lay person cannot find the infected file. That task needs special utilities, and possibly connecting the hard drive to another computer or booting the system from a CD. If you are dealing with an ordinary worm or trojan, you can sometimes find it in fairly simple ways.
The vast majority of worms and trojans need to gain control at system startup. In most cases two main methods are used:
- writing a reference to the infected file into the autorun keys of the Windows registry,
- copying the file into the Windows startup directory.
The most "popular" startup directories in Windows 2000 and XP are:
- \Documents and Settings\%user name%\Start Menu\Programs\Startup
- \Documents and Settings\All Users\Start Menu\Programs\Startup
If suspicious files are found in these directories, send them to the antivirus vendor immediately with a description of the problem.
There are many startup keys in the registry; the most "popular" are the Run, RunOnce, RunServices and RunServicesOnce keys under the registry branches:
Most likely several values with telling names and paths to the corresponding files will be found there. Pay particular attention to files located in the Windows system or root directory. Remember their names; this is useful in further analysis.
An entry under the following key is also "popular":
By default this key contains the value "%1" %*.
The most convenient place for worms and trojans to live is the system directories (system, system32) and the Windows root directory. First, Explorer hides the contents of these directories by default; second, they already contain a great many system files whose purpose is completely unknown to the average user, and even an experienced user finds it hard to tell whether a file called winkrnl386.exe is part of the operating system or something foreign.
Use any file manager that can sort files by creation and modification date, and sort the files in those directories. All recently created and modified files then appear at the top of the listing, and these are the ones of interest. If any of them were already seen in the startup keys, that is the first alarm bell.
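The "sort by date and cross-check against the startup keys" procedure above, as an added example in PowerShell (not code from the original article): it lists files in the Windows root and System32 created or modified in the last N days, reports the signature status of each, and marks those whose name also appears in a Run or RunOnce value, which is the "first alarm bell" just described. It assumes Windows Vista or later (the Documents and Settings layout above is Windows 2000/XP) and the key list is this example's own.

```powershell
# Added example, not from the original article: recently created or modified
# files in the Windows root and System32, with signature status, cross-checked
# against Run/RunOnce values. Assumes Windows Vista or later.
function Get-RecentSystemFile {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $dirs  = @("$env:SystemRoot", "$env:SystemRoot\System32")
    # Every command line referenced from the common Run keys of both hives.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $autostart = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath and friends
                ForEach-Object { [string]$_.Value }
        }
    }
    foreach ($dir in $dirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
            ForEach-Object {
                $name = $_.Name
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Modified  = $_.LastWriteTime
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                    # True when some Run/RunOnce value mentions this file name: the alarm bell.
                    InRunKey  = [bool]($autostart | Where-Object { $_ -match [regex]::Escape($name) })
                }
            }
    }
}

# Files referenced from a Run key come first, newest first within each group.
Get-RecentSystemFile -Days 7 | Sort-Object InRunKey, Modified -Descending | Format-Table -AutoSize
```

Timestamps are easy for malware to forge (a dropper can copy the dates of a neighbouring system file), so treat an old-looking date as no evidence either way; the signature status and the Run-key reference are the harder facts in this listing.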
More experienced users can also check open network ports with the standard netstat utility. It is also recommended to install a firewall and check which processes generate network activity, and to check the list of active processes with specialized utilities that have advanced features rather than with the standard Windows tools, since many trojans hide successfully from the regular Windows utilities.