"Deep in the sea are riches beyond compare.
But if you seek safety, it is on the shore."
What to do if you are attacked or hacked: Part Two
Net traffic
One very important thing to do is to run "netstat -an" from the command prompt (without the quotes). This will list ALL connections in and out of your computer. Naturally, before you do it, close all other programs (but not your firewall!) and connections. Check for ANYTHING that is marked as "Listening" or "Connected" and DOES NOT HAVE 0.0.0.0:0 as its IP address. There might be a couple of things that are "Listening" but are at IP 0.0.0.0:0, meaning that they are listening on your computer for your computer... this is a long thing to explain, so just IGNORE THEM, they are NOT trojans!!! If you spot something ELSE that is listening or connected, figure out what port it is using: for example, if the IP is 123.456.789.111:666, then the port used is 666 and the IP is 123.456.789.111. Whatever you discover here, write it down on a piece of paper for further reference.
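The triage rule above, as an added example that is not part of the original article: it parses "netstat -an" output, drops the 0.0.0.0:0 entries the text says to ignore, and splits the remaining remote addresses into IP and port. The sample output is constructed, not captured from a real machine.

```python
# Added example (not from the article): triage "netstat -an" output the way
# the page describes. The sample below is constructed, not captured.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.5:1035       198.51.100.20:80       ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# The page says entries at 0.0.0.0:0 are local listeners, not connections
# to an outside party, and are to be ignored; "*:*" is the UDP equivalent.
IGNORE_FOREIGN = {"0.0.0.0:0", "*:*"}


def split_endpoint(endpoint):
    """'203.0.113.9:6667' -> ('203.0.113.9', 6667); rsplit keeps IPv6 intact."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def triage_netstat(text):
    """Return (proto, remote_ip, remote_port, state) for every entry that is
    listening or connected to something other than 0.0.0.0:0, i.e. the
    entries the page tells you to write down on paper."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: Proto Local Foreign [State]; skip the rest.
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, foreign = parts[0], parts[2]
        state = parts[3] if len(parts) > 3 else "(none)"
        if foreign in IGNORE_FOREIGN:
            continue
        ip, port = split_endpoint(foreign)
        findings.append((proto, ip, port, state))
    return findings


if __name__ == "__main__":
    for proto, ip, port, state in triage_netstat(SAMPLE_NETSTAT):
        print(f"{proto} {state}: remote IP {ip}, port {port}")
```

On a real machine, feed it the output of `netstat -an` instead of the sample string; the two ESTABLISHED rows are what you would write down.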
Trojan inside?
The first thing to do after you have secured your connection is to run a full antivirus scan. Scan all files, inside compressed files, etc. etc., and make sure you have the latest virus definitions. If you don't, get them, but don't close your firewall; just open a small hole for the program that gets the updates and then disconnect again. If you are using FAT16 or FAT32 as your file system on all your partitions, then you might also consider running F-Prot for DOS. The point of running it is that you boot to DOS using a clean boot disk and then run F-Prot for DOS from there... this way it will be able to check and remove the viruses it discovers from all files, and you can be sure that IT has not been tampered with. Remember to check its settings too, so that it scans all files and compressed files and uses heuristics... and that it has the latest virus definitions installed! If the virus scan finds something, then it usually can fix it on the spot. If not, well... then we have a bigger problem. Another program to consider is Swat It, a free trojan/bot remover.
It's always a good idea to check your HDDs at least twice, using different antivirus programs. A paranoid person might check using three different antivirus programs and one antitrojan program. You can never be too careful with trojans. Remember that getting a clean result from antivirus/antitrojan program(s) does NOT mean you are clean! Not a chance! Most new trojans aren't detected even by the latest definition files of antivirus and antitrojan products! You can check my links section for links to antivirus and antitrojan programs.
If you are not sure whether a particular file is a trojan or not, try Google and see what comes up for that name. If you get results saying it's a trojan, then delete the damn file from your computer! If you can't do it (the file is in use), then 1) disconnect, 2) use Ctrl + Alt + Del to kill ALL programs, 3) try to delete it again. If you still can't delete it, then you need to boot to DOS (if you are running FAT16/32) and delete it from the command prompt. On an NTFS file system, you need to try other means, like booting from the Windows XP CD-ROM to the NTFS command prompt and deleting it from there. If you don't get more information about the file from the internet, then consider renaming it to something like xxx.old; that way you can restore it later if you notice it's not harmful. ANYTHING suspicious... use Google to check for more information about it. It WILL save you, your system administrators and others a LOT of time and effort.
If you are using the NTFS file system, please note that it is possible to hide a trojan inside "alternate data streams" so that it is practically impossible to detect. Only TDS-3 (not freeware) can look inside alternate data streams for trojans; if you don't have it as your antitrojan tool, then I suggest going to my "Windows2k/XP" page for more details and help on this issue.
Also, try running Ad-Aware (with recent signature files and proper settings, of course; DON'T use the default settings and default signature file or you will NOT find anything) and see what comes up. Remove what you can find; there is no reason to have spyware on your computer. Besides Ad-Aware, I recommend that you run Spybot, which is a fairly similar program.
Active programs
Check what processes you have running. You can do this with "Ctrl + Alt + Del" on Win95/98/ME and "Ctrl + Alt + Del" / "Task Manager" / "Processes" on WindowsNT/2000/XP. Check for anything strange like "backdoor.exe" or "app.exe" or "tool.exe", "service.exe", "help.exe", "system.exe", "windows.exe" or anything that has some lame name on it. It is very hard to spot what should be running and what not if you are not familiar with the programs. However, if you are, it's pretty easy to spot new programs and then locate them using the "Search" tool in Windows (and when you search, remember to set the options so that it actually searches ALL files on your system, not just visible files!). You can also check what programs have been changed by searching for programs that were last changed within a week or so and limiting your search to .exe files; this will hopefully tell you about possibly installed trojans. If you don't know what a particular file is, again, use Google to find out. It will save you a lot of time and trouble.
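The "last changed within a week, .exe files only, hidden files included" search described above, as an added example that is not part of the original article. It builds a constructed sample directory with back-dated files so it can run anywhere; the file names and ages are made up.

```python
# Added example (not from the article): list .exe files changed within the
# last week, the search the page suggests, without skipping hidden files.
import os
import tempfile
import time


def recent_executables(root, days=7, now=None):
    """Return relative paths (with '/' separators) of *.exe files under root
    whose modification time is within the last `days` days.  os.walk visits
    every file, so hidden files are included, unlike a default Windows search."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) >= cutoff:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree with back-dated files; returns (root, now)."""
    root = tempfile.mkdtemp(prefix="exe_search_")
    now = time.time()
    day = 86400
    samples = {                       # path -> age in days (constructed)
        "notepad.exe": 30,            # old, should not be reported
        "service.exe": 1,             # new .exe with a "lame name"
        ".hidden/help.exe": 2,        # new .exe inside a hidden directory
        "readme.txt": 1,              # new, but not an executable
    }
    for rel, age in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")           # just a stub, not a real program
        os.utime(path, (now - age * day, now - age * day))
    return root, now


if __name__ == "__main__":
    root, now = build_sample_tree()
    for rel in recent_executables(root, days=7, now=now):
        print("changed in the last week:", rel)
```

Point `recent_executables` at a drive root instead of the sample tree to run the real search; anything it lists that you do not recognise is what the page says to look up.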
Please note that some trojans can also "tap" into existing programs, so checking what programs are running does not necessarily spot the trojan! Some trojans can also be hidden so that they do not show in Ctrl + Alt + Del on Win95/98/ME. If you want to be sure what is running on your computer, you need a tool like What's Happening, which is freeware. It will show you every program and DLL that is running. The only program that you need to be running in Windows95/98/ME is explorer.exe. Others are stuff like antivirus, firewalls and such, so they "might be" needed, or then not. Please note that some trojans name themselves things like explore.exe or exporer.exe; if you find any such program running, terminate it, it is very likely that it is a trojan.
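The lookalike-name check from the paragraph above, as an added example that is not part of the original article: it flags process names that are one or two edits away from explorer.exe (explore.exe, exporer.exe) and names on the page's list of typical trojan names. The process list is constructed; `LEGITIMATE` and `LAME_NAMES` are assumptions taken from the text.

```python
# Added example (not from the article): flag running process names that are
# near-misses of explorer.exe (e.g. explore.exe, exporer.exe) or that match
# the "lame names" the page lists.  The process list below is constructed.
LEGITIMATE = {"explorer.exe"}
LAME_NAMES = {"backdoor.exe", "app.exe", "tool.exe", "service.exe",
              "help.exe", "system.exe", "windows.exe"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def suspicious_processes(names, max_dist=2):
    """Return (name, reason) pairs.  A name within max_dist edits of a
    legitimate name, but not equal to it, is a lookalike; a name on the
    page's list of typical trojan names is reported as such."""
    findings = []
    for name in names:
        lname = name.lower()
        if lname in LAME_NAMES:
            findings.append((name, "name on the suspicious list"))
            continue
        if lname in LEGITIMATE:
            continue
        for good in LEGITIMATE:
            if edit_distance(lname, good) <= max_dist:
                findings.append((name, f"looks like {good}"))
                break
    return findings


# Constructed sample of a Win9x task list; only explorer.exe is required.
SAMPLE_PROCESSES = ["explorer.exe", "exporer.exe", "explore.exe",
                    "avgserv.exe", "service.exe", "EXPLORER.EXE"]

if __name__ == "__main__":
    for name, reason in suspicious_processes(SAMPLE_PROCESSES):
        print(f"{name}: {reason}")
```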
-Markus Jansson