Recovering from a Trojan Horse or Virus
Posted: 2005-09-06 14:41:10
Summary: Recovering from a virus, rootkit, or Trojan horse can be difficult; here are some tips to help you out.

It can happen to anyone. Considering the vast number of viruses and Trojan horses traversing the Internet at any given moment, it's amazing it doesn't happen to everyone. Hindsight may dictate that you could have done a better job of protecting yourself, but that does little to help you out of your current predicament. Once you know that your machine is infected with a Trojan horse or virus, what can you do?

If you know which specific malicious program has infected your computer, you can visit one of several anti-virus web sites and download a removal tool. Chances are, however, that you will not be able to identify the specific program, or that the removal tool will not actually remove it. Unfortunately your other choices are limited, but the following steps may help save your computer and your files.

1. Call IT support
If you have a Technical Liaison (TL) or an IT support department/person at your disposal, notify them immediately and follow their instructions. If you do not, please contact the KU Help Desk at 785-864-0200.
2. Disconnect your computer from the Internet
Depending on what type of Trojan horse or virus you have, intruders may have access to your personal information and may even be using your computer to attack other computers. You can stop this activity by turning off your Internet connection. The best way to accomplish this is to physically disconnect your cable or phone line, but you can also simply "disable" your network connection. We recommend that you NOT disconnect the power or turn off the computer as this may prevent you from recovering your files and may destroy evidence.
3. Back up your important files
At this point it is a good idea to take the time to back up your files. If possible, gather your photos, documents, Internet favorites, etc., and burn them onto a CD or copy them to other storage (an external drive or a file server). Back up data only, not programs; programs should be reinstalled from their original media later. It is vital to note that these files cannot be trusted since they are still potentially infected: do not open or run them, and do not connect the backup medium to another computer, until they have been scanned in Step 6.
4. Install an anti-virus program and scan your machine

Since your computer is infected with an unknown malicious program, it is safest to install an anti-virus program from an uncontaminated source such as a CD-ROM. You can purchase the software at your local computer or electronics store, or download it on a known-clean computer and burn it to a CD. There are many to choose from, but all of them should provide the tools you need. Keep in mind that a scanner running inside the infected operating system can be hidden from by a rootkit; if the vendor provides a bootable rescue CD, scanning from it is more reliable than scanning from the running system.

After you install the software, complete a scan of your machine. The initial scan will hopefully identify the malicious program(s). Ideally, the anti-virus program will even offer to remove the malicious files from your computer; follow the advice or instructions you are given.

If the anti-virus software successfully locates and removes the malicious files, be sure to follow the precautionary steps in Step 7 to prevent another infection. In the unfortunate event that the anti-virus software cannot locate or remove the malicious program, you will have to follow the next steps.

KU offers Sophos Anti-Virus to all students, staff, and faculty at no charge.

5. Reinstall your operating system

If the previous step failed to clean your computer, the only remaining option is to reformat the hard drive and reinstall the operating system from original installation media. Reinstalling over the existing installation without formatting can leave backdoors in place. Although this corrective action will also result in the loss of all your programs and files, it is the most reliable way to ensure your computer is free from backdoors and intruder modifications. Before conducting the reinstall, make a note of all your programs, product keys, and settings so that you can return your computer to its original condition.

It is vital that you also reinstall your anti-virus software and apply any patches that may be available before you reconnect to the network/Internet. A freshly installed system is usually missing years of patches, so keep it disconnected or behind a firewall until they are applied; the US-CERT article "Before You Connect a New Computer to the Internet" listed below describes how to do this safely.

6. Restore your files
If you made a backup CD in Step 3, you can now restore your files. Before placing the files back in directories on your computer, scan them with your anti-virus software (with its signatures updated) to ensure they are not infected. Restore only data files; reinstall programs from their original media rather than from the backup, since an executable copied off the infected machine cannot be trusted.
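Steps 3 and 6 together amount to a small procedure: copy data off the infected machine, record what was copied, and later put back only what can be trusted. The script below is an added example, not part of the original article or of any KU or US-CERT tool. It assumes the user's data lives under one source directory and that the backup target is a directory on removable storage. It writes a SHA-256 manifest at backup time so that anything altered on the backup medium afterwards is detected on restore, refuses files whose content carries a DOS/Windows executable header regardless of their file name, and accepts an optional scanner callback so a real anti-virus scan can be wired in. The file names, the `EXECUTABLE_MAGIC` list and the sample files in `demo()` are constructed for illustration.

```python
"""Backup (Step 3) and restore (Step 6) helper with an integrity manifest.

Added example, not part of the original article or of any KU/US-CERT tool.
Assumes one source directory of user data and a backup directory on
removable storage.  It does not replace an anti-virus scan.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "backup_manifest.json"
# DOS/Windows executables (.exe, .dll, .scr, ...) start with "MZ" whatever
# their extension says.  Hypothetical list: extend with other magic bytes
# you do not want carried onto the clean system.
EXECUTABLE_MAGIC = (b"MZ",)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(src: Path, dst: Path) -> dict:
    """Copy every regular file under src to dst and record its SHA-256.

    The manifest shows later which bytes came off the infected machine;
    a file that no longer matches it on restore was altered after backup.
    """
    manifest = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            p = Path(root) / name
            rel = p.relative_to(src).as_posix()
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_of(target)
    (dst / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def looks_executable(path: Path) -> bool:
    """Judge by content, not by name: a dropper can be called photo.jpg."""
    with path.open("rb") as f:
        head = f.read(2)
    return any(head.startswith(m) for m in EXECUTABLE_MAGIC)

def restore(backup_dir: Path, dest: Path, scanner=None) -> dict:
    """Copy files from backup_dir into dest, skipping anything untrusted.

    scanner is an optional callable(path) -> bool, True when the file is
    clean, so the anti-virus scan from Step 6 can be wired in.  Returns a
    map of relative path -> "restored" or the reason it was skipped.
    """
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    result = {}
    for rel, expected in manifest.items():
        src = backup_dir / rel
        if not src.is_file():
            result[rel] = "missing"
        elif sha256_of(src) != expected:
            result[rel] = "hash mismatch"      # altered after backup
        elif looks_executable(src):
            result[rel] = "executable"         # reinstall programs from original media
        elif scanner is not None and not scanner(src):
            result[rel] = "flagged by scanner"
        else:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)
            result[rel] = "restored"
    return result

def demo() -> dict:
    """Run backup then restore over constructed sample files (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, clean = Path(tmp, "infected"), Path(tmp, "usb"), Path(tmp, "clean")
        (src / "Pictures").mkdir(parents=True)
        (src / "Pictures" / "beach.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
        # A dropped executable hiding behind an image extension.
        (src / "Pictures" / "funny.jpg").write_bytes(b"MZ\x90\x00" + b"\0" * 32)
        (src / "notes.txt").write_text("grocery list\n")
        (src / "invoice.doc").write_text("plain text standing in for a document\n")
        backup(src, bak)
        # Simulate the backup medium being modified after the manifest was written.
        (bak / "notes.txt").write_text("grocery list\nrun me\n")
        # Stand-in scanner; a real one would invoke the anti-virus program.
        fake_scanner = lambda p: p.name != "invoice.doc"
        return restore(bak, clean, scanner=fake_scanner)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

Running the script restores only `Pictures/beach.jpg`; `Pictures/funny.jpg` is rejected for its executable header despite the `.jpg` name, `notes.txt` is rejected because it no longer matches the manifest, and `invoice.doc` is rejected by the scanner hook. The point of the manifest is the same one the article makes about not powering off the machine: preserve evidence of what actually came off the infected system.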
7. Protect your computer
To prevent future infections, you should take the following precautions:
  • Keep your system patched and up to date
  • Use up-to-date anti-virus software
  • Use strong passwords
  • Share files correctly
  • Minimize network services
  • Use some type of firewall
  • Back up your important files

Read 7 Steps to Securing Your Windows PC for more about protecting your computer.

To ensure that you are doing everything possible to protect your computer and your important information, you may also want to read some of the articles in the resources section below.

Resources/References

US-CERT Computer Virus Resources
http://www.us-cert.gov/other_sources/viruses.html

Before You Connect a New Computer to the Internet
http://www.us-cert.gov/reading_room/before_you_plug_in.html

Home Network Security
http://www.us-cert.gov/reading_room/home-network-security/

Home Computer Security
http://www.us-cert.gov/reading_room/HomeComputerSecurity/

Understanding Firewalls
http://www.us-cert.gov/cas/tips/ST04-004.html

Good Security Habits
http://www.us-cert.gov/cas/tips/ST04-003.html

Continuing Threats to Home Users
http://www.us-cert.gov/cas/alerts/SA04-079A.html

Windows Update
http://windowsupdate.microsoft.com/

Protect Your PC
http://www.microsoft.com/security/protect/default.asp

Increase Your Browsing and E-Mail Safety
http://www.microsoft.com/security/incident/settings.mspx

Source
Portions by Michael D. Durokta
US-CERT
http://www.uscert.gov/