
How Do I Get Rid Of My Trojan Virus?


12 replies to this topic

#1 r_beau
  • Members
  • 6 posts

Posted 11 December 2007 - 01:14 PM

So I suspected I may have some sort of virus yesterday when some program sent a spoof email to all of the contacts in my address book. I know it did this because several old email addresses came back undelivered.

I had AVG antivirus and Spybot programs on my computer, which I ran. Neither found anything. From the advice of a friend, I downloaded AVAST antivirus. I ran the scan and it found a Trojan Virus (file name: Win32:Spyware-gen [Trj] ) in one of my temporary internet files. I put it into the AVAST "Virus Chest" and that is where it sits now.

So, how do I get rid of it? There is a "delete file" option in the Virus Chest but I have heard and have read that simply deleting the Trojan file will not get rid of it and can cause programs to not run properly. So I have not deleted it.

Help please!!!! I want this thing off my computer.

My operating system is Windows XP and I have an Intel Inside Pentium 4 processor.

Edited to add that the virus has not seemed to affect anything else, besides sending out the spoof email through mine the one time yesterday. Everything else (internet, word processors, email, etc.) is working fine.

Edited by r_beau, 11 December 2007 - 01:18 PM.



#2 buddy215
  • BC Advisor
  • 12,619 posts
  • Location: West Tennessee

Posted 11 December 2007 - 02:04 PM

The reason for quarantining instead of deleting is to prevent deletion of a file that was misidentified as malware.
You can leave the file there for any length of time until you are sure it has been correctly identified as malware.
Then permanently delete it.
You should also run another scan with SAS.
Download and Install Super Antispyware free. Reboot into Safe mode and Run SAS. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Post back with results of scan and for further instructions.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 r_beau (Topic Starter)
  • Members
  • 6 posts

Posted 11 December 2007 - 03:20 PM

Okay, I downloaded SAS and ran the scan ... but not in safe mode. Totally forgot to do that until I just re-read your post now. :thumbsup:

I will do it again in safe mode if you need me to.

It found 146 Adware tracking cookies which it removed because they were threats. They are also listed in the quarantine.

Edited by r_beau, 11 December 2007 - 03:22 PM.


#4 buddy215
  • BC Advisor
  • 12,619 posts
  • Location: West Tennessee

Posted 11 December 2007 - 03:44 PM

No need to rerun SAS.
It is possible that Avast solved the problem. If you have reason to still suspect malware, post back.

You can keep the cookies (third-party cookies) that SAS removed from installing on your computer by following the simple instructions in the link below.
http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/
After changing your settings in IE to block the "third party cookies" you will need to delete, one last time, the ones that are now installed.

Remove temporary files, logs, cookies, etc. by using CCleaner. Do not use "Advanced Settings" or the "Issues" button. Use only the default settings. http://www.ccleaner.com/
During install of CCleaner you will be offered the Yahoo Toolbar. UNcheck if not wanted.



#5 boopme
  • Global Moderator
  • 72,240 posts
  • Location: NJ USA

Posted 11 December 2007 - 03:48 PM

Yes, you should scan again in Safe Mode, as the malware can remain active in normal mode and thus NOT be removed.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 quietman7
  • Global Moderator
  • 50,606 posts
  • Location: Virginia, USA

Posted 11 December 2007 - 06:15 PM

To expand upon what buddy215 already said; when an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the file in the vault is known to be bad, you can delete it at any time.

See the info on avast Virus Chest. Keep in mind, however, that when these files are left in quarantine, other scanning programs and security tools may flag them while in the quarantined area.

I also recommend you do the following and use the settings I have indicated. You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under "General and Startup", make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Then you should perform an Online Virus Scan like BitDefender.
(These require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component. If given the option, choose "Quarantine" instead of delete.)

No single product is 100% foolproof and can detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware, and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Therefore, when you get infected with malware, it's always a good practice to run your anti-virus/anti-malware scans in safe mode, then follow up with an online scan.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
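The quarantine lifecycle that buddy215 (#2) and quietman7 (#6) describe (vault the file so it cannot run, keep it restorable in case it was a false positive, delete only once you are sure) and quietman7's caveat that other scanners may flag files sitting in the vault, shown as an added Python example. This is not code from the thread, from avast or from SUPERAntiSpyware; the signature pattern, the XOR key, the file names and the toy byte-matching scanner are constructed for illustration, and real products use their own container formats and keys.

```python
"""Added example: a minimal anti-virus style quarantine ("virus chest").

Constructed for illustration; nothing here is a real product's format.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SIGNATURE = b"EICAR-LIKE-TEST-PATTERN"  # constructed pattern, not a real signature
VAULT_KEY = 0x5A                          # XOR key for the vault; constructed


def scan(path: Path) -> bool:
    """Toy signature engine: flags a file if its raw bytes contain SIGNATURE."""
    return SIGNATURE in path.read_bytes()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def quarantine(path: Path, vault: Path, detection: str, encode: bool = True) -> Path:
    """Move `path` into `vault` and record a manifest beside it.

    With encode=True the stored bytes are XOR-transformed, so the entry can
    neither execute nor match a byte signature.  encode=False stores the file
    verbatim (a plain move), which is why some products' vaults get flagged
    by a second scanner: the bytes it would have flagged in place are still there.
    """
    vault.mkdir(parents=True, exist_ok=True)
    data = path.read_bytes()
    digest = sha256(data)
    entry = vault / f"{digest}.vault"
    entry.write_bytes(bytes(b ^ VAULT_KEY for b in data) if encode else data)
    entry.with_suffix(".json").write_text(json.dumps({
        "original_path": str(path),   # needed to undo a false positive
        "sha256": digest,              # integrity check on restore
        "detection": detection,        # what the scanner called it
        "encoded": encode,
    }))
    path.unlink()                      # the original is gone from its location
    return entry


def purge(entry: Path) -> None:
    """Permanent delete: only once you are sure the detection was correct."""
    entry.unlink()
    entry.with_suffix(".json").unlink()


def restore(entry: Path) -> Path:
    """Undo a quarantine (false-positive path); verifies the manifest hash first."""
    meta = json.loads(entry.with_suffix(".json").read_text())
    data = entry.read_bytes()
    if meta["encoded"]:
        data = bytes(b ^ VAULT_KEY for b in data)
    if sha256(data) != meta["sha256"]:
        raise ValueError("vault entry does not match its manifest; refusing to restore")
    dest = Path(meta["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    purge(entry)
    return dest


def demo() -> dict:
    """Run the lifecycle on two constructed samples and report what each stage sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tif = root / "Temporary Internet Files"   # constructed stand-in for the IE cache
        tif.mkdir()
        a, b = tif / "sample_a.tmp", tif / "sample_b.tmp"
        payload = b"MZ\x90\x00" + SIGNATURE + b"\x00" * 16   # constructed sample bytes
        a.write_bytes(payload)
        b.write_bytes(payload + b"!")             # different bytes, different vault name
        vault = root / "chest"

        result = {"detected_before": scan(a) and scan(b)}
        plain = quarantine(a, vault, "Win32:Spyware-gen [Trj]", encode=False)
        enc = quarantine(b, vault, "Win32:Spyware-gen [Trj]", encode=True)
        result["originals_gone"] = not a.exists() and not b.exists()
        result["plain_vault_flagged"] = scan(plain)    # second scanner still sees it
        result["encoded_vault_flagged"] = scan(enc)    # inert: no raw signature match
        restored = restore(enc)                        # treat b as a false positive
        result["restored_in_place"] = restored == b and scan(restored)
        purge(plain)                                   # treat a as confirmed malware
        result["vault_empty"] = not any(vault.iterdir())
        return result


if __name__ == "__main__":
    for stage, seen in demo().items():
        print(f"{stage}: {seen}")
```

The plain (un-encoded) entry still matches the toy signature, which is the behaviour behind the warning in post #6: a second product pointed at the chest directory sees the same bytes it would have flagged in the cache. The encoded entry is inert for both execution and byte-signature matching, while the manifest hash stops a corrupted or tampered entry from being written back on restore.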

#7 r_beau (Topic Starter)
  • Members
  • 6 posts

Posted 12 December 2007 - 12:52 AM

Okay... 3 and a half hours later!!

I did EXACTLY as you described, quietman (thank you so much, btw!), and I am currently running the online scan with BitDefender.

Results from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2007 at 11:11 PM

Application Version : 3.9.1008

Core Rules Database Version : 3359
Trace Rules Database Version: 1358

Scan type : Complete Scan
Total Scan Time : 03:25:51

Memory items scanned : 162
Memory threats detected : 0
Registry items scanned : 6742
Registry threats detected : 0
File items scanned : 72020
File threats detected : 0

#8 quietman7
  • Global Moderator
  • 50,606 posts
  • Location: Virginia, USA

Posted 12 December 2007 - 08:56 AM

Looking good. :thumbsup:

#9 r_beau (Topic Starter)
  • Members
  • 6 posts

Posted 12 December 2007 - 09:13 AM

Okay, the online scan didn't come up with anything either.

So I am safe to just hit "delete file" in the virus chest???

#10 r_beau (Topic Starter)
  • Members
  • 6 posts

Posted 12 December 2007 - 05:36 PM

So... yea. Can I just delete it then?????? (from the virus chest?)

#11 boopme
  • Global Moderator
  • 72,240 posts
  • Location: NJ USA

Posted 12 December 2007 - 07:11 PM

Hi, I wanted to be sure all is running OK before deleting. Yes, you can delete. Those files can no longer be a danger in the quarantine. They go there first as a safety net in case they were an important file for system stability.
Now after that you need to make a NEW System Restore Point, as sometimes the malware hides in System Restore and the files there are closed to scanning. So make a new one, perhaps giving it a name like "clean"; here's how. Then you should be good to go.

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "OK".
Click the "More Options" Tab.
Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

#12 r_beau (Topic Starter)
  • Members
  • 6 posts

Posted 12 December 2007 - 07:53 PM

Thank you!!!!!

#13 quietman7
  • Global Moderator
  • 50,606 posts
  • Location: Virginia, USA

Posted 12 December 2007 - 10:09 PM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".