My computer got infected by a Trojan. Explorer is acting strange: there is a delay when I double-click a file, and Internet Explorer windows pop up showing a weird link (it's a dead link, so it just opens up a window |: [ ). Lavasoft Ad-Aware is able to find that bastard thing, but is unable to quarantine it or remove it. This is the first infection of that type, so I don't have the slightest idea what to do, so if somebody has more experience, please help me. I know it's not even nearly a UT topic, but I'm sure there are some S/W freaks among you :].
It's always important to note the Virus's/Trojan's name. This way, you can check the internet for information about what it does and what you can do to get rid of it.
Without any concrete information, you should do the following:
The fact that the infected file(s) could not be moved to the quarantine directory, as well as these annoying popups, is a hint that some process is running which has these files in use. Because of this, the first step should be to identify this process.
Here's how to do this:
- First, quit all running programs (including those in the SysTray in the lower right corner - usually, you have to right-click on the icons to find the Exit function).
- Open the Task Manager by holding down left CTRL + left SHIFT and pressing ESCAPE at the same time.
- In the Task Manager, choose the Processes tab (you can select further details to be displayed from the View menu of the window).
- Now the difficult part: Many processes are from Windows itself (like svchost.exe, services.exe, spoolsv.exe, explorer.exe, sched.exe, etc.). You need to find the process that doesn't belong to the system. Sometimes these processes have stupid random names like "uizegi" or something alike. In the end, you'll need some experience to tell which ones are suspicious, I'm afraid. In case of doubt, you can also search the internet for information about a process (with Google, for example).
- If you have found the suspicious process, note the name and try to kill it with the function provided by the Task Manager (in rare cases this is not possible, but usually it should work). If you succeeded and killed the correct process, you might have disabled the Trojan temporarily, which is important before trying to remove it.
Next thing to do is to locate it on your hard drive. You can either retry finding it with Ad-Aware or some similar tool, or do it by hand. For the latter case, there are several things you should check:
- Click on START and choose EXECUTE. In the text box, enter "msconfig" and click OK.
- MSConfig should open if you have it installed. In its window, choose the rightmost tab, called SYSTEMSTART. There you can see all programs that are executed when Windows boots. Try to find an entry corresponding to the process you identified in the previous step. If you find one, note down the complete COMMAND and PATH for it. The COMMAND entry might hold the exact location where the program resides on your HD (but more likely it will be omitted, because the program is in your search path). The PATH entry gives information on where to find the entry in your registry (for removal).
- Click on START and choose EXECUTE. In the text box, enter "regedit" and click OK.
- In the Registry Editor, navigate to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (and maybe other Run entries like "RunOnce" or "RunServices", etc.) and check the entries inside. If you see a start entry for the suspicious process, or anything else that is highly suspicious, you can delete it if you like. But be warned that it can cause problems if you delete an entry that is needed by the system. Once again, you need to have some knowledge about it, sorry.
- Many Viruses/Trojans hide in temporary and/or user directories. So it's always a good idea to delete the contents of temporary dirs. One way to do it is right-clicking C: (in the Explorer, or on the desktop under My Computer), choosing Properties and selecting "Cleanup" (or something similar - sorry, I have a German Windows and don't really know the English names). Unfortunately, this cleanup function usually doesn't delete ALL temporary files, so I recommend doing it manually. First of all, you should make sure that Hidden and System files are displayed by the Explorer (you can configure it in the Folder Options). Then navigate to "C:\My Documents\Local Settings\Temp" and manually delete all contents. Additionally, you should open the Internet Options of your Internet Explorer (e.g. by choosing Internet Options from the Control Panel) and clear the complete Cache and Offline Files.
- The last thing is to check C:\WINDOWS, C:\WINDOWS\system and C:\WINDOWS\system32 for any suspicious files. Here, again, you need to be an expert to tell which files should be there and which shouldn't. Searching the internet might help here, too. My hint: sort the files by date (by clicking the date label of the column). In most cases, the malicious files have very recent dates, which makes it easier to find them in the long list. But beware of deleting any important files that are needed by the system. This may cause instability or crash the whole system, with the need to reinstall Windows in the worst case! Maybe the information gathered in the other steps helps you to identify the file you're looking for.
Well, I hope I could provide some help with your problem. If you think you've found it (and maybe even removed it), be sure to restart the system and check that the files/processes are not created/started again. Some Viruses/Trojans have special mechanisms to keep themselves alive and prevent removal.
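The three manual checks in the post above (find the process that doesn't belong, read the Run keys, sort the system directories by date) can be scripted. What follows is an added example, not code from the post or from any of the tools named in the thread. It assumes PowerShell 5.1 or later on a current Windows, run from an elevated prompt; the XP-era machine in the thread has no PowerShell, so read it as what the same triage looks like today. The Authenticode signature check, the Wow6432Node Run key and the %TEMP% directory are additions beyond what the post describes.

```powershell
# Added example: automates the manual triage from the post above.
# Assumes PowerShell 5.1+ on a current Windows, run from an elevated prompt.
# Everything it reports is a candidate for a web search, not a verdict.

$WindowsDir = $env:SystemRoot                      # normally C:\Windows

function Get-SuspiciousProcess {
    # Step 1 of the post: processes that do not look like they belong to Windows.
    # Heuristic: image lives outside the Windows / Program Files trees, or the
    # image carries no valid Authenticode signature (the signature check is an
    # addition to the post's advice; unsigned is a reason to look, not a verdict).
    $roots   = @($WindowsDir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $trusted = $roots | ForEach-Object { "$_\*" }
    foreach ($p in Get-Process) {
        $path = $p.Path
        if (-not $path) { continue }               # protected process, image path unreadable
        $inTrusted = $false
        foreach ($pattern in $trusted) { if ($path -like $pattern) { $inTrusted = $true } }
        $status = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        if (-not $inTrusted -or $status -ne 'Valid') {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $path; Signature = $status }
        }
    }
}

function Get-AutorunEntry {
    # Step 2 of the post: the Run/RunOnce keys under HKCU and HKLM, plus the
    # 32-bit view (Wow6432Node) on 64-bit Windows, which the post predates.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are metadata
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-RecentSystemFile {
    param([int]$Days = 7)
    # Step 3 of the post: sort the system directories by date and look at what is new.
    # -Force includes hidden and system files, which the post says to make visible first.
    $cutoff = (Get-Date).AddDays(-$Days)
    $dirs = @($WindowsDir, "$WindowsDir\System32", "$WindowsDir\SysWOW64", $env:TEMP)
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, LastWriteTime, Length
    }
}

# Print the three lists; a name that shows up in more than one of them is the
# first thing to look up, exactly as the post suggests doing by hand.
Get-SuspiciousProcess | Format-Table -AutoSize
Get-AutorunEntry      | Format-Table -AutoSize
Get-RecentSystemFile -Days 7 | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Two caveats before acting on the output. Plenty of legitimate third-party software is unsigned or installed outside Program Files, so the first list is a reading list, not a kill list. Conversely, "signed and in System32" is not a clean bill of health: a malicious DLL loaded into a signed host such as svchost.exe or explorer.exe (which would explain the Explorer delay and the pop-ups in the first post) leaves the host's image signature perfectly valid, so cross-check what the Run keys and the recent-file list point at rather than trusting any single list. Once you have a name and a full path noted down, Stop-Process -Id <pid> does what the Task Manager kill step does.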
}TCP{the_kay wrote:This (or this) should solve your problem...
Oh, great! Next time I read something about a Linux user who's missing some drivers for his hardware, I'll just write:
"This should solve your problem..."
Thanks for the detailed info, coco. I've been editing msconfig and the registry quite often, so this shouldn't be a problem. I'll try to check the log files; maybe the name of the mf is in there! If I don't find it there, I'll try to do what you wrote (seems to be a lot of work).
There under the chestnut tree,
you betrayed me,
I betrayed you,
without batting an eye.
}TCP{the_kay wrote:This (or this) should solve your problem...
Oh, great! Next time I read something about a Linux user who's missing some drivers for his hardware, I'll just write:
"This should solve your problem..."
Coco.
Hehe, nice idea. But c'mon, just let me have my fun.
Besides, it's not the fault of GNU/Linux or the free software developers if there are missing drivers. It's the hardware manufacturer, who:
1. Cares only about Windows
2. Only releases proprietary drivers (and mostly only for Windows)
3. Doesn't release the hardware specifications (which makes it very hard or impossible to write drivers. If you don't have the hardware specs, programming a driver gets so much more difficult...)
THC_54j0 wrote:lol kay, that was so weak. OK, I like the idea of open source, but I'm just too lazy for Linux ^^
Hm, I don't like the idea of Open Source so much; I like the idea of free software more. And I'm not using the Linux system, I'm using the GNU/Linux system.
By the way: at the beginning it may be a bit hard and you may need some help, but after a year or so you see how it was worth it. I'm working so much more effectively and have learned much more about computers than I could ever have done with Windows.
}TCP{the_kay wrote:Besides, it's not the fault of GNU/Linux or the free software developers if there are missing drivers. It's the hardware manufacturer
And just the same, it's not the fault of Windows that there are so many idiotic bastards out there who code Viruses or Trojans to harm other users. The Linux/GNU/whatever users are just lucky that these criminals aim at the platform that is used by 90% of the users.
I ran Spybot S&D, Ad-Aware, NOD32, Trojan Remover and WinPFind. They found about 60 infections altogether; I hope the main thingy was among them. If it shows up again, I really don't know what to do |: [
There under the chestnut tree,
you betrayed me,
I betrayed you,
without batting an eye.
}TCP{the_kay wrote:This (or this) should solve your problem...
I've never gotten any viruses...
Very nice links. I got Ubuntu working on a computer I have. Still figuring out some stuff, but this was the first Linux I was able to get working. I hope you don't mind me bugging you with questions. (I'm sure I will have many.) Very nice though, Kay.