#1 |
|
Member (12 bit)
Join Date: Jul 2002
Location: Easthampton, Massachusetts
Posts: 2,633
|
Friend with Trojan
Hello everybody,
A friend of mine has a trojan installed on his PC. Ran a Trend Micro Virus Scan and it detected that his PC has a Trojan installed on it. I hit "delete" but it said that the file is in use by Windows. So I CTRL+ALT+DEL and once I see the process list come up, the whole box disappears. I ran a Spybot Search and Destroy scan and removed all instances of spyware on his PC and removed all of the spyware software installed via Add/Remove in the Control Panel. So after the reboot, the spyware is gone, but the trojan is still inside the system. I cannot end task the process, because once I do the 3 finger salute, the box disappears. Maybe this will work in safe mode? He has a Dell, P4 1.8GHz, with 512MB of RAM, and running Windows XP Home Edition. I tried to run MSCONFIG from RUN, but I would just click "OK" and nothing else would happen. I don't see any control over his computer, but he is getting a lot of pop ups, messages, etc. Any help would be appreciated.
#2 |
|
Member (12 bit)
Join Date: Jan 2002
Location: Central Arkansas
Posts: 2,170
|
What's the name of the Trojan?
Definitely try safe mode to see if you can stop it from running.
__________________
Roger "Our greatest glory is not in never falling, but in rising every time we fall." -Confucius |
#3 |
|
Shiro Usagi
Premium Member
Join Date: Sep 1999
Location: Kaneohe, Hawaii
Posts: 34,002
|
Have you tried a trojan scanner like The Cleaner by Moosoft?
Cricket
#4 |
|
Member (12 bit)
Join Date: Jul 2002
Location: Easthampton, Massachusetts
Posts: 2,633
|
Next time I am over his house, I will download The Cleaner. NAV didn't detect it, as it was the 2002 version.
Not sure what the Trojan is. But Trend Micro couldn't remove it because the file was in use, and if I tried to end process the offending file, it wouldn't let me. Will post back next time I am over his house. Thanks for the input, guys!
#5 |
|
Member (4 bit)
Join Date: Aug 2003
Posts: 9
|
Trojan nightmares
I'm assuming you are using Windows XP on this system... I haven't done any troubleshooting of a trojan that wasn't on Windows 98, but I'll state what I know and maybe you'll be able to take this information and use it.
The trojans I dealt with would usually make several copies of themselves: the registry, autoexec.bat or config.sys, and in the system.ini.

The trick would be to look in the system.ini under the RUN= line, and look to see what executable was listed there. (Some of these had many spaces after the RUN= to make it look like there was nothing there, but if you scrolled over to the right, you'd find a file name.)

Once you get the name of this file:
Start -> run -> REGEDIT
Go to SEARCH and enter the name of the executable you found there.
Delete any occurrences of this file name in the registry.

Next, go to Start -> run -> sysedit
Look in the win.ini, system.ini, config.sys, and autoexec.bat, search for that same executable and delete any references in these files.

Now, here's the real kicker - before you delete the actual file that is being run from the hard drive, look at the file's creation date.
Go to Start -> Find -> Files and Folders
Search your entire C: drive for any files that were created on the same date, and if any are the same exact file size, you want to delete those as well. They are known to make several copies of themselves with several different names.

It always took me several tries to use this method, but it guarantees that you'll get it deleted. If you miss just one reference or one copy of the trojan and restart, it will put itself back in all the places that you deleted it from.

Hope the above wasn't all gibberish to ya... Take it for what it is ;-)
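The padded RUN= line described in post #5 can be checked for without scrolling. This is an added example, not part of the original thread: it reads the text of a win.ini or system.ini and reports every non-empty run=, load= or shell= entry, flagging values pushed off-screen with whitespace. The function name, the padding threshold and the sample file contents are constructed for illustration.

```python
import re

# Legacy auto-start keys: win.ini [windows] run=/load=, system.ini [boot] shell=
AUTOSTART_KEYS = {"run", "load", "shell"}
PAD_THRESHOLD = 8  # assumption: this many blanks after '=' counts as hiding

def find_autostart_entries(ini_text):
    """Return a finding for every non-empty run=/load=/shell= line."""
    findings, section = [], ""
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or INI comment
        header = re.match(r"\[(.+?)\]", stripped)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key not in AUTOSTART_KEYS:
            continue
        target = value.strip()
        if not target:
            continue  # an empty run=/load= is the normal state
        # Count the blanks between '=' and the first visible character
        padding = len(value) - len(value.lstrip(" \t"))
        findings.append({
            "line": lineno, "section": section, "key": key, "target": target,
            "padding": padding,
            "hidden": padding >= PAD_THRESHOLD,
            # Explorer.exe is the stock shell= value on Windows 9x
            "stock": key == "shell" and target.lower() == "explorer.exe",
        })
    return findings

# Constructed sample files; the executable name is a made-up placeholder
SAMPLE_WIN_INI = ("[windows]\r\nload=\r\nrun=" + " " * 120 +
                  "C:\\WINDOWS\\SYSTEM\\example_dropper.exe\r\nNullPort=None\r\n")
SAMPLE_SYSTEM_INI = "[boot]\r\nshell=Explorer.exe\r\n; comment\r\n[386Enh]\r\n"

if __name__ == "__main__":
    for name, text in (("win.ini", SAMPLE_WIN_INI), ("system.ini", SAMPLE_SYSTEM_INI)):
        for f in find_autostart_entries(text):
            note = "HIDDEN BY PADDING" if f["hidden"] else ("stock" if f["stock"] else "review")
            print(f'{name}:{f["line"]} [{f["section"]}] {f["key"]}={f["target"]} ({note})')
```

Any entry reported as hidden or "review" gives the file name to search for in the registry and the other startup files, as the post goes on to describe.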
#6 |
|
Member (12 bit)
Join Date: Jul 2002
Location: Easthampton, Massachusetts
Posts: 2,633
|
Thank you for your reply, Railbird. I used that method before on removing Sub7 manually. I will try running in safe mode, ending the offending file and then running The Cleaner. If that safely removes it, then I will check the registry, win.ini, system.ini for any instances of that file(s).
Thanks!