dho1115...
A trojan horse is one form of virus, which typically opens
a backdoor into your system through which control can be
initiated for various purposes.
Many viruses cannot be simply removed by an antivirus
program, since, once initiated, they often create files
and entries in critical areas like the Windows registry
and thus become embedded in multiple locations.
This takes a careful and skilled step-by-step process to
eliminate completely. One excellent program for finding
entries in multiple locations is HijackThis, which scans
your system and creates a log file which knowledgeable
geeks can comb through and advise you about what changes
to make on your system. Download it from the home page:
http://www.spywareinfo.com/~merijn/downloads.html
Once you've created a log from HijackThis, you can also
copy and paste it into this log analyzer at IamNotaGeek:
http://hjt.iamnotageek.com/
It will give you a URL you can copy and paste here or
elsewhere for further analysis. It will also underscore
links to references which contain familiar entries, and
also bold certain items as questionable entries to be
deleted.
Short of all that, however, even if McAfee is unable to
delete or quarantine the file(s), it should have given
you the name of it. Given the specific name, it may be
possible to locate precise directions for eliminating
it. Additionally, there are several online antivirus
programs which may do a better job than McAfee at
finding and eliminating viruses:
Free online & downloadable virus scans:
AntiVir:
http://www.free-av.com/
BitDefender:
http://www.bitdefender.com/scan/licence.php
Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx
Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp
Trend Micro and AntiVir are known to pick up on things which
are sometimes missed by others. I use AntiVir, which is
especially useful in flagging and preventing attempted hidden
downloads of viruses and other malware from malicious sites.
AntiVir needs to be downloaded. Trend Micro works online.
Before, or after running HJT, you can download or use
the online versions of the following programs. Installing
and running these first may eliminate some problems from
the HJT scan:
Lavasoft AdAware:
http://www.lavasoft.de/
SpyBot Search and Destroy:
http://www.safer-networking.org
SpywareBlaster ("immunizes your system"):
http://www.javacoolsoftware.com/spywareblaster.html
I use all of the above religiously - just like washing
the car.
In short, the answer to your question, as asked, is yes.
I'm going to post this into the answer space and will
continue to work with you by way of the Clarification
process until the virus is eliminated or it's clear
that there's no way to remove it. Just let me know
where this takes you.
A user's guide on how to use the Clarification function
is on researcher skermit-ga's site, here:
http://www.christopherwu.net/google_answers/answer_guide.html#how_clarify
Please do not rate, and thereby close this answer until
you are satisfied that the answer cannot be improved upon
by way of a dialog established through the "Request for
Clarification" process.
sublime1-ga
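As an added example that is not part of this answer and is not the code of HijackThis or of the IamNotaGeek analyzer, the following Python script does, on a small scale, what such a log analyzer does: it pulls the R/F/O entries out of a HijackThis log, marks the ones that match a list of familiar items, and flags the rest for a person to look up before anything is deleted. The sample log, the allowlist and the CLSIDs in them are constructed for the example and are not real indicators.

```python
"""Triage a HijackThis log: separate familiar entries from ones needing review.

Added example for this thread; it is not the code of HijackThis or of the
IamNotaGeek log analyzer. SAMPLE_LOG, FAMILIAR and the CLSIDs in them are
constructed for the example, not real indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A HijackThis entry starts with a section code (R0-R3, F0-F3, O1-O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")

SECTION_NAMES = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object",
    "O4": "startup (Run key / Startup folder)",
    "O16": "ActiveX download (DPF)",
    "O23": "Windows service",
}

# Constructed allowlist: (section code, lowercase fragment that identifies a
# familiar entry). A real analyzer consults a maintained database instead.
FAMILIAR = {
    ("R0", "http://www.google.com/"),
    ("O2", "{00000000-0000-0000-0000-000000000001}"),
    ("O4", r"c:\windows\system32\ctfmon.exe"),
    ("O4", r"c:\program files\java\jre1.5.0_04\bin\jusched.exe"),
}

# Startup entries launching from folders a browser or download can write to
# deserve a closer look; the trojan in this thread arrived by hidden download.
USER_WRITABLE_HINTS = ("\\local settings\\temp\\", "\\application data\\", "\\temp\\")


@dataclass
class Entry:
    code: str
    body: str
    familiar: bool
    note: str


def classify(code: str, body: str) -> Entry:
    """Mark an entry familiar if an allowlisted fragment appears in it."""
    lowered = body.lower()
    for fcode, fragment in FAMILIAR:
        if fcode == code and fragment in lowered:
            return Entry(code, body, True, "familiar entry")
    note = "unfamiliar entry, look it up before removing"
    if code == "O4" and any(hint in lowered for hint in USER_WRITABLE_HINTS):
        note = "unfamiliar startup entry launched from a user-profile/temp folder"
    return Entry(code, body, False, note)


def parse_log(text: str) -> list[Entry]:
    """Pull the R/F/O entries out of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(classify(m.group("code"), m.group("body")))
    return entries


def needs_review(entries: list[Entry]) -> list[Entry]:
    """The entries a knowledgeable reader would be asked to comb through."""
    return [e for e in entries if not e.familiar]


def render(entries: list[Entry]) -> str:
    """Text version of the analyzer's marking: [ok] for familiar, [??] for review."""
    lines = []
    for e in entries:
        marker = "[ok]" if e.familiar else "[??]"
        section = SECTION_NAMES.get(e.code, "other")
        lines.append(f"{marker} {e.code} ({section}): {e.body}  -- {e.note}")
    return "\n".join(lines)


# Constructed sample log in HijackThis 1.99.1 layout; paths and CLSIDs are made up.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:11:23 AM, on 7/18/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\Owner\Local Settings\Temp\sysupd.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control) - http://example.invalid/control.cab
"""

if __name__ == "__main__":
    print(render(parse_log(SAMPLE_LOG)))
```

Run it as-is to see the marked-up sample, or replace SAMPLE_LOG with a real log. The allowlist is the weak point of any such tool: an entry is only "familiar" because somebody put it on the list, so an unfamiliar marking means "look it up", not "delete".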
Request for Answer Clarification by dho1115-ga on 18 Jul 2005 08:11 PDT
Hello;
If I download or use any of the antivirus programs you recommended,
will I have to disable my McAfee? Can I download and run, say, Hijack
This or AntiVir without having to disable my McAfee Online Security
features? The reason why I ask this is because, when I bought and
downloaded McAfee, I had to disable my Norton Antivirus program, which
was, at that time, installed in my computer. Otherwise, the McAfee
won't run properly (it actually told me I had to disable my Norton
Antivirus program). Will I have to do the same with these programs you
recommended? Thank-you for your help.
Clarification of Answer by sublime1-ga on 18 Jul 2005 10:52 PDT
dho...
It's a good idea to avoid running any two comprehensive
antivirus programs at the same time. There is a tendency
for them to detect each other's activity as potentially
malicious, since they operate with a considerable degree
of freedom, on an intimate level with all the files on
the system.
And "disable" is the best word here. Uninstalling antivirus
programs can sometimes be a more complex prospect than that
of simply disabling them, and many people have run into
system problems after uninstalling them. If, instead, you
simply go into the configuration of the program you don't
want to use and prevent it from loading with Windows, it
can be much simpler. Another option is to right-click the
icon for the program in the system tray and exit or disable
it that way. Temporarily disabling it in this way is good
enough for, say, running an online antivirus scan at Trend
Micro's site, but if you decide to install a full program
like AntiVir and use it regularly, you'll want to prevent
any other antivirus from loading with Windows. If you're
not exactly sure where in the program to disable it from
loading with Windows, rather than digging through the help
files (which is usually a good thing to do), you can often
shorten this process by using a program like WinPatrol to
review what's loading at system startup and disable what
you want to. WinPatrol is also extremely useful in getting
to entries created by malicious programs, and preventing
them from loading, as well. Plus, you'll love Scotty the
watchdog:
http://www.winpatrol.com/
HijackThis and SpywareBlaster can usually be run without
making any changes to your current antivirus program.
SpywareBlaster doesn't even need to continue running -
it makes changes in your system which effectively prevent
certain exploits from occurring and then you can exit the
program. However, the author of HijackThis notes on his
main page:
"McAfee is at it again, unfortunately. Yes, I am aware
of the fact that McAfee detects HijackThis 1.99.1 as a
generic worm. For the fourth time. Yes, I am aware of
the fact that McAfee detects the StartupList standalone
as an mhtml exploit webpage. This makes respectively the
fifth and sixth time McAfee has mistakenly detected one
of my programs as some brand of virus. And I'm getting
pretty tired of this. Am I supposed to email each and
every new version of a program I publish to McAfee so
they can verify that UPX compression does not
automatically equal a scary virus??"
http://www.spywareinfo.com/~merijn/index.html
So, in your case, disable McAfee before running HJT.
Don't neglect the process of rebooting after disabling
the program from starting with Windows, if you're not
able to find a way to disable or close the program
while remaining in Windows.
The activities of AdAware and Spybot Search & Destroy may
also be detected as unfriendly, but, again, only by certain
antivirus programs. AntiVir, e.g., has no problem with any
of these programs.
It's generally advisable to read up a bit on the programs
you're planning to use. The authors are usually well aware
of conflicts, based on feedback they receive from the users,
and make note of potential problems on their websites or in
the ReadMe files that accompany the program, and which they
offer to let you read following installation.
sublime1-ga
Request for Answer Clarification by dho1115-ga on 19 Jul 2005 08:51 PDT
Hello;
I tried to download Hijack This @ http://www.spywareinfo.com/~merijn/downloads.html
and I could not find the link to it. There is just some headline that
talks about how cwshredder or hijack this closes immediately after
opening.
The funny thing is, it seems my internet appears to be running OK
(maybe there is a problem I haven't uncovered yet?) and I seem to be
able to get on. One question I do have is this: Is it safe to make
purchases and do other things over the internet that involves giving
out your personal information if there is a virus or trojan horse
still in your computer? Can a virus or trojan horse steal your
personal information?
Clarification of Answer by sublime1-ga on 19 Jul 2005 14:46 PDT
dho1115...
While it requires a modest amount of reading to locate the
download links for HijackThis on that page, there are 7 links
for the latest program and 3 to an older version. That page
contains 5 light-blue boxes with brighter blue headers, and
the links for downloading HijackThis are in the 5th, or last,
box on the page, with the heading "Official downloads". The
second program listed for download, after Startup List, is
HijackThis. The first download link is from merijn.org, right
after the red type that says "Currently at version: 1.99.1":
http://www.merijn.org/files/hijackthis.zip
The ability to remove a virus from your computer, with or
without assistance, will require a level of attention to
detail while reading which exceeds that needed to locate
the download link in that page.
You say you seem able to access the internet okay, and
"maybe there is a problem I haven't uncovered yet?"
but you haven't answered my question about whether your
McAfee antivirus program provided you with the name of
the virus which it was unable to delete or quarantine.
Nor do you indicate whether you've run any of the other
antivirus or malware detectors I suggested, and whether
they indicated an ongoing infection, or a problem they
were unable to handle.
Then you ask:
"Is it safe to make purchases and do other things over
the internet that involves giving out your personal
information if there is a virus or trojan horse still
in your computer? Can a virus or trojan horse steal
your personal information?"
Certainly there are viruses which will not interrupt
your ability to connect with the internet (though
others will). And certainly there are viruses which
will install a keylogger onto your system, so that,
even if you're entering your personal information on
a secure webpage, the keylogger can track every stroke
on the keyboard from within your own computer, and
relay this information to a hacker. While this is
only one kind of virus, and your system may not be
infected with that specific type, I would not make
that assumption. It is wiser to err on the side of
caution and discontinue browsing the internet and
sending email until you've identified and removed
any virus which has been indicated on your system.
sublime1-ga
Request for Answer Clarification by dho1115-ga on 19 Jul 2005 21:22 PDT
Hello:
I think I finally got the two trojans out of my computer. I ran McAfee
again to get the names of the trojans. One of the trojans was
"Exploit-byte Verify" and the other was "Exploit-Byte Verify,
gene...". Anyways, I downloaded Hijack This and created a log (which
was quite long) and pasted it to I am not a geek, which highlighted
some codes red and labelled it as "X" (certified malware).
So, I downloaded both Lava Soft Adware and Spyware Blaster (and
enabled all of its features) and, to make a long story short, I
believe the trojans are cleaned from my system.
Thanks for helping me through all this. I really appreciate it!
Clarification of Answer by sublime1-ga on 19 Jul 2005 23:11 PDT
dho1115...
Thanks very much for the rating and the tip!
The easiest way to know for sure that the viruses are gone
is to run a full scan again with whatever antivirus program
you've now settled on. If you're still using McAfee, run that.
Exploit-byte Verify seems to find its way in by way of a java
file which can be snuck in by way of a hidden download from a
malicious site. One of the components of AntiVir, called Guard,
actively notifies you of these hidden download attempts, and
prompts you to delete or deny access to the files the moment
they're downloaded. This is one of the main reasons I prefer
AntiVir over many other programs.
The java files are typically downloaded to:
C:\Documents and Settings\YourWindowsLogonName\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
At the very least, if your antivirus program has an entry
in the context menu when you right-click on a Windows folder
in Windows Explorer, it's good to run a scan on this directory
from time to time (once a day is not too often).
I'm very pleased to have been able to assist you in eliminating
these viruses. Feel free to call on me again, if necessary.
sublime1-ga
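As an added example, not from this thread and not part of AntiVir, McAfee or any other product named here, the following Python script supports the periodic check of the Java deployment cache that the last clarification recommends. Instead of relying only on whatever signatures the antivirus has that day, it inventories every .jar in the cache folder (SHA-256, size, class files inside) so that the hashes can be looked up or submitted to a scanner and a newly appeared archive stands out against the previous run. The default cache path is assumed from the answer above, built from the USERPROFILE variable; the two jars the demo creates are constructed and contain no real code.

```python
"""Inventory the JAR files in a Java deployment cache for periodic review.

Added example for this thread; not from any antivirus product. DEFAULT_CACHE
is assumed from the path given in the answer (adjust it for your own logon
name); the jars built by make_sample_cache() are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
import zipfile

# Assumed location, taken from the answer: the per-user Sun Java cache on Windows XP.
DEFAULT_CACHE = os.path.join(
    os.environ.get("USERPROFILE", ""), "Application Data", "Sun", "Java",
    "Deployment", "cache", "javapi", "v1.0", "jar",
)


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_jar(path: str) -> dict:
    """Return hash, size and the .class names inside; a corrupt archive is still reported."""
    info = {"path": path, "size": os.path.getsize(path),
            "sha256": sha256_of(path), "valid_zip": False, "classes": []}
    try:
        with zipfile.ZipFile(path) as zf:
            info["valid_zip"] = True
            info["classes"] = sorted(n for n in zf.namelist() if n.endswith(".class"))
    except zipfile.BadZipFile:
        pass  # not a readable archive: keep the hash so it can still be looked up
    return info


def inventory(cache_dir: str) -> list:
    """Walk the cache and describe every .jar/.zip, sorted by path for stable diffs."""
    results = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if name.lower().endswith((".jar", ".zip")):
                results.append(inspect_jar(os.path.join(root, name)))
    return sorted(results, key=lambda r: r["path"])


def new_since(previous: list, current: list) -> list:
    """Archives whose hash was not in the previous inventory: the ones worth a look."""
    seen = {r["sha256"] for r in previous}
    return [r for r in current if r["sha256"] not in seen]


def make_sample_cache(base_dir: str) -> str:
    """Build a constructed cache directory with two small jars for the demonstration."""
    jar_dir = os.path.join(base_dir, "javapi", "v1.0", "jar")
    os.makedirs(jar_dir, exist_ok=True)
    with zipfile.ZipFile(os.path.join(jar_dir, "known-applet.jar"), "w") as zf:
        zf.writestr("com/example/Known.class", b"constructed placeholder, not bytecode")
    with zipfile.ZipFile(os.path.join(jar_dir, "unexpected.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", b"constructed placeholder, not bytecode")
    return jar_dir


def demo() -> dict:
    """Inventory the constructed cache and show which jar is new versus a baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        jar_dir = make_sample_cache(tmp)
        current = inventory(jar_dir)
        # Pretend the baseline was taken before unexpected.jar appeared.
        baseline = [r for r in current if r["path"].endswith("known-applet.jar")]
        return {"inventory": current, "new": new_since(baseline, current)}


if __name__ == "__main__":
    target = DEFAULT_CACHE if os.path.isdir(DEFAULT_CACHE) else None
    report = inventory(target) if target else demo()
    print(json.dumps(report, indent=2))
```

Save the JSON from each run; the next run's new_since() against the saved list tells you which archives were not there last time, which is the question the daily scan is really asking. A jar that is not a valid zip is reported rather than skipped, since a damaged or disguised file in that folder is exactly what deserves attention.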