How do I remove this computer virus?
January 24, 2005 9:16 AM Subscribe
My mother's computer has picked up a persistant trojan virus. She's over 1,000 miles away so I can't work on her PC myself, so I've been talking her through things on the phone. AVG Free 7.0 detects the virus and claims to remove it, but it always comes back the next time she scans. The only thing she can tell me about the virus is that AVG removes a file with a mixture of English and Cyrillic letters in it. Any idea how I can help her slay this thing once and for all?
Servo: you have my sympathy, over the phone virus eradication with loved ones is one of life's little trials. What OS and Service Pack is your mum running?
I would recommend whatever virus scanner you use, do the following FIRST:
1) Disable system restore (it is the devil). Right click My Computer, go to properties, or Control Panel > System. Click the System restore Tab, check the box that says 'Disable.' Click Ok. You don't need system restore anyway, and it has a nasty habit of keeping viruses that you thought you had cleaned.
2) Boot up in Safe Mode (no networking, its not necessary IMO). Then run your AV software.
3) Start scanning. I like to use McAfee Stinger (direct link to file), its quick and dirty and cleans a number of common viruses. It won't detect or remove anything not on the list, however. But she won't need to install anything and its very easy to use.
What does AVG say the virus name is? There may be some manual removal instructions available. What is the virus' characteristic behavior, what is it specifically doing to her machine? If you can figure out what it is, Symantec, et al, offer free removal tools for individual infections.
posted by tweak at 9:33 AM on January 24, 2005
I would recommend whatever virus scanner you use, do the following FIRST:
1) Disable system restore (it is the devil). Right click My Computer, go to properties, or Control Panel > System. Click the System restore Tab, check the box that says 'Disable.' Click Ok. You don't need system restore anyway, and it has a nasty habit of keeping viruses that you thought you had cleaned.
2) Boot up in Safe Mode (no networking, its not necessary IMO). Then run your AV software.
3) Start scanning. I like to use McAfee Stinger (direct link to file), its quick and dirty and cleans a number of common viruses. It won't detect or remove anything not on the list, however. But she won't need to install anything and its very easy to use.
What does AVG say the virus name is? There may be some manual removal instructions available. What is the virus' characteristic behavior, what is it specifically doing to her machine? If you can figure out what it is, Symantec, et al, offer free removal tools for individual infections.
posted by tweak at 9:33 AM on January 24, 2005
Also, if her computer can still run IE in a stable manner, there is a free Security Check (http://www.symantec.com/cgi-bin/securitycheck.cgi) that Symantec offers. Its also pretty easy to use.
It might even work in Safe Mode With networking. Once you identify it there is a list of removal tools Symantec offers for free. These are also as easy to use as Stinger, but only work on a virus-by-virus basis.
posted by tweak at 9:38 AM on January 24, 2005
It might even work in Safe Mode With networking. Once you identify it there is a list of removal tools Symantec offers for free. These are also as easy to use as Stinger, but only work on a virus-by-virus basis.
posted by tweak at 9:38 AM on January 24, 2005
I had the same problem with Sophos recently. Apparently, the trojan was new variant of an older family of trojans, which Sophos could detect but not remove, although it did falsely report that it removed the trojan after scanning. After a week of being unable to kill the thing, a new update got it.
posted by shoos at 9:39 AM on January 24, 2005
posted by shoos at 9:39 AM on January 24, 2005
Response by poster: Ah! I forgot to say what OS she has. It's Windows 98 SE on a Pentium II 266MHz with 160 MB of RAM. The computer is from 1995 and has been upgraded and tinkered with a number of times to keep it running. She's also on a dial-up 56K modem connection if that matters to anyone.
As for the virus itself, she says she notices nothing unusual about the system's behavior and the only reason she knows there's a virus is because AVG tells her so. She doesn't know the name of it and just says it has a filename of mixed English and Cyrillic letters. The infected file is a .dll file, however. Her concern is that this is some program that is waiting to send her credit card numbers or passwords somewhere.
So far I've had her running the usual suspects of AVG, Ad-Aware, and Spybot (she also had a bunch of spyware that I've talked her through removing) in both normal and safe modes. This trojan is the last thing that's hanging on to her machine.
posted by Servo5678 at 9:50 AM on January 24, 2005
As for the virus itself, she says she notices nothing unusual about the system's behavior and the only reason she knows there's a virus is because AVG tells her so. She doesn't know the name of it and just says it has a filename of mixed English and Cyrillic letters. The infected file is a .dll file, however. Her concern is that this is some program that is waiting to send her credit card numbers or passwords somewhere.
So far I've had her running the usual suspects of AVG, Ad-Aware, and Spybot (she also had a bunch of spyware that I've talked her through removing) in both normal and safe modes. This trojan is the last thing that's hanging on to her machine.
posted by Servo5678 at 9:50 AM on January 24, 2005
Well, then forget the warning about System Restore. Stinger still works in Win95 tho. Not sure about my other recommendations.
posted by tweak at 9:54 AM on January 24, 2005
posted by tweak at 9:54 AM on January 24, 2005
What is the name of the infectd DLL file? Sometimes viruses create a custom DLL and a google search might reveal its origin. It sounds a little like W32.Badtrans.B@mm.
posted by tweak at 9:59 AM on January 24, 2005
posted by tweak at 9:59 AM on January 24, 2005
Response by poster: I'll walk her through Stinger and the Symantec check this evening. Hopefully that will do it. The last two AVG updates have been no help, it seems.
Searching with Google was my first idea but without knowing what I'm looking for, the road hit a dead end very quickly.
posted by Servo5678 at 10:00 AM on January 24, 2005
Searching with Google was my first idea but without knowing what I'm looking for, the road hit a dead end very quickly.
posted by Servo5678 at 10:00 AM on January 24, 2005
http://forums.majorgeeks.com/showthread.php?t=35407
I had a trojan that I couldn't shake a couple days ago. I used the advice from this forum, and it cleaned it in a couple minutes, after I had been working at it for hours.
posted by FunkyHelix at 10:49 AM on January 24, 2005
I had a trojan that I couldn't shake a couple days ago. I used the advice from this forum, and it cleaned it in a couple minutes, after I had been working at it for hours.
posted by FunkyHelix at 10:49 AM on January 24, 2005
http://forums.majorgeeks.com/showthread.php?t=35407
for the lazy like me :)
posted by petebest at 11:39 AM on January 24, 2005
for the lazy like me :)
posted by petebest at 11:39 AM on January 24, 2005
See if your mom can load VNC, free software that allows you to remotely control her pc, and you could clean it up. Slow over dialup, but still usable. I'd also load adaware and spybot, both free spy-, ad- mal-ware killers.
posted by theora55 at 1:36 PM on January 24, 2005
posted by theora55 at 1:36 PM on January 24, 2005
She could also try using pandascan or house call - both offer free online scanning/removal tools (both use activeX so will need to access the sites via IE).
If all else fails google the name of the virus and places like sophos should have instructions on how to remove the infected file manually. Or try the forums at wilders security (they're good bunch of people who are very helpful)
posted by squeak at 1:45 PM on January 24, 2005
If all else fails google the name of the virus and places like sophos should have instructions on how to remove the infected file manually. Or try the forums at wilders security (they're good bunch of people who are very helpful)
posted by squeak at 1:45 PM on January 24, 2005
If you're unfamiliar with Computer Cops (http://castlecops.com/), they are terrific, FREE, and will, over a period of a couple days, completely walk you through how to clean your mother's computer of a trojan or any virus, really.
The forum you want to check out is HijackThis. Read through their posting guidelines, walk your mom through downloading a copy of HijackThis and I promise, her troubles will be resolved.
posted by peacecorn at 2:25 PM on January 24, 2005
The forum you want to check out is HijackThis. Read through their posting guidelines, walk your mom through downloading a copy of HijackThis and I promise, her troubles will be resolved.
posted by peacecorn at 2:25 PM on January 24, 2005
I've had two similar situations. On one, Etrust Anitvirus wouldn't find it, but it was obviously there. I tried AVG, it found it, said it removed it, but didn't. I tried this with system resotre turned off, in safe mode, etc and still it wouldn't work. What did work was I looked at the programs that got loaded in startup using msconfig.exe and found some strange one. I removed this program from the startup and then ran AVG again and it was gone.
I ran into a similar situation with some spyware on another computer. SpyBot would detect it (the antivirus software wouldn't) but couldn't remove it. Again, I found a wierd program in the startup list, and removing it did the trick.
In the years I've been doing this, I've never run across something that a reboot in safe mode and turning off system restore didn't allow the antivirus to fix until these two situations.
posted by gus at 6:43 PM on January 24, 2005
I ran into a similar situation with some spyware on another computer. SpyBot would detect it (the antivirus software wouldn't) but couldn't remove it. Again, I found a wierd program in the startup list, and removing it did the trick.
In the years I've been doing this, I've never run across something that a reboot in safe mode and turning off system restore didn't allow the antivirus to fix until these two situations.
posted by gus at 6:43 PM on January 24, 2005
This thread is closed to new comments.
posted by swordfishtrombones at 9:31 AM on January 24, 2005