I may have infected my computer with a trojan. Help me get rid of it.
November 18, 2011 8:19 PM   Subscribe

I absent mindedly opened an e-mail from the "United States Post Office" claiming that a package I had sent on the 12th had an incorrect address. Then I clicked on the attachment and that's when I realized I had done a very bad, stupid thing because the USPS doesn't have my e-mail for any reason. Yahoo's e-mail did a scan and it said the attachment was clean. Google tells me that this is a trojan. I'm running Malwarebytes as I type. What else should I do?

This happened about twenty minutes ago and nothing seems to be wrong with my computer. Nothing happened when I clicked on the attachment. My computer runs Windows Vista and I have Trend Micro Titanium anti-virus and Spy-Sweeper (just the anti-spyware). Both are up to date. Did my anti-virus already take care of it or do I need to do more? Thanks.
posted by Constance Mirabella to Technology
Best answer: MeFite deezil's profile is a standard go-to for complete eradication of any and all nastiness of this sort. Print off if necessary, and it's really handy to have a 2nd, uninfected computer to download these programs and be sure they aren't modified or blocked by a super-sneaky virus.
posted by filthy light thief at 8:37 PM on November 18, 2011 [12 favorites]

Best answer: Here's some info about what may have been downloaded. It's from just over a year ago.

And here is something more current.

I suggest using sysinternals/microsoft autoruns to see if any of the listed processes are running.
posted by bz at 8:38 PM on November 18, 2011

Best answer: You should be able to check your Trend Micro and Spy Sweeper logs to see if they caught it. Check under an advanced option for the logs. What type of file was it? If you still have the file, you can try uploading it to VirusTotal and see what the verdict is for about 45 anti-malware scanners all at once.

Even if Malwarebytes doesn't find anything on your computer, you can try a few other scans - I like Bitdefender too. If none of the scanners find anything, you should still monitor your computer for the next few weeks - do additional scans every few days for a while.
posted by gemmy at 10:19 PM on November 18, 2011

Best answer: Also, make sure your virus definitions are all up-to-date, possibly while in safe mode with network access.
posted by filthy light thief at 1:26 AM on November 19, 2011

Best answer: What do you mean when you say that Google tells you it is a trojan? If it is that the same text has been used before, then that doesn't tell you much about the nature of the attachment. A lot of virus writers re-use previously successful cover letters because they lack the social engineering skills to create their own.

The fact that both Yahoo's scanner and your copy of Trend didn't show any alerts suggests two possibilities. Either the virus is a dud (which does happen) or it's so recent that these products aren't detecting it. I haven't used Trend, but every other antivirus product I've used defaults to announcing when it detects a virus, so I doubt that the third possibility (it was a virus, but was silently dealt with) is likely.

Gemmy's advice about submitting it to an online virus checker is excellent (I'd suggest using Jotti's malware scan as well as VirusTotal), but if this is new, then you want to submit it again a few times over the next few weeks, as the antivirus signatures get updated over time.

You might also want to submit it to a few antivirus vendors for analysis. F-Prot Avira Sophos Trend That should speed up the process of getting it detected.
posted by Busy Old Fool at 2:27 AM on November 19, 2011

Best answer: For the future, use an hourly backup system like Time Capsule on the Mac. Then if you hit something like that, you can just restore your entire system from the previous backup, and any virus you may have downloaded will disappear.
posted by musofire at 6:13 AM on November 19, 2011 [2 favorites]

Response by poster: I Googled "e-mail from post office saying incorrect address" which led me to a bunch of links on how this was an e-mail with a trojan.

I would upload the attachment for analysis but I can't find the zip file anywhere on my laptop and I'm not going to download it just so I can upload it. My computer appears to be clean and I'm going to monitor it closely for the next few weeks. I'm going to mark all the answers as Best because everyone has been helpful.
posted by Constance Mirabella at 11:46 AM on November 19, 2011

I just got this exact same email (and almost opened it too!). In case the attachment is the same as the one you got, I uploaded it to VirusTotal, and they recognized it. Here's the report.
posted by eye of newt at 4:15 PM on November 19, 2011

Here's Jotti's scan result.
posted by eye of newt at 4:19 PM on November 19, 2011

Don't just go by the result of a single program. In my experience there is malware that some programs will catch and some won't.

Malware has gotten much worse in the past few years. Not only can it be maddeningly difficult to catch and remove, but it can update itself over the internet and even download and install new malware. I've known even Microsoft Security Essentials to miss things, and after your program says the malware has been removed, make sure to reboot and run another scan -- I've seen several infestations that simply could not be removed by specific programs even though they claimed to have removed it, each reboot revealing the program had survived.

A good indication I've found of whether you have malware is to run msconfig and check the startup list. If you have anything in that list that looks like a random jumble of characters it's almost certain to be malware. The acid test is to uncheck those entries and reboot, and see if a different random jumble of letters has been mysteriously added to the list. Because of this, I've known several pieces of malware to kill msconfig outright when it's started, in such a way that it looks like the program wasn't launched. That is also a pretty sure indication something is wrong.

When friends get caught by malware, unless I'm lucky and either MSE or MalwareBytes removes it, I usually end up having to make backups for them and restore from factory software. It is time-consuming but certain unless the factory restore image itself has been compromised -- I haven't seen that happen yet, but you just know someone's tried it. Many manufacturers (Compaq and Dell for certain) provide a factory-default image you can restore from by hitting F8 while Windows is booting (keep pressing it from when the boot logo appears until the text screen shows up), then choosing to Repair your computer. The System Restore option is usually the one that gives you access to the factory disk image, usually stored on a separate, sometimes invisible, disk partition.

There are supposed Linux LiveCDs that can scan for malware, which would have the advantage that there's nothing the program can do to actively defend itself from detection. Might be worth looking into. Apparently Kaspersky has a rescue disk that might fit the bill: http://support.kaspersky.com/faq/?qid=208282173 Note that Kaspersky is commercial software; I don't know if a registration key is needed to use this, I just found it on a Google search.
posted by JHarris at 7:17 PM on November 19, 2011
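The msconfig check JHarris describes above can be scripted so that the "uncheck, reboot, see what comes back" test is a diff rather than eyeballing. The following is an added example, not code from the thread or from any of the tools mentioned in it: it lists the common autostart locations (the Run/RunOnce registry keys and the two Startup folders), flags entry names that look like random jumbles, and compares against the snapshot from the previous run so anything re-added after a reboot stands out. The snapshot path and the "looks random" thresholds are assumptions of the example, and the heuristic will produce some false positives on terse vendor names; treat its hits as a triage list, not a verdict.

```powershell
# Added example, not from the thread: snapshot autostart entries, flag
# random-looking names, and diff against the previous snapshot.
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later).

$SnapshotPath = Join-Path $env:USERPROFILE 'autostart-snapshot.csv'   # assumed location

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-LooksRandom {
    param([string]$Text)
    # Heuristic only (an assumption, not a rule): a 6+ character name with no
    # vowels at all, or an 8+ character name mixing letters and digits.
    $s = ($Text -split '[\\/]')[-1] -replace '\.[^.]*$', ''   # file name, no extension
    if ($s.Length -lt 6) { return $false }
    $vowels = [regex]::Matches($s, '[aeiouAEIOU]').Count
    if ($vowels -eq 0) { return $true }
    return ($s.Length -ge 8) -and ($s -match '\d') -and ($s -match '[a-zA-Z]') -and ($s -match '^[a-zA-Z0-9]+$')
}

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are not values
            $cmd = [string]$p.Value
            # Pull the executable name out of the command line, ignoring quotes and arguments.
            $exe = if ($cmd -match '([^\\"/]+\.(exe|dll|scr|bat|cmd|vbs|js))') { $Matches[1] } else { '' }
            $entries += New-Object PSObject -Property @{
                Location   = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = (Test-LooksRandom $p.Name) -or (Test-LooksRandom $exe)
            }
        }
    }
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -Force | Where-Object { -not $_.PSIsContainer }) {
            $entries += New-Object PSObject -Property @{
                Location   = $folder
                Name       = $f.Name
                Command    = $f.FullName
                Suspicious = (Test-LooksRandom $f.Name)
            }
        }
    }
    return $entries
}

$current = Get-AutostartEntries

if (Test-Path $SnapshotPath) {
    $previous = Import-Csv $SnapshotPath
    # Anything present now that was not in the last snapshot is what msconfig's
    # "uncheck and reboot" test is looking for.
    $new = $current | Where-Object {
        $cur = $_
        -not ($previous | Where-Object { $_.Location -eq $cur.Location -and $_.Name -eq $cur.Name })
    }
    Write-Host "Entries not present in the previous snapshot:"
    $new | Format-Table Location, Name, Command -AutoSize
} else {
    Write-Host "No previous snapshot; writing one to $SnapshotPath"
}

Write-Host "Entries whose names look like random jumbles:"
$current | Where-Object { $_.Suspicious } | Format-Table Location, Name, Command -AutoSize

$current | Export-Csv -Path $SnapshotPath -NoTypeInformation
```

Run it once before unchecking the suspicious entries, reboot, and run it again: the first table shows what was re-added. It only covers the Run keys and Startup folders; services, scheduled tasks, drivers and the many other autostart points are exactly why the thread points at Sysinternals Autoruns for the full picture.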

I think that some of the Linux LiveCDs aren't labeled as such, but only as bootable virus/malware scanning CDs.

As for the Kaspersky CD/DVD/USB drive product, if this is the same thing (Softpedia link, a trusted shareware/freeware site), then it looks like that is one of the products Kaspersky offers for free (Softpedia list of Kaspersky products, many of which are trial-ware, but there are some freeware items further down the list).

And remember, if you can download and burn bootable discs from a known clean computer, do so.
posted by filthy light thief at 8:19 AM on November 20, 2011 [1 favorite]

Eye of Newt's report makes it clear that this is, as I suspected, a fairly new virus. Note that according to VirusTotal Trend and many others don't recognise it yet and the vendors who do are mostly just saying 'Yup, it's a virus' since they haven't had time to analyse it yet. For example, Comodo refers to it as 'Heur.Packed.Unknown' which means that they can see the executable is encrypted in a virusy way and they've figured out a signature, but that's as far as they've got. Sophos have figured out that it contacts some servers in Russia, but not a great deal more.

Anyway, Constance Mirabella, if Eye of Newt received the same email as you and you executed this attachment, then you are infected. Get thee to Deezil's profile or ask a geeky friend to work their way through it. Sorry to be the bearer of bad tidings.
posted by Busy Old Fool at 10:58 AM on November 20, 2011

As luck would have it I had to rescue a friend's system today.

The first thing I did, besides basic information gathering (asking him what happened) was to run the Kaspersky rescue disk on it. I had some trouble connecting to the internet to update it; apparently the Gentoo Linux distribution it ran on didn't recognize the wireless card, so I had to go somewhere with wired internet I could connect to. It took a while for it to update, and about two hours to run through a full hard drive scan once the update was complete.

It seems to have found all the malware (several bits -- apparently it was busy in the short period of time it was installed). It was one of those fake anti-virus things, and apparently as part of its schtick it deleted everything on his desktop and many things from his start menu, including his entire Accessories folder.

This is the point where if I had followed the directions in deezil's profile I would have made a mistake. I was able to use System Restore to regain most of the lost files without a reinfestation. Not all malware chooses to infest System Restore; in fact, I've never seen any that has, although my experience with malware is far from encyclopedic. It might use a restore point to hide, but I don't know if it's in authors' current ability to infest a restore image.

It helped here in that, if System Restore had reinfested the machine, since I had a known way to remove it I could have rerun the scan and removed it again, although with the slapdash way it deleted files I probably would have made use of the factory restore partition instead.
posted by JHarris at 3:32 AM on November 23, 2011

I've (hopefully) solved a similar problem today on an XP machine.

There were no desktop icons in one of the user accounts (that the virus had been run from) and many of the start menu items were missing. The folders were all still there, but many were empty.

The start menu items had been moved to c:\Documents and Settings\User\Local Settings\Temp\smtmp\1 and could be copied into the user's start menu folder. Note that Local Settings is hidden, so it might not appear as an icon, but if you type that into the address bar it may well be there. (This had confused me for a while; I had to search the disk for lnk files until I found where they were.)

This article seems to be about something similar: Trend Micro Link

The desktop icons had all disappeared but looking at the folders in explorer they were there. One of deezil's recommendations fixed this, I think it was SmitfraudFix.

I've run the rest of the tools in deezil's profile too, and several things have been picked up too.
posted by kg at 4:10 PM on November 27, 2011
