How do I know if I managed to completely remove an undetected trojan?

Posted by ubuntuisbetter on Super User
Published on 2010-03-13T11:20:47Z

I caught a trojan that uses explorer.exe to reproduce itself whenever its autostart entry or its main exe file in Programs/x is deleted.

It had already tried to contact a suspicious server through explorer.exe; I blocked that via my firewall.

I:

  • Removed the autostart entries from the registry
  • Looked through my services if there was anything suspicious
  • Deleted the trojan from Programs/
  • Went through System Volume Information to find a 2-month-old explorer.exe and replaced the possibly infected one.

There are no suspicious processes running anymore (no duplicate explorer.exe), and nothing tries to connect to the trojan owner's server either.

I checked my system with several anti-malware programs too.

What the trojan did:

  • Started a second explorer.exe
  • Whenever I deleted the main trojan exe file, it was reproduced (by the second explorer.exe)
  • Whenever I deleted the autostart entry, it was reproduced by that explorer.exe too.

When I terminated the suspicious explorer.exe, which used only half as much memory as the less suspicious one from Windows, a strange thing that I know from the computers in my Informatics class happened:

A window popped up in the top left of my explorer-less desktop, titled "Personal settings for ... are ..." that obviously copied some files. Then both explorer.exes started again and the trojan was everywhere again.

  • What did the trojan actually do to get explorer to rescue it?
  • Is my PC clean of this newish trojan now?
  • What are the other locations I should check for the trojan?
  • The trojan doesn't seem very high-level; could it have changed other system files, or is the autostart entry vital for it?

Thanks in advance, your trojan-paranoid friend (getting Linux in a week)
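As an added example (not part of the original question), this PowerShell script checks for the two symptoms the post describes from the defender's side: a second explorer.exe running from somewhere other than the Windows directory, and autostart entries in the Run/RunOnce registry keys that reappear after cleanup. It assumes Windows with PowerShell 3.0 or later and should be run from an elevated prompt; the signature column is informational only, because on older Windows releases explorer.exe is catalog-signed and may show NotSigned even when genuine.

```powershell
# Added example, not from the original post. Assumes Windows, PowerShell 3+,
# elevated prompt. The primary signal is the image path: the real shell runs
# from %SystemRoot%\explorer.exe. Signature status is shown as extra context.

$expectedPath = Join-Path $env:SystemRoot 'explorer.exe'

function Get-ExplorerProcessReport {
    Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $sig = $null
        if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath
        }
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Path       = $_.ExecutablePath
            ParentPid  = $_.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            SigStatus  = if ($sig) { $sig.Status } else { 'unknown' }
            # -ne is case-insensitive in PowerShell, so path casing does not matter.
            Suspicious = ($_.ExecutablePath -ne $expectedPath)
        }
    }
}

function Get-RunKeyReport {
    # The common per-machine and per-user autostart keys the post refers to.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-ExplorerProcessReport | Format-Table -AutoSize
Get-RunKeyReport | Format-Table -AutoSize
```

Run the second report before and after terminating any duplicate explorer.exe; an entry that is re-created between the two runs points at the process that restores it.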
