How do I know if I managed to completely remove an undetected trojan?
- by ubuntuisbetter
I caught a trojan that uses explorer.exe to reproduce itself whenever its autostart entry or its main exe file in Programs/x is deleted.
It had already tried to contact a suspicious server via explorer.exe; I blocked that with my firewall.
I:
Removed the autostart entries from the registry
Looked through my services to see if there was anything suspicious
Deleted the trojan from Programs/
Went through System Volume Information to find a 2-month-old explorer.exe and replaced the possibly infected one with it.
There are no suspicious processes running anymore (no duplicate explorer.exe), and nothing tries to connect to the trojan owner's server either.
I checked my system with several anti-malware programs too.
What the trojan did:
Started a second explorer.exe
Whenever I deleted the main trojan exe file, it was reproduced (by the second explorer.exe).
Whenever I deleted the autostart entry, it was reproduced by that explorer.exe too.
When I terminated the suspicious explorer.exe, which used only half as much memory as the less suspicious one from Windows, something strange happened that I know from the computers in my informatics class:
A window popped up in the top left of my explorer-less desktop, titled "Personal settings for ... are ...", which obviously copied some files.
Then both explorer.exes started again and the trojan was everywhere again.
What did the trojan actually do to get explorer to rescue it?
Is my PC clean of this newish trojan now?
What are the other locations I should check for the trojan?
The trojan doesn't seem very high-level; could it have changed other system files, or is the autostart entry vital for it?
Thanks in advance,
Your trojan-paranoid friend
(Getting Linux in a week)
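The locations the poster checked by hand (registry autostart entries, services, the explorer.exe binary) plus the other standard Windows autostart points can be inventoried in one PowerShell pass. This is an added example, not code from the original post, and it is not specific to the trojan described. It assumes a Windows host with PowerShell 5.1 or later and treats `%SystemRoot%\explorer.exe` as the only expected path for an explorer.exe process; the function names are this example's own.

```powershell
# Added example: inventory common Windows autostart locations and sanity-check
# every running explorer.exe. Assumes PowerShell 5.1+; run from an elevated
# prompt so HKLM and all services/tasks are readable.

function Get-RegistryAutostarts {
    # Run/RunOnce keys for machine and user, 32-bit view included, plus the
    # Winlogon Shell/Userinit values, which control what is launched at logon.
    # Default Winlogon values are Shell = "explorer.exe" and
    # Userinit = "C:\Windows\system32\userinit.exe,"; anything else deserves a look.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
        foreach ($p in $props.PSObject.Properties) {
            # For Winlogon only the launch-related values matter.
            if ($key -like '*Winlogon' -and $p.Name -notin @('Shell', 'Userinit')) { continue }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-StartupFolderItems {
    # Per-user and all-users Startup folders.
    $folders = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -Force | ForEach-Object {
                [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Get-AutoStartServices {
    # Services set to start automatically; the PathName is the binary that runs.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, State, PathName
}

function Get-EnabledScheduledTasks {
    # Scheduled tasks are a common autostart point that the Run keys never show.
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        [pscustomobject]@{ TaskPath = $_.TaskPath; TaskName = $_.TaskName; Action = $actions }
    }
}

function Test-ExplorerProcesses {
    # Every explorer.exe process: its on-disk path, whether that path is the
    # expected one, its Authenticode status, SHA-256 and memory use. On older
    # Windows versions catalog-signed OS binaries can report NotSigned, so the
    # hash (compared against a known-good copy) is the more reliable check there.
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Pid          = $_.Id
            Path         = $_.Path
            ExpectedPath = ($_.Path -ieq $expected)
            Signature    = $sig.Status
            Signer       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256       = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
        }
    }
}

'== Registry autostarts ==';  Get-RegistryAutostarts   | Format-Table -AutoSize
'== Startup folders =='    ;  Get-StartupFolderItems   | Format-Table -AutoSize
'== Auto-start services ==';  Get-AutoStartServices    | Format-Table -AutoSize
'== Scheduled tasks =='    ;  Get-EnabledScheduledTasks | Format-Table -AutoSize
'== explorer.exe processes =='; Test-ExplorerProcesses | Format-List
```

Two of the outputs are the ones to read closely: a second explorer.exe whose `Path` is not `%SystemRoot%\explorer.exe`, or whose signature is invalid, and a Winlogon `Shell` or `Userinit` value that is not the default. This script only covers the well-known autostart points; Sysinternals Autoruns enumerates many more (drivers, Winsock providers, WMI subscriptions, Explorer shell extensions) and is the tool to reach for after a hand check like this.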