# 'trojan horse' in my computer - help !



## Silvera (20 Nov 2004)

Do any of you guys know how to remove a 'trojan horse' virus from a computer ?

I was abroad for many months recently and somebody using my computer may have opened a suspect email which allowed this virus in.

I have the AVG anti-virus (free version) in my computer but it doesn't seem to have done its job in this case ?!?

I have used the AVG program, and a couple of others from the net, but the 'trojan' is still there ?

(It flashed up on my screen that my computer was infected with a trojan, that's the only reason I know about it. I'm not very knowledgeable about computers).

Help !


----------



## sueellen (20 Nov 2004)

Would anything contained here help 

This previous thread mentions something similar


----------



## Silvera (20 Nov 2004)

*trojan*

Thanks sueellen.

Has anybody had a similar trojan virus ?
(Mine is - C:\WINDOWS\cwp00reap3.exe).


----------



## sueellen (20 Nov 2004)

Hi Silvera,

That is the name of the program rather than the specific trojan.  When the anti-virus warns you about the trojan does it mention any specific name rather than just trojan horse?


----------



## euroDilbert (20 Nov 2004)

I am not an expert, but I think the following is accurate :

(1) Most current anti-virus programs will not protect you against trojans

(2) The display you see saying you have a trojan, may just be a 'pop-up' ad from a company trying to get you to buy their software (or even to _actually install_ a trojan)

(3) I am currently trying out anti-trojan software on a 30-day trial, but have since come across [broken link removed] from the very useful site www.techsupportalert.com/

It's free, but the memory-scanner stops after 14 days, and you need to scan manually from then on.


----------



## PadraigL (20 Nov 2004)

If you type in the name of the trojan into google you may get a fix.
Otherwise this is a good site to try.
www.bleepingcomputer.com/


----------



## Silvera (21 Nov 2004)

*trojan*

I have tried (with no success!)......

Adware,
Stinger,
Zonealarm,
Fluxscan,
ewido (thanks euroDilbert, it wouldn't work for me. Said it needed Windows 2000 or higher - I have Windows ME.)

It is definitely IN my computer, not just a pop-up ad.
When I start up, my AVG resident shield shows a red display which says 'Trojan Dropper', and gives the option to "Heal" - which I do - but it is still there when I start up next time ???


----------



## euroDilbert (21 Nov 2004)

*Re: trojan*

TrojanHunter is the one I am trying. Works well for me.

The web page says it should work with ME - so maybe it might help.


----------



## Silvera (21 Nov 2004)

*trojans*

Ok, I've tried the TrojanHunter program that you recommended.

I downloaded it, ran the full system scan, it showed up 2 x Trojans and then asked if I wanted them 'cleaned' -which I proceeded to do.

I then ran another full scan and most of the trojans are reappearing ??! ........Aghhh !!

This is getting really frustrating !!!

The trojans are -

Trojan Horse Backdoor.Agent.2.H
Trojan Horse Downloader.Nex.B
Trojan Horse Startpage.11.J
Trojan Horse Dropper.Krepper.F
Trojan Horse Startpage.7.BM
Trojan Horse Dropper.Agent.Y


Somebody Helllllllllpp please  !!!!!!!!


----------



## Silvera (21 Nov 2004)

*trojans*

I've just run a fourth full system scan, and as the scan is proceeding, my AVG resident shield has shown up on the screen several times warning of the Trojan Horses listed above.............however the TrojanHunter program has just completed and states 'no trojans found' (it did exactly the same 3 times before that?!!) ??????????


Aghhhh !!!!!!!!


----------



## sueellen (21 Nov 2004)

Hi Silvera,

Sorry to hear you are still having problems.  If you run your full list thru Google the following comes up for just the first on the list  

You could look at this [broken link removed] and see if it helps.

HTH.


----------



## gerry (21 Nov 2004)

*Re: trojans*

Have a look [broken link removed] for possible solutions or post a thread and someone around the world will have an answer !


----------



## dannymur (21 Nov 2004)

*Re: trojans*

check out this: Avg New remover tool

requires restart in safe mode.

some help here, also:

www.newbie.org/help/messages/34444.html


----------



## ClubMan (22 Nov 2004)

*Re: trojan*

> I have tried (with no success!)......
>
> Adware,
> Stinger,
> Zonealarm,
> Fluxscan,
> ewido (thanks euroDilbert, it wouldn't work for me. Said it needed Windows 2000 or higher - I have Windows ME.)
>
> It is definitely IN my computer, not just a pop-up ad.
> When I start up, my AVG resident shield shows a red display which says 'Trojan Dropper', and gives the option to "Heal" - which I do - but it is still there when I start up next time ???

You really need to understand a bit about viruses, trojans, adware etc. and then understand what tools tackle which problem (e.g. you mention _ZoneAlarm_ above but it is a firewall and not a virus scanner or the like) before plunging in and expecting to correct the problem(s). It might be worth reading some of the tutorials on Howstuffworks.com, for example How computer viruses work, How firewalls work etc.

*(1) Most current anti-virus programs will not protect you against trojans*

This is not true. A trojan is just (potentially) a particular class of virus. Most antivirus programs will protect you from trojan infections. Of course it also makes sense to run a firewall in order to protect against the operation (e.g. unauthorised connections into/out of your PC) of a trojan should one slip through. Of course, in its purest sense, a trojan is simply a program which claims to do one thing but actually does another.


----------



## Silvera (22 Nov 2004)

*trojans*

I have been trying what people have recommended to me, ClubMan.


dannymur,
what do you mean by restarting in 'safe mode' ?

do you mean with the 'system restore' function disabled ?

I have done this and run a full AVG scan, which tells me that I have 3 trojans. When I click on 'move to virus vault' as recommended, my computer tells me these files 'cannot be deleted/removed' ????????????


----------



## XXXAnother PersonXXX (22 Nov 2004)

*Re: trojans*

If you cannot delete or move the files it's probably because they are in use. You have to stop the processes first, and then delete or move them.

To stop the process, do ctrl-alt-delete to activate the task manager. See what processes are running, and stop the ones causing the problems.

(This mightn't work)


----------



## ClubMan (22 Nov 2004)

*Re: trojans*

_Google_ will explain the technical terms thrown up above but I'll probably be berated yet again for suggesting that people understand what they're doing before doing it... :rolleyes


----------



## car (22 Nov 2004)

*berate*

*Google will explain the technical terms thrown up above but I'll probably be berated yet again for suggesting that people understand what they're doing before doing it... :rolleyes*

I think people that berate when you go back to basics know how to do things automatically, e.g. _google_ for solutions, and don't subscribe to the KISS principle and think they're being treated condascendingly.  Your solutions/answers/directions are excellent and do subscribe to the KISS principle as any good support person's solutions would and should do.

But... do you have to keep using the :rolleyes  smiley.  Now, that's really condascending.  A smiley should be a   or a :lol  and that's it. hrumph.


----------



## dannymur (22 Nov 2004)

*Re: trojans*

firstly, disable System Restore:



Update the virus definitions.

Restart the computer in Safe mode.



note!!!!  [If your computer has been infected with some worms and Trojans, the System Configuration Utility will not work. In this case, using the F8 key will be the only option.]



> To use the F8 method:
> 
> Restart the computer.
> 
> ...



Run a full system scan and delete all the files detected as Trojan horse. 

Delete any values that were added to the registry. 

Windows 95/98/Me only: Remove any references to the infected files, which the Trojan added to the Win.ini and System.ini files. 

Clear the Temporary Internet Files folder, if required.

see also here for Win ME:

[broken link removed]

last resort!!

try this


----------
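The Win.ini / System.ini step in the post above, as an added example that is not part of the original thread: Python that lists every program a Windows 95/98/Me machine starts from those two files and picks out the entries that point at a file the scanner reported. It assumes the two files have been copied off the machine and read as text; the sample contents are constructed, and the idea that `cwp00reap3.exe` registered itself this way is an assumption made for illustration.

```python
import re

# Keys that make Windows 95/98/Me launch programs at startup.
AUTOSTART_KEYS = {"windows": ("load", "run"), "boot": ("shell",)}
DEFAULT_SHELL = "explorer.exe"  # the normal, expected shell= value

def parse_ini(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections

def autostart_entries(text):
    """List (section, key, program) for each program started from this file."""
    sections, found = parse_ini(text), []
    for section, keys in AUTOSTART_KEYS.items():
        for key in keys:
            value = sections.get(section, {}).get(key, "")
            # load=/run= hold space- or comma-separated lists, and extra
            # programs can be appended after Explorer.exe on shell=.
            # Limitation: a path containing spaces is split into pieces.
            for program in re.split(r"[,\s]+", value):
                if program and program.lower() != DEFAULT_SHELL:
                    found.append((section, key, program))
    return found

def references_to(text, reported_names):
    """Autostart entries whose file name matches one the scanner reported."""
    wanted = {name.lower() for name in reported_names}
    return [entry for entry in autostart_entries(text)
            if entry[2].replace("/", "\\").rsplit("\\", 1)[-1].lower() in wanted]

# Constructed sample files (not taken from the poster's machine).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\cwp00reap3.exe
NullPort=None
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe cwp00reap3.exe
system.drv=system.drv
"""

if __name__ == "__main__":
    for name, text in (("WIN.INI", SAMPLE_WIN_INI), ("SYSTEM.INI", SAMPLE_SYSTEM_INI)):
        for section, key, program in references_to(text, ["cwp00reap3.exe"]):
            print(f"{name} [{section}] {key}= starts {program}")
```

Any entry it reports is a line to edit out of the file after the scan has dealt with the program itself; a clean `shell=Explorer.exe` produces no output.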



## ClubMan (22 Nov 2004)

*Re: berate*

*Now, that's really condascending.*

No - condescending would be drawing attention to other people's spelling mistakes.


----------



## car (22 Nov 2004)

*condescending*

  I'll let you away with that one.


----------



## euroDilbert (23 Nov 2004)

*Re: Trojans*



> (1) Most current anti-virus programs will not protect you against trojans
>
> This is not true. A trojan is just (potentially) a particular class of virus. Most antivirus programs will protect you from trojan infections. Of course it also makes sense to run a firewall in order to protect against the operation (e.g. unauthorised connections into/out of your PC) of a trojan should one slip through. Of course, in its purest sense, a trojan is simply a program which claims to do one thing but actually does another.



Sorry ClubMan, but I have to disagree. Trojans have behaviour different from viruses. Some Anti-virus programs may stop some of them, but they can take many forms.


See www.anti-trojan-software-reviews.com/ or www.irchelp.org/irchelp/security/trojanterms.html

BTW, I'm not arguing about terminology here. I just think you need to protect against both. Personally, I think you need at least 3 levels of security + Common Sense.

(1) Firewall
(2) Anti-Virus
(3) Anti-Trojan

A real PITA, but that's the way the online world is these days.


----------



## Dr Moriarty (23 Nov 2004)

*Re: Trojans*

_Moi_, frankly, I just took dannymur's 'last resort' advice, downloaded the free trial version of 'Trojan-a*se-whupper', ran it, and it cleared up the problem that my workplace's (no doubt expensively-bought) AntiVirus systems were signally failing to get rid of...

Bingo! — problem solved; thanks again, dannymur!  

Dr. M.


----------



## ClubMan (23 Nov 2004)

*Re: Trojans*

*Sorry ClubMan, but I have to disagree. Trojans have behaviour different from viruses. Some Anti-virus programs may stop some of them, but they can take many forms.*

Fair enough - I stand corrected.


----------



## setanta (23 Nov 2004)

*Re: condescending*

I admit to knowing very little about trojans etc. but upon reading this I checked with my virus checker and discovered that a number of backdoor trojans appear to have been discovered and protected against in the past week. One today. I have two adware thingys that show up when I scan and Norton can't delete them but they don't appear to be doing any harm. They are there because of Kazaa which I have since removed (despite wailing and tantrum throwing etc.). Should I just leave them alone? They are there for nearly a year now and appear harmless. Also noticed that pop-ups have ceased since I deleted said Kazaa.


----------



## car (23 Nov 2004)

*2 cents on the adware software*

I have a home pc, that for a while I haven't bothered to clean to see what kind of malware would get in.
I've used both mozilla and IE on a win2000 install on a broadband connection without a firewall or AV software.
Last weekend, I ran adaware 6 first and then spybot and both found a few stray dogs hanging around. Spybot found some that Adaware didn't. I then ran AVG which found nothing.
However, now thinking it was clean, I ran a full version of a product called x-cleaner.  It has an adware cleaner on it, it found 2 adware programs that the other 2 didn't.  I ran spywareblaster and it found none.  What does this tell me?  One piece of adware SW isn't enough as there must be as many adware programs as there are removal tools.  My recommendation would be to run as many as you can get your hands on if you're worried.
There's a biggish list of removal tools on this link, I'll update the clean pc post with this link for posterity. here.


----------



## dannymur (23 Nov 2004)

*Re: Trojans*



> Bingo! — problem solved; thanks again, dannymur!



Don't mention it.

glad somebody was helped by my hastily put-together post on the dreaded capall Trojan  

Some day I might need a Doctor


----------



## Dr Moriarty (23 Nov 2004)

*Re: the dreaded capall Trojan*

...is back, I'm afraid!
Tenacious little buggers, aren't they?  

_(Hope you don't need my services, dannymur — I'm only the 'of-Philosophy' kind of Doctor!)_


----------



## ajapale (23 Nov 2004)

*'false positive' results in trojan hunt?*

Have you considered the possibility that you might be getting 'false positive' results in your trojan hunts?

Google Search Strategy ("false positive" trojan)

ajapale


----------



## Silvera (25 Nov 2004)

*trojans*

Thanks a million for all the help folks !!!
It's much appreciated !

I downloaded a trojan remover that dannymur(?) listed and when I re-scanned with my AVG virus protection all seemed well.

However,
About an hour later my Sygate Firewall appeared on screen telling me that "somebody is scanning your computer" ???

So when I looked in the Sygate log listing, it shows that somebody is trying to access/scan my computer.

It has just done it again - said "Port Scan Logged" ???

What does this mean ?
Is somebody trying to use my computer to make premium rate calls or what ?

It lists the attacking IP address.
Is it possible to find out where this address is from ?

Cheers,
Silvera.


----------



## ClubMan (25 Nov 2004)

*Re: trojans*

*What does this mean ?
Is somebody trying to use my computer to make premium rate calls or what ?*

Not necessarily. It could be innocuous. Or it may not be. It may be a suspected or it may be an actual . At least your firewall seems to have caught it just in case. A lot of network/internet activity happens unbeknownst to the user and not obviously related to end user/on screen activity. When seemingly mysterious activity such as this crops up then it's worth investigating it to determine the cause and, if it's innocuous and required for normal functioning of the system, to reconfigure the firewall to allow the relevant traffic in or out or both. If in doubt keep it out though. That's a key approach when securing a PC/LAN - lock it down and only permit traffic if absolutely required.

*It lists the attacking IP address.
Is it possible to find out where this address is from ?*

Possibly - enter the IP address into the _IPWHOIS Lookup_ form here (third form down in the middle column) and see what it resolves to. Does the log mention what port the activity is on?


----------



## Silvera (28 Nov 2004)

*trojans viruses malware.........*

I'm at my wits end with this computer of mine !!!!!!!!!!

I've downloaded so many 'spyware removers', 'trojan removers' etc etc etc etc..............and there is still something in the system !!!!!!!!!

The latest program I have downloaded is SpyBot and it informs me that I have 44 infected files (the last program told me I have/had 21) - BUT it would not remove the infected files unless I paid a fee !!!!!!!

Most of the infected files seem to be "Program Files\common files\" that are also used by other programme files in my computer.

E.g. one infected file was listed as "C:\Program Files\avoe\att"
When I looked up the file it is a legitimate system installed in my computer since I bought it ???????

I reckon I may call in a professional (though I can't really afford to) !

or should I take out the hard drive and bring it to a computer specialist (that's if I can extract the drive with ease) ?????


----------



## Silvera (28 Nov 2004)

*trojans viruses malware.........*

.......and on top of everything else the viruses are blocking my access to my Yahoo email accounts AND I keep getting pop up notices that my internet access is only available through 'Port 1900' or 'Port 8080' etc etc etc

(And Esat were no help when I phoned them.)


----------



## Max Hopper (28 Nov 2004)

Given the number of uninvited gremlins, you must be a big one for 'free' software.

Is there a lesson to be learned here? Why are you affronted by a programmer's request for payment to rid your computer of problems of your own doing? The freebie applications are simply extracting their price, too.

It's time to stump-up the dosh and realise that nothing in this life is without a cost.


----------



## ClubMan (28 Nov 2004)

If I was having such problems and could not eradicate them then I'd seriously consider backing up any important (data) files (having scanned them for viruses etc.) and doing a complete reinstall of the operating system and applications from the original installation CDs. Then I would ensure from the start that I had adequate (firewall, virus, adware etc.) protection.

*and on top of everything else the viruses are blocking my access to my Yahoo email accounts AND I keep getting pop up notices that my internet access is only available through 'Port 1900' or 'Port 8080' etc etc etc*

Are you sure that this is actually a virus and not simply your firewall doing its job? Firewalls will generally lock down all access from/to your PC (and even "self contained" _TCP/IP_ activity within your PC!) and only allow it when specifically told. After installation of a firewall there is generally a period of tuning/configuration required in order to allow necessary traffic (e.g. for web browsing, email etc.) while keeping everything else locked down.

*(And Esat were no help when I phoned them.)*

To be fair, general support for PC problems is not really their responsibility unless you have purchased such support from them.


----------



## car (29 Nov 2004)

*files*

> Most of the infected files seem to be "Program Files\common files\" that are also used by other programme files in my computer.
>
> E.g. one infected file was listed as "C:\Program Files\avoe\att"
> When I looked up the file it is a legitimate system installed in my computer since I bought it ???????

Max has a very good point here.

You have enough savvy to check what an infected file is before you delete it, but now you think it's a valid file and you don't know what's going on, you're probably thinking your spyware cleaner isn't working properly.

Some adware writers use modified versions of installed exes and dlls to do their dirty work.  That way, it puts the sh*ts up the inexperienced user when you go to delete the files. ie, You.

If you're going to use freeware, be prepared to have to clean regularly.   If you're getting regular problems and your free cleaners ain't doing the job and you don't have enough knowledge to deal with your pc problems, shell out and pay for a professional version of whatever will do the job for you.  Treat it no different than if you had a problem with your car.


----------



## ClubMan (29 Nov 2004)

*Re: files*

*Treat it no different than if you had a problem with your car.*

And in this case you may need a full service/overhaul (e.g. a reinstall) rather than just an oil change (e.g. cleanout of parasites)!


----------

