How to remove a trojan detected

Discussion in 'Trojan Defence Suite' started by Raptor, Jun 24, 2004.

Thread Status:
Not open for further replies.
  1. Raptor

    Raptor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Dumb question.....but I just want to be sure. I installed and ran TDS3 and it detected a few Trojans on my computer. To remove them do I just right click on the detected Trojan and Delete file? Is there anything else I should be doing? I would appreciate the help. Thanks.
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Raptor, welcome to the forum...

    Nope, not a dumb question at all.

    First, you need to determine that they actually are trojans.

    I suggest go to that window where the reported trojans are, Right Click and Select 'Save as Text'. You will see a path where it saves it.

    It asks if you would like to view this file now, say yes.. Then copy/paste report back here for someone to give an opinion on..

    alternatively you could select "Submit File" to send back to DCS team.

    Make a note of the file name, check your Task Manager [Ctrl/Shift/Esc, if running XP] and see if it's a running process. If so, Right click on the file and select End Process and await an answer in here. If it's actually a running process, selecting delete file probably will not work, as the file is in use.

    But let the experts help you with it. I am fortunate enough to have never had to make that decision. :)

    See my pic.. got a report [this is a Test File for checking my Firewall], but because it behaves like a trojan, it is detected; but note the [Not a Trojan], TDS is only alerting on the fact it's trojan-like.

    Cheers, TAS
     


  3. Raptor

    Raptor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Thanks for the prompt response Tassie. Assuming the file on my computer is a confirmed Trojan, then to remove it do I just right click and Delete file, or does something else need to be done?? I have already deleted some of them since I was positive they were Trojans (AVG detected them also), so I just want to be sure if I need to do anything else after they have been deleted?
    Help greatly appreciated. Thanks.
     
  4. Raptor

    Raptor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    ...Just to elaborate a little more...do I need to do things like Empty Recycling Bin, reboot etc.?
    Thanks.
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Check to see if they were running processes in Task Manager.

    If so, stop them. Then, as long as you are SURE they are trojans, try deleting them.

    Just hold off from emptying the bin for a bit [the scan may redetect them in there, but at least you know what they are].

    Reboot.

    Check TM again, if files back running, then something is being regenerated.

    Rescan and see if anything found, this time do the right click and Save as text as I posted above and copy/paste/post it back in here.

    If you do get a re-occurrence, post back here and further advice will be given.

    You may be requested to do a HijackThis log file to post [but NOT in this thread] to be checked by experts to help further.

    Also, seeing you say they were detected by AVG, it's quite possible then that they are, but you can do a Google search using the filenames of the detected files. In any case, do the above and repost back here.

    Unfortunately, I am way past bedtime, so am off. Hopefully someone in here will help further. Actually they WILL help in here. :D

    Cheers, TAS
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    PS:

    Go here... Upload the file to Kaspersky's, it will tell you :D

    http://www.kaspersky.com/scanforvirus

    and.....

    http://www.sysinfo.org/startuplist.php

    type in the file eg: xcsbv.exe in search..

    It gives a bit of a rundown on what each is...

    The status column indicates what it is in relation to start-up..

    Y=Yes, normal to run
    N=Not necessary
    U=User's choice, can disable or leave.
    now...

    X=It's malware, spyware, virus/trojan related... but.. you need to verify before simply killing the process. But at least it's a start..

    ?=unknown.

    Also.. go to any Anti-virus vendor's pages and put in the file name in search.. they will soon tell you..

    HTH
    Cheers, TAS
     
  7. Raptor

    Raptor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Thanks for all the info TAS. Here is the log:

    Scan Control Dumped @ 21:40:36 24-06-04
    Suspicious Filename: Dual extensions
    File: c:\documents and settings\jjaaj\my documents\tv\trillian-v0.74d.exe

    Suspicious Filename: Dual extensions
    File: c:\winnt\system32\lexpps.old.exe

    I am not too sure about the lexpps.old.exe. Is this a trojan? Should I delete this?

    Thanks again.
     
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hello Raptor

    LOL.. no worries mate.. that first one.. trillian... you have Trillian chat program [as do I].. and that's ONLY alerting you to the fact it has "dual" [more than 1] EXTENSIONS... Nothing to worry about...

    Now, the reason TDS [same as WormGuard will also] is alerting on that, is because some nasties can come in the form of 'dual' extensions [meaning that the full point/full stop [.] is shown in the file.. as in trillian-v0 [ . ] 74d [ . ] exe].

    Someone sends you email.. says have a look at this funny pic.

    EG: funny.jpg.exe [see, dual extensions] you take no notice of the .exe and only "see" funny.jpg without thinking, and click and wham.. infected... as the TRUE extension is really .exe not .jpg.

    You may be saying, ok I am not "that" dumb, I would see that, but.... sometimes the dual extensions will be accompanied by LOTS of spaces between the .jpg and .exe [funny.jpg LOTS of spaces--------- .exe], so if you see that in the preview/window pane... the lots of spaces "pushes" the .exe OUT of your view.. you only see funny.jpg. Understand?

    Now... the last one.. lexpps.old.exe ... looks like it *could* be from a Lexmark Printer [do you have that?]. Once again it's merely alerting you to the Dual Extensions, nothing else.
    But given the fact it's living in your system32 folder, you need to try to find out.

    OK.. found something...

    http://computing.net/windowsme/wwwboard/forum/33835.html

    Now it appears to be Lexmark printer as I thought, AND it looks like it had been renamed... but in the process not done in usual manner.

    Sometimes to stop something from running but you do not want to delete you simply add ".old" on end.

    In your case it looks like the .old was added in between. Same result.. just not the usual way.

    If you did have Lexmark [or still do] and everything is fine.. just leave it.

    HTH.

    Cheers, TAS
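    To make the dual-extension heuristic TAS describes concrete, here is an added example (not TDS-3 or DiamondCS code) that triages the "File:" lines of a saved TDS report the way a reviewer would by hand: a second extension on its own is only a "review" item (trillian-v0.74d.exe, lexpps.old.exe), while a decoy extension such as .jpg or whitespace padding in front of a true executable extension is flagged "high". The extension lists, the verdict names and the third report entry under c:\temp are constructed for the example.

```python
"""Triage of TDS-3 style 'Suspicious Filename: Dual extensions' alerts (added example)."""
import re

# A file whose TRUE (final) extension is one of these runs as code on Windows (constructed list).
EXECUTABLE_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# Innocuous-looking extensions typically used as the decoy in 'funny.jpg.exe' (constructed list).
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "mp3", "avi"}

def analyze_filename(path):
    """Classify one path as 'ok', 'review' (dual extension, plausibly benign)
    or 'high' (decoy extension or whitespace padding in front of an executable extension)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    tokens = name.split(".")
    raw_exts = tokens[1:]                           # every token after the first dot
    exts = [t.strip().lower() for t in raw_exts]    # strip() undoes the space-padding trick
    true_ext = exts[-1] if exts else ""             # what Windows actually executes
    dual = len(exts) >= 2
    padded = any(t != t.strip() for t in raw_exts)  # 'funny.jpg        .exe' pushes .exe out of view
    decoy = dual and exts[-2] in DECOY_EXTS         # 'funny.jpg.exe': harmless-looking middle extension
    if true_ext in EXECUTABLE_EXTS and (decoy or padded):
        verdict = "high"
    elif dual:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name.strip(), "true_ext": true_ext, "dual": dual,
            "padded": padded, "verdict": verdict}

# Matches the 'File: <path>' lines of a TDS-3 'Save as Text' dump.
FILE_LINE = re.compile(r"^\s*File:\s*(.+?)\s*$", re.MULTILINE)

def triage_report(report_text):
    """Return [(path, verdict), ...] for every 'File:' line, in report order."""
    return [(p, analyze_filename(p)["verdict"]) for p in FILE_LINE.findall(report_text)]

# Constructed sample: the two entries from the thread plus one padded decoy name.
SAMPLE_REPORT = """Scan Control Dumped @ 21:40:36 24-06-04
Suspicious Filename: Dual extensions
File: c:\\documents and settings\\jjaaj\\my documents\\tv\\trillian-v0.74d.exe

Suspicious Filename: Dual extensions
File: c:\\winnt\\system32\\lexpps.old.exe

Suspicious Filename: Dual extensions
File: c:\\temp\\funny.jpg                      .exe
"""

if __name__ == "__main__":
    for path, verdict in triage_report(SAMPLE_REPORT):
        print(f"{verdict:6} {path}")
```

    The "review" verdict is where TAS's manual checks (is it a known program, is it running in Task Manager, what do the vendor and startup-list lookups say) still have to be done; the script only sorts the list.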
     
  9. Raptor

    Raptor Registered Member

    Joined:
    Jun 24, 2004
    Posts:
    5
    Thanks mate. Appreciate the help.
     