Trojan Found - Do I need to do a complete reinstall?

Tim

I updated my virus detection file and found two viruses on my computer:
VBS/Psyme & Exploit-MhtRedir.gen. From what I read, these are trojans that
can download some other piece of software that wouldn't get detected by my
AV detector. If that's the case, my computer might now have some lurking
demon - a keystroke monitor / uploader etc. Should I do a complete
reinstall to be safe?

On the other hand, I would imagine that the trojan author would have his
secondary piece of software delete the trojan to cover his tracks. Any
thoughts?

Thanks!
 
Tim

Does WinXP's go-back feature do a complete rewrite of all prior files or do
a check on all prior file checksums? My guess is not. So your solution
wouldn't work for a Trojan that modified some file unrelated to the OS, say
a plug-in or an application file. How can I be certain that no file has
been compromised?

BTW, I have Win2K. Thanks again.
 
Jason Wade

> I updated my virus detection file and found two viruses on my computer:
> VBS/Psyme & Exploit-MhtRedir.gen. From what I read, these are trojans
> that can download some other piece of software that wouldn't get
> detected by my AV detector. If that's the case, my computer might now
> have some lurking demon - a keystroke monitor / uploader etc. Should I
> do a complete reinstall to be safe?

yes

> On the other hand, I would imagine that the trojan author would have his
> secondary piece of software delete the trojan to cover his tracks. Any
> thoughts?
>
> Thanks!

no, usually trojans do not automatically delete themselves.

They make themselves as difficult to delete as possible. Some even prevent
you from backing up so that you can't delete them without losing
everything.

If you think you have a trojan, you need to get it off your system ASAP.

If you do reinstall, I suggest installing linux alongside windows. You'll
have a backup OS for times when windows gets messed up.

That's what I did.

good luck and safe computing
 
Tim

Jason Wade said:
> no, usually trojans do not automatically delete themselves.
>
> They make themselves as difficult to delete as possible. Some even prevent
> you from backing up so that you can't delete them without losing
> everything.
>
> If you think you have a trojan, you need to get it off your system ASAP.
>
> If you do reinstall, I suggest installing linux alongside windows. You'll
> have a backup OS for times when windows gets messed up.
>
> That's what I did.
>
> good luck and safe computing

I have a major amount of time invested in the installation of programs, OS
updates etc on my system. I'd hate to go through the process again! If I
install a software firewall like ZoneAlert to tell me if something is
accessing the internet without my permission, will that suffice?

From my understanding, viruses make themselves hard to delete. But a trojan
delivers an insidious payload. And I would think that after it did so, it
would delete itself to cover up its tracks. What are the chances the trojans
left something behind if they were still around to be found?

Thanks.
 
madmax

Tim said:
> I updated my virus detection file and found two viruses on my computer:
> VBS/Psyme & Exploit-MhtRedir.gen. From what I read, these are trojans that
> can download some other piece of software that wouldn't get detected by my
> AV detector. If that's the case, my computer might now have some lurking
> demon - a keystroke monitor / uploader etc. Should I do a complete
> reinstall to be safe?
>
> On the other hand, I would imagine that the trojan author would have his
> secondary piece of software delete the trojan to cover his tracks. Any
> thoughts?
>
> Thanks!

Try installing some anti-trojan software that has been mentioned in
other posts. Also, what program are you using for your mail?
If you are using the one supplied by MS, try a different one.
-max
 
Roger Parks

> I have a major amount of time invested in the installation of programs, OS
> updates etc on my system. I'd hate to go through the process again!

Been there; bite the bullet! The only way to avoid this is to have periodic
images (backups) so that if you discover that you're infected today, you can
back up to a week ago or so. Even then, you may have been infected a month
earlier - the AV and AT's signatures generally "lag" behind the actual
introduction into the wild.

At this point, IIWY, I'd create a little document somewhere listing the
rebuilding steps - in sequence. Export your account IAF's if you use
O.E., have all of your ISP account and password info. on that document
next to the point that you need it; for example, create your network connection.

Get all of your registry tweaks together. In some cases, export the actual
registry data and have all of your .regs together. Etc.

If you ever wanted to run two or three partitions (e.g. small system partition,
a second, encrypted partition to put your mail, personal stuff in) then now
is the time to do it. The advantage here is that if you blow your opsys,
you still haven't lost your personal stuff.

> If I install a software firewall like ZoneAlert to tell me if something is
> accessing the internet without my permission, will that suffice?

Yes, in theory - if it was a single, simple, isolated program somewhere. But
if it has infested your kernel and/or browser, then it could both betray you
(keylogger) as well as slow down your system.

Go here: http://www.firewallleaktester.com/tests.htm

As you can tell, the new ZA pro is a pretty good FW, but it alone can't
block many exploits. IF you supplement ZA or LnS with a behaviour monitor
(e.g. SSM ) BEFORE you're infected, then you'd probably not have been
infected in the first place - but could block it as you propose. Probably
too late now.

SSM: http://maxcomputing.narod.ru/ssme.html?lang=en

(FWIW, I've blocked all of these exploits with a combination of Outpost
Free, Sygate PF, and SSM. But I'd guess that the new ZA (or new Look N Stop)
in combination with SSM could also do it).

> From my understanding, viruses make themselves hard to delete. But a trojan
> delivers an insidious payload. And I would think that after it did so, it
> would delete itself to cover up its tracks. What are the chances the trojans
> left something behind if they were still around to be found?

These distinctions between Trojan and Virus behaviour are invalid (IMHO).
Anything goes.

Good Luck.
 
FromTheRafters

Tim said:
> I updated my virus detection file and found two viruses on my computer:
> VBS/Psyme & Exploit-MhtRedir.gen. From what I read, these are trojans that
> can download some other piece of software that wouldn't get detected by my
> AV detector. If that's the case, my computer might now have some lurking
> demon - a keystroke monitor / uploader etc. Should I do a complete
> reinstall to be safe?

This is a prime example of why it is sometimes necessary to do what
is otherwise considered overkill. This is a judgement call - that you
must make.

> On the other hand, I would imagine that the trojan author would have his
> secondary piece of software delete the trojan to cover his tracks. Any
> thoughts?

If the intruder wanted to make sure that the intrusion was not detected,
he would indeed do as you suggest. Not all intruders would bother to
try and cover their tracks though.

You could use every type of scanner imaginable to scan your system
for indications of actual intrusion. If no additional indications are found
you could assume that the intrusion was not successful and carry on as
if nothing had happened. If you are not comfortable with that, then the
only way to be sure is to break it down - and rebuild it.

On my home computer, I might be comfortable with making such an
assumption. But if I were responsible for an employer's computer or
network - I would not be at all comfortable with it. This is why it is a
judgement call that *you* must make.
 
