PLEASE HELP ME, I JUST GOT A TROJAN...PLEASE HELP!!!? I am fairly sure I know what the file is, I just can't delete it...The file is
GOR_E753G65Z. This may not be the file, it's just what I think it is because I cannot delete it, move it, or change it in any way. It is on my desktop. My windows virus thing popped up and said that I have a Trojan, but it can't help me unless I buy OneCare or something...I have ad-aware and mcafee, neither have recognized it!!! What steps do I take to get rid of it? I run an XP, Media center edition. The most recent program I downloaded was GIMP (www.gimp.org). I downloaded it as GIMP 2.6.0 instead of 2.6.1 if that makes a difference. Last night, my computer was singing.... No one was there. The lyrics were incomprehensible. I am competent with a computer.
PLEASE HELP. GIMP is the GNU Image Manipulation Program...Its generally very clean.
Asked By: Braedon L - 10/17/2008
It's probably best to print this answer, as you have a nasty virus that requires user interaction to remove entirely...
You'll need it on paper, as it requires you to have no internet access at some stages.
Either that or take your computer to the cleaners or reformat and restart...
[edit]
Ah... He deleted his answer and gave me a thumbs down...
I don't get why people get annoyed about giving good advice.
I'll make sure you get his answer too:
Firethreat is not as good as it makes out to be...
It doesn't detect viruses that are not yet defined, as Sophos will notice anything unusual that FT tends to miss.
And remember that the guy who recommended it works for a commercial magazine touting a commercial product that the magazine has an interest in...
There's a certain amount of bias in that, n'est-ce pas?
There are some good Virus writers out there and they know about FT and how to get around it - best way is to learn about it and follow the instructions to the letter.
Most rootkit Trojans are yet to be defined.
But follow his advice anyway, as it's worth having since you have a pretty poor anti-virus system going.
Download Threat-Fire or, preferably, AVG (as it's one of the best).
Though I recommend AVG or Kalinsky. (both free)
Shame he didn't tell you how to get rid of False Critical Registry entries...
Again - These programmes, such as Clamwin, will not be able to remove certain Registry entries as they are "False Criticals" and the virus will restart on reboot, no matter how many times you run the software...
This is a job that takes some time and patience and ensuring that the right parts are removed, so every trace of the virus is purged.
[original answer]
The name of the file suggests that it may be a Root Virus Trojan.
Most likely, in fact...
(ps - if you need any help with any of this, email me...)
They're brand new kits and I was one of the first 20 to get one, doing the work I do.
That's from Symantec - the world's largest Virus definitions database. (questionable...)
Here's what to do.
Don't pay for the programme to remove, as it most likely (knowing the people who made it) won't and you'll have to pay for something that you can do for free.
You got the virus for free, why not get rid of it for free.
You made a mistake, now you're sorting it out - Properly.
Google a programme called Sophos RootKit.
Okay, I've done it for you, it's here:
https://secure.sophos.com/products/free-tools/sophos-anti-rootkit/download/
Turn off the System Restore through Windows Help.
Delete the last one or two, from the date of infection.
Download it and run it after a full virus scan with whatever it is you use (AVG is one of the best free ones...)
It'll show you where all the Trojan infections are.
You may not be able to remove the virus from the present state...
So:
This is the best way:
Run it in Safe Mode or close all the non-critical processes and run it.
Safe mode:
F8 (or F5) at boot-up, "safe mode (no networking)" select from menu, load all device drivers as normal.
To close processes (and you may notice the filename running here, so be able to delete it - I assume you're getting the message you can't cos it's in use.) Ctrl Alt Delete to bring up Task Manager and then Processes and close the ones that look suspect.
Be warned that unless you know what you're doing, you could cause your computer to crash this way...
When you have all the locations, because the Trojan's not in memory (which is why you can't delete it and if you do, because it's a sophisticated one that infects the registry, it'll just come back again), you can use Regedit to get rid of all the values that it uses to reload itself every time your PC starts up again.
It may not be able to remove some of the values automatically, as they'll be "critical windows processes".
All you need to do is either delete the string in the Registry, or set it to zero in the binary edit or as the text edit.
Restart your computer once you've deleted all the files and Registry entries that this virus has created.
Turn on System Restore again.
You'll be clean, again, until next time it happens.
I had a virus like this recently - it worked and has worked for every Trojan (like the one you've mentioned) which will, on removal, restart themselves.
Just for the record - stay away from sites which have gimp in the name...
Anything like that tends to be bad news - if you're going to do something naughty, do it safe.
Answered By: Saccade - 10/17/2008
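The answer above ends with the Regedit step: find the values the Trojan uses to reload itself at startup and remove them. The hard part in practice is deciding which of the many Run entries are suspect. As an added example (not code from the question, the answer, or any product mentioned in the thread), the script below parses a `.reg` file as produced by `regedit /e` for the two standard autorun keys and flags every entry whose executable lives in a user-writable location such as the Desktop or the Temp folder, which is where a freshly dropped file like the one in the question would sit. The sample export is constructed: the value name GOR_E753G65Z is taken from the question, while the user name, the paths and the other entries are made up for illustration. The script only reports; it changes nothing, so the decision to delete stays with the person at the keyboard.

```python
import re

# Constructed sample of what "regedit /e" might export for the XP autorun keys.
# GOR_E753G65Z comes from the question; everything else is invented for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="\"C:\\Program Files\\McAfee\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"GOR_E753G65Z"="C:\\Documents and Settings\\Braedon\\Desktop\\GOR_E753G65Z.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\DOCUME~1\\Braedon\\LOCALS~1\\Temp\\svch0st.exe"
'''

# Directories on XP that an ordinary user can write to; installed software rarely
# autoruns from here, so an entry pointing into them deserves a closer look.
SUSPECT_DIRS = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\", "\\desktop\\")

# .reg files escape a backslash as "\\" and a double quote as "\"".
_REG_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, command) for each string value in a regedit export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # a new [HKEY_...] section
        elif line.startswith('"') and key:
            m = _REG_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_path(command):
    """Extract the program path from a Run value, with or without quotes/arguments."""
    command = command.strip()
    if command.startswith('"'):                      # "C:\path with spaces\x.exe" /arg
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.*?\.exe)', command, re.IGNORECASE)   # unquoted path, may contain spaces
    return m.group(1) if m else command.split(" ")[0]


def audit_autoruns(text):
    """Return (key, value_name, exe) for every autorun whose program sits in a user-writable dir."""
    flagged = []
    for key, name, cmd in parse_reg_export(text):
        exe = executable_path(cmd)
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            flagged.append((key, name, exe))
    return flagged


if __name__ == "__main__":
    for key, name, exe in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"SUSPECT  {key}\\{name}  ->  {exe}")
```

To use it on a real machine, export the two keys first (`regedit /e hklm-run.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` and the HKEY_CURRENT_USER equivalent), then feed the file contents to `audit_autoruns` on any machine with Python. Anything it flags is a candidate to inspect, not an automatic verdict: some legitimate per-user software does start from the profile directory, and a rootkit can also hide in locations this simple check does not cover (services, Winlogon, scheduled tasks), which is why the answer pairs the Registry cleanup with a rootkit scanner.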