I caught a trojan that uses explorer.exe to reproduce itself if its autostart entry or its main exe file in Programs/x is deleted.
It had already tried to contact a suspicious server via explorer.exe; I blocked that with my firewall.
I:
- Removed the autostart entries from the registry
- Looked through my services for anything suspicious
- Deleted the trojan from Programs/
- Went through System Volume Information to find a 2-month-old explorer.exe and replaced the possibly infected one with it.
There are no suspicious processes running any more (no duplicate explorer.exe), and nothing tries to connect to this trojan owner's server either.
I checked my system with several anti-malware programs too.
What the trojan did:
- Started a second explorer.exe
- Whenever I deleted the main trojan exe file, it was reproduced (by the second explorer.exe)
- Whenever I deleted the autostart entry, it was reproduced by that explorer.exe too.
When I terminated the suspicious explorer.exe, which used only half as much memory as the less suspicious one from Windows, a strange thing that I know from the computers in my informatics class happened:
A window popped up in the top left of my explorer-less desktop, titled "Personal settings for ... are ...", which obviously copied some files. Then both explorer.exes started again and the trojan was everywhere again.
- What did the trojan actually do to get explorer to rescue it?
- Is my PC clean of this newish trojan now?
- What are the other locations I should check for the trojan?
- The trojan doesn't seem very high-level; could it have changed other system files, or is the autostart entry vital for it?
Awesome answer. If I had votes left, I'd upvote this. Nice Google owl btw :) – Alex – 2010-03-13T21:23:19.197
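The checks the question walks through (duplicate explorer.exe processes, registry autostart entries, services, and whether the restored explorer.exe is genuine), collected into a read-only PowerShell triage script. This is an added example, not code from the original post or from any answer; it assumes PowerShell 4.0 or later on the affected machine and an elevated prompt. The Active Setup listing is included because the "Personal settings for ..." window the question describes is the dialog Windows shows while Active Setup components run, so their StubPath commands belong among the locations to review.

```powershell
# Added example (not from the original post or its answers): read-only triage
# for the situation the question describes. Run in an elevated PowerShell
# prompt; PowerShell 4.0 or later is assumed (Get-CimInstance, Get-FileHash).
# Nothing here changes the system; it only reports what to look at.

# --- 1. Every running explorer.exe with its path, parent and command line ----
# Normally there is exactly one, started by userinit.exe (which has usually
# exited by the time you look). A second one with an odd path, parent or
# command line is the symptom from the question.
Get-CimInstance Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID          = $_.ProcessId
        ParentPID    = $_.ParentProcessId
        ParentName   = if ($parent) { $parent.Name } else { '(exited)' }
        Path         = $_.ExecutablePath
        CommandLine  = $_.CommandLine
        WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
    }
} | Format-Table -AutoSize | Out-Host

# --- 2. Is the explorer.exe on disk the one Windows shipped? -----------------
$explorer = Join-Path $env:windir 'explorer.exe'
$sig = Get-AuthenticodeSignature -FilePath $explorer
# On Windows 7 and earlier Get-AuthenticodeSignature does not check catalog
# signatures, so a genuine explorer.exe can show as NotSigned there; treat
# 'Valid' as good and anything else as "verify by other means".
"{0}: signature {1} ({2})" -f $explorer, $sig.Status, $sig.SignerCertificate.Subject
# Compare this hash with the copy you restored from; they should match.
"{0}: SHA256 {1}" -f $explorer, (Get-FileHash -Algorithm SHA256 $explorer).Hash

# --- 3. Autostart locations to review ----------------------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PSPath/PSDrive/... bookkeeping properties; skip them.
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}

# Winlogon values decide what runs as the shell at logon. Anything other than
# the defaults shown next to them is worth explaining.
$wlPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\$wlPath"
    if (-not (Test-Path $key)) { continue }
    $wl = Get-ItemProperty -Path $key
    if ($wl.Shell)    { "$key Shell    = $($wl.Shell)    (default: explorer.exe)" }
    if ($wl.Userinit) { "$key Userinit = $($wl.Userinit) (default: $env:windir\system32\userinit.exe,)" }
}

# Active Setup: the "Personalized Settings for ..." window is what Windows
# shows while these StubPath commands run, so list them and look for any
# that point outside the Windows directory or at a recently created file.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asKey | ForEach-Object {
    $c = Get-ItemProperty -Path $_.PSPath
    if ($c.StubPath) { "Active Setup {0}: {1}" -f $_.PSChildName, $c.StubPath }
}

# Startup folders for this user and for all users.
foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -Force -Path ([Environment]::GetFolderPath($folder)) |
        ForEach-Object { "Startup folder: $($_.FullName)" }
}

# --- 4. Services whose binary lives outside the Windows directory -------------
# Not automatically bad (many vendors do this), but a short list to read through.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike "*$env:windir*" } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize | Out-Host
```

The script deliberately changes nothing: the point is to collect the explorer.exe processes, the autostart values and the signature/hash of the file on disk in one pass so they can be compared against a known-good machine before anything else is deleted. Anything it lists that you cannot account for (a second explorer.exe with a non-Windows path, a Winlogon Shell value other than explorer.exe, a StubPath or Run value pointing into a user-writable folder) is the place to look next.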