How do I know if I managed to completely remove an undetected trojan?

3

1

I caught a trojan that uses explorer.exe to reproduce itself if its autostart entry or its main exe file in Programs/x is deleted.

It had already tried to contact a suspicious server via explorer.exe; I blocked that with my firewall.

I:

  • Removed the autostart entries from the registry
  • Looked through my services to see if there was anything suspicious
  • Deleted the trojan from Programs/
  • Went through System Volume Information to find a 2-month-old explorer.exe and replaced the possibly infected one.

There are no suspicious processes running anymore (no duplicate explorer.exe), and nothing tries to connect to this trojan owner's server either.

I checked my system with several anti-malware programs too.

What the trojan did:

  • Started a second explorer.exe
  • Whenever I deleted the main trojan exe file, it was reproduced (by the second explorer.exe)
  • Whenever I deleted the autostart entry, it was reproduced by the explorer.exe too.

When I terminated the suspicious explorer.exe, which used only half as much memory as the less suspicious one from Windows, a strange thing that I know from the computers in my Informatics class happened:

A window popped up in the top left of my explorer-less desktop, titled "Personal settings for ... are ..." that obviously copied some files. Then both explorer.exes started again and the trojan was everywhere again.

  • What did the trojan actually do to get explorer to rescue it?
  • Is my PC clean of this newish trojan now?
  • What are the other locations I should check for the trojan?
  • The trojan doesn't seem very high-level; could it have changed other system files, or is the autostart entry vital for it?

ubuntuisbetter

Posted 2010-03-13T11:20:47.393


Answers

2

You can never be 100% totally sure you completely removed a trojan horse. Once your security is breached, you don't know what exactly happened.

You seem to have figured out quite well what it did to your system. But what if it installed a rootkit you didn't find and that is invisible to your anti-virus software?

There are tons of things to think of, like the example above. The one and only way to be completely sure is a reinstall of the complete system.

If you're not up to that, run a few anti-virus software packages etc., check all your startup settings (registry, msconfig etc.), look for "strange" running processes and kill them to see what happens.

S.Hoekstra

Posted 2010-03-13T11:20:47.393

Reputation: 2 231

1

As was said, without a full reinstall you can't be completely sure... However, if you take the time to deeply inspect your system (often more time than applying a good backup/reinstall strategy...), there is only an outside chance that something remains. So here are some free tools to do it (in order of personal preference).

Start and finish with an sfc /scannow in an administrator command prompt to verify all the system files.

Antimalware scanners

For more security use multiple engines and use them from a boot media (like ubcd4win) or another (well protected) computer.

Rootkit detector

Deep system inspection tools

Bonus: An interesting video with Mark Russinovich (creator of ProcessExplorer & Autoruns) about Malware Cleaning

fluxtendu

Posted 2010-03-13T11:20:47.393

Reputation: 6 701

Awesome answer. If I had votes left, I'd upvote this. Nice Google owl btw :) – Alex – 2010-03-13T21:23:19.197
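As an added example (not part of any answer above, and not from the tools fluxtendu lists), the following read-only PowerShell triage script covers the checks both answers recommend for the symptoms in the question: it lists every running explorer.exe with its image path and memory use, verifies the Authenticode signature of the explorer.exe on disk (useful after the restore from System Volume Information), and dumps the usual Run/RunOnce, Winlogon and Startup-folder autostart locations so unexpected entries stand out. Run it from an elevated prompt; it changes nothing.

```powershell
# Added example, not from the original thread. Read-only triage for the
# "duplicate explorer.exe + self-restoring autostart entry" symptoms.
$systemExplorer = Join-Path $env:WINDIR 'explorer.exe'

# 1. explorer.exe instances. A second copy, or one whose Path is outside
#    %WINDIR%, matches the duplicate-process symptom in the question.
Write-Host "== Running explorer.exe instances (expect exactly one, from $systemExplorer)"
Get-Process -Name explorer -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, Path,
        @{ n = 'WorkingSetMB'; e = { [int]($_.WorkingSet64 / 1MB) } } |
    Format-Table -AutoSize

# 2. Is the on-disk explorer.exe still Microsoft's? A tampered or badly
#    restored binary shows up as NotSigned / HashMismatch instead of Valid.
Write-Host "== Authenticode status of $systemExplorer"
Get-AuthenticodeSignature -FilePath $systemExplorer |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-List

# 3. Registry autostart entries (per-user and per-machine). Compare each
#    command line against what you expect to be installed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "== $key"
        Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 4. Winlogon Shell/Userinit decide what starts the desktop. Shell should be
#    plain "explorer.exe" and Userinit should point only at userinit.exe.
Write-Host "== Winlogon Shell / Userinit"
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object Shell, Userinit | Format-List

# 5. Startup folders for the current user and all users.
Write-Host "== Startup folder contents"
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Anything the script lists that you did not install yourself is a candidate for the extra "locations to check" the question asks about, and is worth re-running after the sfc /scannow pass fluxtendu suggests.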

0

Use Lavasoft_Ad_Aware_Anniversary_2009_Professional_8.0.7, Spybot Search & Destroy or SUPERAntiSpyware

Armen Mkrtchyan

Posted 2010-03-13T11:20:47.393

Reputation: 179

Care to explain a bit more? Like: why these tools, and why that exact 8.0.7 version number? – Arjan – 2010-03-13T15:39:43.773

-1

(1) If it was completely undetected, you can never be entirely sure you got it all.

(2) I would recommend a Mac instead.

Alex

Posted 2010-03-13T11:20:47.393

Reputation: 2 094

+1 for the first point, -1 for the Mac fanboy comment. He even said he's getting Linux in a week. – Sasha Chedygov – 2010-03-13T12:01:49.790

It's not a fanboy thing; I was a Windows expert for 15 years before I finally tried a Mac. It took me a couple of months to unlearn my habits, but then I was totally sold on the concept and the execution. Linux on the desktop just isn't there yet. I use it currently in the server room, which unfortunately really is its place in life at the moment. Mac OS has the same UNIX underpinnings, but with a much more consistent, well-thought-out UI. – Alex – 2010-03-13T12:14:05.500

I prefer Linux to Mac because functionality is more important to me than beautiful UIs. I also prefer open-source to Apple's DRM hell.

It was completely undetected by anti-virus programs; that doesn't mean I haven't detected it.

Sorry, but this answer didn't help me a lot, especially the Mac part. – None – 2010-03-13T12:43:00.767

@ubuntuisbetter, what you'd expect when using the name "ubuntuisbetter" and signing your question with "Getting linux in a week" yourself...? – Arjan – 2010-03-13T13:13:28.747

An answer containing something useful, I wouldn't care about fanboy recommendations then. – None – 2010-03-13T13:17:19.747

@ubuntuisbetter: The functionality in Mac and Ubuntu is very similar, as they're both Unix-based systems, and there's more third-party proprietary software available for the Mac. Moreover, I haven't run into any Apple DRM hell on my desktop, although I will agree some people don't like Apple's control on the iPhone. There are reasons to prefer either Mac or Ubuntu, but functionality and DRM are really not good reasons to prefer Ubuntu. – David Thornley – 2010-03-13T14:54:44.397

I'm not here to discuss about Mac with some Apple fanboys here, sorry. – None – 2010-03-13T15:10:21.447

@David: Agreed. @Ubu: We're not fanboys, we're IT professionals. You might want to look at this question, and the accepted response (and who wrote it, and the comments on it). http://superuser.com/questions/119001/ – Alex – 2010-03-13T21:22:33.113

@Ubuntu is better: Would it make you feel better to know that I'm posting this comment from my Ubuntu laptop, and my earlier comment was from my Ubuntu desktop? I don't think I quite qualify as a Mac fanboy. That being said, I of course agree that Ubuntu has advantages, but they aren't functionality and DRM. – David Thornley – 2010-03-14T22:39:43.477

I think ubuntuisbetter is right here. This answer adds nothing to help. The comments add a little insight, but again, not about the question. I would edit it and try to be a little more helpful if I were Burke. But it's a humorous answer anyway; it shouldn't be taken all that seriously just because it looks like a fanboy. – cregox – 2010-03-22T17:39:29.723