A Trojan horse infected my computer--Need help fast!

First, the specs for my computer:
Dell Inspiron 6000 laptop running Windows XP with latest service pack.

My computer has been infected with a Trojan horse that I have learned through a few minutes’ research on Google is related to a rogue anti-virus/anti-spyware program. Below is a screenshot of what I saw moments before all hell broke loose:

http://www.2-spyware.com/remove-spyware-protect-2009.html

Now whenever I try to open any program on my computer, I get a message about it being infected and that I should run an antivirus program. When I click “Yes” to the prompt, Internet Explorer (not my default browser, this was my first clue that something fishy was going on) opens up to a site that wants to sell me antivirus software for $60. This is obviously a scam, but I can’t seem to get around it. I tried to go to Google from the page displaying the purchase offer, but Explorer gives a warning that that site (Google!) is trying to infect my computer.

I managed to power down the computer by pushing and holding the power button. I restarted it and managed to get McAfee running before the Trojan took hold and again informed me that every program file I have is infected. Now I am posting this from the business office at my apartment complex, as my computer is pretty much locked up with all of the warning messages.

So far, the sites I’ve found discussing it all say there is a program available to remove the Trojan horse. But I can’t seem to get any program on my computer to open up without a “This file is infected. Do you want to run your antivirus program?” prompt showing up. I have a thumb drive on me. Can I download the removal program to that and run it on my infected computer?

Any help is much appreciated :slight_smile:

Ok, I’ll be an asshole and bump my own thread. But only because I’m desperate.

First of all you should read the sticky thread at the top of this board. You will find some reliable anti-malware programs listed there. I like the one by Malwarebytes. It has done the trick for me every time. However, it is possible that the virus will block its usage. If that’s true, download HijackThis from here, run it, get a log and post it at the Malwarebytes’ forum or here. Someone will talk you through the process. Oh yes, if you haven’t already done so, disconnect your infected computer from the Internet – unhook your Ethernet cable or disable your wireless. Download using another computer for now. And it you can, start backing up all your key files in case you need to reinstall your OS. Good luck.

I know of the programs in the sticky. My concern was that I was unable to open ANY program on my computer, due to the virus. I mean, it seemed like every one would result in a popup warning that said “ is infected. Do you want to run your antivirus software?” I was thinking the solution would have me go into the BIOS or somesuch. Thank you for responding, though. :slight_smile:

Have you tried booting up in safe mode? That may give you enough relief to run the anti-malware programs. Don’t forget to disconnect from the Internet. It can vary by computer, but you usually can get into safe mode by hitting the F8 key after the computer starts its bootup process.

Whoops… Just re-read the part about booting in safe mode in the sticky. I had thought of that, but I didn’t know exactly what Safe Mode did. I didn’t know if it would let me access the programs that the virus had blocked. I’ll try it though. Thanks again.

Do what it says here http://boards.straightdope.com/sdmb/showthread.php?t=538187

I had the exact same one.


It wasn’t that hard to remove for me once I did it in safe mode (I literally went looking for the files and just deleted them. I also edited my start menu with CCCleaner to stop it restarting (there was a junky something sysguard.exe I had to kill)
I also found some 234uijsuui.exe type files just sitting nowhere in particular on my c: drive and as they had the date of the infection I deleted them too.

Good luck
Someone more knowledgeable will be along shortly I’m sure

Good lord - where did all those replies come from???

Actually, I do have one more question: Will installing the various anti-spyware programs listed in the sticky cause problems with my existing program, McAfee?

Change the Malwarebytes program extension from *.exe to *.com. and run it in safe mode.

First get rid of the virus. You always uninstall the anti-malware programs afterwards if you like. As viruses go, yours don’t sound too serious.

I wondered what that malware did. My dad picked it up, but between running everything on a limited account (so it couldn’t infect anyone else’s) and running Malware Bytes in safe mode, I got rid of it pretty quickly. I then decided to install Process Guard (google it), which will prevent unauthorized programs from starting without asking you. I don’t know why such an idea didn’t come standard with Windows anyways.

I was infected with the same piece of nastyware a couple of weeks ago. getting rid of the sypware was easy,getting rid of the rootkit it installed was not! What I had to do to clean it up is detailed in the second link that madrabbitwoman posted. I ended up needing to use the tatical nuclear option with a program called Combofix.exe. It worked but the program can cause your system to stop working if used improperly.
Good Luck
P.S. you will know if you have a rootkit by trying to log into your online banking, if you get redirected to a phishing attempt that tries to steal your personal info your still infected.

Update: I did everything that the sticky said to do. Malwarebytes seems to have found the problematic files (15 of them). I then ran the Panda rootkit removal program and it came up clean. I think I might have averted disaster, will all of your help. I appreciate it :slight_smile:

I had a terrible time removing Trojan Win32/FakeSpyPro from my PC despite me having Adaware, AVG and several other anti syware/malware programs on my laptop.

It would reinstall on every boot and redirected my browser.

In the end I used a small program called XDelbox which did the trick.

http://www.xdelbox.com/

Give it a try.