Help with trojan, please.

Hello all,

I’m hoping that one of the computer gurus can help with the following situation:

A close friend called yesterday to say that someone in a different area code called her cell phone and described, in detail, some family photos that he’d emailed me (and only me). Mostly these were old vacation pics, of the Grand Canyon and such.

When I opened WinTasks, there was an entry that was running with the word “Trojan” in the description; WinTasks killed it, but only after I opened the viewer. I didn’t have time to write down what the full description was, or I’d post that info.

I currently run Sygate firewall, the full suite of Norton, WinTasks Pro, and I sweep with AdAware and Spybot weekly. After I saw the trojan thing, I downloaded Trojan Hunter and one or two more programs. None of them, after deep scanning, came back with a problem. Now, when I open WinTasks, that trojan thing shows up for a split second before it disappears (WinTasks doesn’t list it in the block list.)

At this point, I don’t know what to do. Someone was able to view my friend’s photos, find his cell phone number, and who knows what else. Other than a format/reinstall, are there any suggestions?

Running Windows XP Home, SP2.

I am by no means an expert on malware but here is something that’s easy to try. Go to Start, Run, and type msconfig. Check the Services and Startup tabs and see if there’s anything that looks like your Trojan. If so, turn it off and reboot.

It is possible that a clever malicious program knows how to run under the radar of Task Manager and msconfig, but it’s worth a try.

As far as removing it entirely, I can’t help you there.

Download HijackThis. Run it.
Boot into safe mode to begin your deletions, etc.

That’s god-awful advice. Or, at the very least, it’s terribly incomplete.

Someone who knows what they’re doing would probably already have run HijackThis.

And someone who doesn’t really know what they’re doing—like the OP—should never just start deleting HijackThis listings without getting advice from someone who knows how to read a HijackThis log.

To the OP:

Download and run HijackThis, then post the log here, or (even better) on a tech message board, and hopefully someone more knowledgeable will be able to point out where your problem lies.

Well, this is going to sound pretty dumb, but I finally figured it out (after basically all day of deep scanning the system.)

WinTasks was reading NetZero’s dialer as the trojan, because they named it exec.exe, which matches the W32/Spybot-Z trojan. My registry shows no sign of the trojan, and the computer seems to be secure (I added ZoneAlarm just to be on the safe side.)

Thanks for the help, though.

Well #1 if your friend kept that phone number…give it to the police and describe what happened.

#2 if the police do not want to nitpick your machines, time to go scorched earth. Blow out partitions, write zeros to every location and reload from scratch. You most likely do not want someone poking around in your machine like that. If they came up with a friend’s phone number they can find more if you give them the chance.