Windows question - Stopping a trojan

Through my own stupidity, I recently acquired a trojan on my Windows PC. The fact that it was billed as a “Cable Modem Speed Uncapper” but consisted of nothing more than one EXE (obviously compiled in Visual Basic) should have tipped me off. However, something seems to be wrong with this thing. When I first ran it, it gave me an error that it could not find “inet.ocx” and shut down. I deleted it, and thought that was the end of that.

The next time I turned on my computer, I saw the same message: “could not find inet.ocx”. My best guess is that this trojan copied itself deeper into my system when I executed it, and is now trying to establish a connection on the internet on startup so it can send my passwords, files, credit card numbers, etc. to whoever wants them. I have a personal firewall and an antivirus program running, so I know it hasn’t done anything REALLY bad yet, but I still want it gone.

So my question is: what can I do to finally remove this thing from my computer? It doesn’t seem to be very sophisticated, so I would guess that all I need to do is to kill the file that it is attempting to execute on startup. This presents a problem however: it is not in the “Start Up” directory under the Start menu, and I don’t know where I could find it. Does anyone have any ideas?

-Outrider

If you have the latest anti-virus software updates, it should clean it right off.

Otherwise, try to find the trojan client (either Back Orifice or NetBus) and that way you can remove it.

Ohh…and NEVER open an unknown .EXE!!!

No, my virus program (Norton) didn’t catch it. And it wasn’t BO or NetBus - those are too smart to display things like error messages when they can’t find a needed component. This was just a home-cooked VB trojan. I resolved my problem when I found the changed EXE in c:\windows and zapped it. I don’t think any damage was done. Yes, I should have known better.

Try download.com, search for ‘trojan’, you’ll have your program.

If you’ve still got the original file, you could see if Norton or McAfee are interested in receiving a copy (with due notice, of course). They might help you out directly.

BTW, it’s called a “Trojan Horse,” not a Trojan. I read your first sentence and envisaged a giant (well, for most of you) condom unrolled around your PC.

The program is somewhere, trying to run each time Windows starts. Your Windows Registry will contain a piece of information to tell where it is. You can edit the registry by clicking Start, Run, entering ‘regedit’, and hitting OK.

Once in the Registry Editor, open the folder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and see if it’s listed there. Those are programs that run each time you start, and you’ll see several entries for the little things in your System Tray.

If it’s not there, there are a couple of other places like this within the Registry. If you know the file name of the .exe file you got, you can do a search.
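The registry check described in the post above, as an added example that is not part of any post in this thread: it assumes the registry has been exported to a text `.reg` file from regedit, lists every string value under the Run key and its sibling autostart keys, and can filter by a known file name. The extra key names, the sample export, and the file name `uncapper.exe` are constructed for illustration.

```python
import re

# Autostart keys: the Run key named in the post plus other Run-family keys
# (the extra key names are this example's assumption, not the poster's list).
RUN_KEY = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$",
    re.IGNORECASE,
)
# "name"="data" or @="data"; only string values are parsed, hex(...) is skipped.
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping, where backslash and double quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", s)

def autoruns(reg_text, needle=None):
    """Return (key, value name, command) for each string value under an
    autostart key; with needle, keep only case-insensitive matches."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if RUN_KEY.match(line[1:-1]) else None
            continue
        m = VALUE.match(line) if key else None
        if not m:
            continue
        name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        command = unescape(m.group(2))
        if needle is None or needle.lower() in (name + " " + command).lower():
            found.append((key, name, command))
    return found

# Constructed sample export; none of these values come from the thread.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"uncapper"="C:\\WINDOWS\\uncapper.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Shell"="not an autostart value"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''

if __name__ == "__main__":
    for key, name, command in autoruns(SAMPLE):
        print(f"{key}\n    {name} -> {command}")
```

Any entry whose command points at a file you do not recognise is the one to look up on disk before deleting the value.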

Will the anti-virus people have the time to care about a Trojan Horse like this?

If you want to send a copy to McAfee, the address is virus_research@nai.com. We recommend that people put samples in a password-protected ZIP file with the password “infected” before sending them to us.

Or you can submit it over the web at http://www.webimmune.net

And yes, we will reply if it is a new trojan.