Help with Viruses and Trojans

 
Viruses and trojans can be downloaded to your computer by visiting some websites, clicking on links, or installing software. You should always install all OS patches and security updates, and you should always run good antivirus software with up-to-date virus definitions.
 
If hyperlinks such as http://10.2.30.40:8180 or another number automatically appear in IMs that you send, it probably means that your system is infected with the "W32/Aplore@MM" virus/worm. Both McAfee and Symantec have web pages set up with descriptions and removal instructions. As always, please only click on hyperlinks that you know are safe, even when receiving them from people you trust.
 
If your member profile or away message has links in it that you can't delete or that get replaced automatically, such as www.realphx.com or www.talkstocks.net, you can try to follow the steps below. If you are a novice computer user, please get someone more experienced to help you.
  1. Exit AIM so other users don't get infected from you while you are cleaning your system.
  2. Go to http://windowsupdate.microsoft.com and install all of the critical updates. This will prevent the current trojans from reinfecting you once you have cleaned up the files currently installed.
  3. In IE, go to Tools/Options and reset your Home Page (or just click on Use Blank) if this setting has been hijacked.
  4. Go to the Add/Remove control panel and uninstall the following:
    •  "Bargain Buddy"
    •  "Lycos Sidesearch" (Unless you intentionally installed this program.)
    •  "Web Helper"
    •  "Win Favorites"
    •  Anything with "n-CASE" in the name.
    •  Anything else that looks suspicious.
  5. Install the latest version of Ad-Aware from http://www.lavasoftusa.com/support/download/.
  6. Launch Ad-Aware and click the Check For Updates button on it. After installing any new updates, proceed to the next step.
  7. Configure Ad-Aware to do a custom scan with all options selected, and then proceed with the scan.
  8. When the Ad-Aware scan is complete, click on Finish. Then right-click on the list of located objects, choose "Select All Objects", and click on Next. Then click OK on the confirmation dialog to remove all the objects. Ad-Aware will probably state that it needs to reboot to finish; in that case reboot now instead of waiting until later.
  9. Delete all unneeded items from the "temp" directory. If you are not sure where your system's temp directory is, launch "%temp%" from the Run item on the Start Menu. Many of the trojan files will still be in the temp directory and they may be launched in the future if they are not removed now.
  10. Launch "msconfig" from the Run item on the Start Menu, and in the Startup tab of the System Configuration Utility window that appears, uncheck all of the following:
    •  Anything that resembles any of the following items:
      "Lycos Sidesearch" (Unless you intentionally installed this program.)
      "Bargain Buddy"
      "Web Helper"
      "Win Favorites"
      "Power Scan"
      "Sqwire"
      "syslaunch.exe"
      "uc"
      "n-CASE"
    •  Any item with a very strange name, such as seemingly random characters.
  11. Click OK to save the changes, and reboot when prompted.
  12. Delete the following items (or anything with very similar names):
    •  From c:\ :
      "url.txt" (file)
    •  From c:\Program Files\ :
      "Bargain Buddy" (folder)
      "Power Scan" (folder)
      "Sqwire" (folder)
      "syslaunch.exe" (file)
    •  From c:\Program Files\Common Files\ :
      "SQ" (folder)
    •  From c:\Windows\ :
      "av.exe" (file) (Unless you believe this is your own antivirus software)
      "msgcenter_lminv1.exe" (file)
      "bi.exe" (file)
      "cdt_bbi8016.exe" (file)
      "randomiser.exe" (file)
      "winfavorites.exe" (file)
  13. Delete any remaining porn links. These will be in the IE Favorites and/or in various locations on the Start Menu. Ad-Aware may have cleaned out the actual links so that only the empty folders remain to be deleted.
  14. In IE, go to Tools/Options and do the following:
    a. Reset your Home Page if it has been hijacked again.
    b. Click on Delete Files in the Temporary Internet Files section, and make sure to check the option to also delete Offline Content.
    c. Click on Clear History in the History section.
    d. Click on OK.
  15. Check the profiles one last time for each of your AIM Screen Names, to make sure that they are not once again pointing to the malicious web site, and delete any that are.
  16. That should take care of it, as long as you take the following steps going forward:
    •  Frequently install all critical Windows Updates in the future.
    •  Use a firewall, which can alert you when malicious programs are trying to use your Internet connection.
    •  Keep your antivirus software up to date and scan all of your hard drives regularly.
    •  Frequently run a program such as Ad-Aware or Spybot that can detect and remove adware and spyware.
    •  Be extremely cautious before clicking on any hyperlink that you are not certain is safe. (When in doubt, check first with the person who sent you the link.)
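
A more experienced helper can re-check steps 10 and 12 after the cleanup with a small read-only script. The following is an added example, not part of the original instructions: the function names and the matching rules are assumptions, and the startup names in the demo are constructed. It only reports what it finds and deletes nothing.

```python
import os

# Names copied from steps 10 and 12 above; the matching rules are this example's assumption.
STARTUP_NAMES = ["Lycos Sidesearch", "Bargain Buddy", "Web Helper", "Win Favorites",
                 "Power Scan", "Sqwire", "syslaunch.exe", "uc", "n-CASE"]
LEFTOVERS = {  # folder relative to the system drive -> names from step 12
    "": ["url.txt"],
    "Program Files": ["Bargain Buddy", "Power Scan", "Sqwire", "syslaunch.exe"],
    "Program Files/Common Files": ["SQ"],
    "Windows": ["av.exe", "msgcenter_lminv1.exe", "bi.exe", "cdt_bbi8016.exe",
                "randomiser.exe", "winfavorites.exe"],
}

def _norm(s):
    # Ignore case, spaces, dashes and a trailing ".exe" so "BargainBuddy" resembles "Bargain Buddy".
    s = "".join(c for c in s.lower() if c.isalnum() or c == ".")
    return s[:-4] if s.endswith(".exe") else s

def flag_startup_entries(entries):
    """Return (entry, listed name) pairs for startup entries that resemble a step 10 item."""
    flagged = []
    for entry in entries:
        e = _norm(entry)
        for name in STARTUP_NAMES:
            n = _norm(name)
            # Short names such as "uc" must match whole; as a substring "uc" would hit "Product".
            if e == n or (len(n) > 3 and n in e):
                flagged.append((entry, name))
                break
    return flagged

def find_leftovers(root):
    """Return paths under root (for example "C:\\") that step 12 lists. Read-only."""
    found = []
    for subdir, names in LEFTOVERS.items():
        folder = os.path.join(root, *subdir.split("/")) if subdir else root
        if not os.path.isdir(folder):
            continue
        wanted = {n.lower() for n in names}
        for item in sorted(os.listdir(folder)):
            if item.lower() in wanted:  # exact name only; "very similar names" need a manual look
                found.append(os.path.join(folder, item))
    return found

if __name__ == "__main__":
    startup = ["BargainBuddy", "UC", "Printer Product Monitor", "ctfmon.exe"]  # constructed
    print(flag_startup_entries(startup))
    print(find_leftovers("C:\\"))  # "av.exe" may be your own antivirus; review before deleting
```

An empty result from both functions does not cover items with seemingly random names, which step 10 still asks you to review by eye.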