A couple of days ago NIS (Norton Internet Security - fully updated) warned me that it had detected the infamous "downloader" virus on my PC. It said that it couldn't remove the virus. As soon as the warning popped up, the NIS icons vanished from the Windows tray (XP, with all the updates) and I had to manually restart the machine.
When XP loaded, I did an NAV scan (the PC was noticeably slow now), but it didn't find any viruses. So I formatted the primary hard drive, installed a fresh copy of XP and was in the middle of installing updates for XP and other programs (QuickTime, Photoshop, etc.) when the same bloody message popped up. So, I thought maybe the virus had got onto the secondary hard drive just after it infected the primary - and so even though I'd formatted the primary HD, the virus (residing on the secondary HD) had infected the primary HD.
So I formatted both HDs and installed XP again - lo and fkn behold, NIS tells me that the virus is still on the primary HD (again, the PC was noticeably slow).
What have I got to do to get rid of this bloody virus (short of nuking the HD)?
Any help/advice'd be much appreciated.
Honestly, downloader trojans are quite near impossible to remove. Everyone here may disagree with me, but I have dealt with all types of viruses, and they are 100% different today than they were just two years ago.
First, disconnect your internet, and restart Windows in Safe Mode (restart and tap F8 when it is booting, then choose "Safe Mode" from the advanced startup options). Now open My Computer and check your "Folder Options" (from the Tools menu in Windows XP) and ensure under the "View" tab that "Show hidden files and folders" is checked, and uncheck "Hide extensions for known file types" and "Hide protected operating system files (recommended)". Click Yes that you are sure about that one--viruses love to hide themselves in every way possible, so we must find every last one of them in addition to the downloader, otherwise one will call upon all the others and you'll have done all of this for nothing.
Next, what you have to do, and be extremely careful when you do this, is determine WHEN you obtained the virus. Now search your windows\system32 folder (or winnt\system32) and find every file that was added/changed within TWO minutes of each other. It helps to arrange items by date so you can easily sort out the baddies. These files would usually have no "Version" tab if you checked their properties, or if they did, it would be blank or garbage.
Rename these files and move them to another folder (do not delete them OR put them in the Recycle Bin). Next, check your user temp folder. This should look something like C:\Documents and Settings\(username)\Local Settings\Temp. Once there, delete all data from this folder, and remove it from the Recycle Bin as well.
Almost done. Now look in your windows folder (usually C:\Windows or C:\winnt) and look for the "Prefetch" folder. Delete everything in it (this folder is usually fine but can be recreated automatically upon restart, except this time without the viruses possibly sneaking back in).
Finally, go to System Properties (from Control Panel, or right-click My Computer and left-click Properties) and look at the System Restore tab. Disable System Restore completely. After the hourglass goes away, turn it back on. This will make System Restore delete all previous data, but the viruses were in there as well.
Remember, if you miss any one of these steps, it is possible that EVERYTHING will return. These downloader trojans are Bitc^es, so you have to eradicate every last piece of them and their downloaded buddies too. Msconfig is good to use if you are familiar with processes, but not required, because it doesn't matter as long as the processes do not exist on your PC. If you don't use msconfig, you may get some errors upon restart. That's fine. Just run a registry cleaner utility and it'll fix it.
Restart your PC WITH YOUR INTERNET STILL UNPLUGGED. Let it boot normally (not safe mode). Run some apps, see how your PC works. If you suspect the virus is still lurking around, then we have the worst kind of virus--the polymorphic kind. Here's how you outsmart it:
1. Restart in safe mode WITH command prompt.
2. When you get the DOS menu, hold ctrl+alt+del once and check task manager's processes tab.
Ensure that show processes from all users is checked, and look for problematic processes. The following processes are the names of valid system file processes: svchost.exe, lsass.exe, smss.exe, csrss.exe, winlogon.exe, System, System Idle Process, cmd.exe/command.com, and taskmgr.exe. If explorer.exe is running (note this only applies to safe mode command prompt), our virus is the most clever type. Any other processes are probably bad. End them and see if they return. If they do, you have a valid system file that is infected. If this is the case or explorer.exe is running, continue on. Otherwise, you should be okay.
Very dangerous stuff here, do not restart your PC until you know the file copied--the one we're fixing to deal with. Alright, in the DOS screen, type cd\windows. Next, type del explorer.exe. If you get an "access denied" message, type attrib -r -s -h explorer.exe, press enter, then retype the del explorer.exe and press enter. Our infected system file is now gone--however, this is a critical system file so we need a clean copy of it back on your C:\Windows again.
Alright, now we need to copy the file back from the C:\Windows\ServicePackFiles\i386 folder. In the DOS prompt, type cd\Windows\Servic~1\i386 and press Enter. Now, type copy explorer.exe C:\Windows and press Enter. Okay, pull Task Manager back up (Ctrl+Alt+Del) and end any tasks that are not on that list above. REMEMBER THIS ONLY APPLIES TO SAFE MODE COMMAND PROMPT; other processes are needed within Windows in normal mode. Finally, we should be okay. Exit Task Manager, and in the command prompt type exit and press Enter, and/or restart your PC. Now you should be fine.
This is the only method I have used that works 99.9% of the time; all other methods, as well as EVERY SINGLE ANTIVIRUS out there, fail at removing pre-existing downloader trojans. If you fit the (less than) 0.1% category, rootkits are involved. There I have very little advice for you, because the OS itself will hide everything malicious no matter what you do. Try a rootkit remover if you want, but they have the same problems that antiviruses do--reactive updates rather than proactive ones. I'd back up data and format if that happened, though I have yet to see this situation on the hundreds of PCs I've worked on...
Sadly, no antivirus program is able to remove every trace of the virus; they all leave something behind, it seems. I use a free antivirus app, but only to alert me if it detects a virus, in which case I will remove it myself anyway.
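An added example, not posted by anyone in this thread, that turns two of the manual triage steps from the long reply above into code: grouping system32 files whose modification times fall within two minutes of each other and flagging the ones with no version resource, and comparing running process names against the "Safe Mode with Command Prompt" allowlist the reply gives. The file list and process list are constructed sample data; a real run would walk %SystemRoot%\system32 and read each file's version resource, which this script does not do.

```python
"""Triage helpers modelled on the reply's manual steps (added example)."""
from datetime import datetime, timedelta

# Process names the reply lists as expected in Safe Mode with Command Prompt.
SAFE_MODE_CMD_ALLOWLIST = {
    "svchost.exe", "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "System", "System Idle Process", "cmd.exe", "command.com", "taskmgr.exe",
}

WINDOW = timedelta(minutes=2)  # the reply's "within TWO minutes of each other"


def cluster_by_mtime(entries, window=WINDOW):
    """Sort (name, mtime, has_version) tuples by mtime and group runs where
    each file was written within `window` of the previous one."""
    ordered = sorted(entries, key=lambda e: e[1])
    clusters = []
    for entry in ordered:
        if clusters and entry[1] - clusters[-1][-1][1] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def suspicious_files(entries, window=WINDOW, min_cluster=2):
    """Names of files that arrived as a burst (>= min_cluster files within
    `window`) and carry no version resource, i.e. the blank "Version" tab
    heuristic from the reply. A lone file with no version info is not flagged."""
    flagged = []
    for cluster in cluster_by_mtime(entries, window):
        if len(cluster) < min_cluster:
            continue
        flagged.extend(name for name, _mtime, has_version in cluster
                       if not has_version)
    return sorted(flagged)


def unexpected_processes(running, allowlist=SAFE_MODE_CMD_ALLOWLIST):
    """Split process names not on the allowlist into (explorer, others),
    since the reply treats explorer.exe running in this boot mode as its
    own special case."""
    extra = sorted(set(running) - allowlist)
    explorer = [p for p in extra if p.lower() == "explorer.exe"]
    others = [p for p in extra if p.lower() != "explorer.exe"]
    return explorer, others


# Constructed sample data (hypothetical names and times, not from any real PC).
T0 = datetime(2007, 3, 14, 21, 5, 0)
SAMPLE_FILES = [
    ("kernel32.dll", T0 - timedelta(days=400), True),   # old, versioned
    ("ntdll.dll", T0 - timedelta(days=400, minutes=3), True),
    ("qwe12.exe", T0, False),                           # burst, no version
    ("zxcv.dll", T0 + timedelta(seconds=45), False),    # burst, no version
    ("wrapper.dll", T0 + timedelta(seconds=90), True),  # burst, but versioned
    ("lonely.tmp", T0 + timedelta(hours=5), False),     # alone, not flagged
]
SAMPLE_PROCS = ["System", "smss.exe", "csrss.exe", "winlogon.exe",
                "svchost.exe", "cmd.exe", "taskmgr.exe",
                "explorer.exe", "qwe12.exe"]

if __name__ == "__main__":
    print("files to rename/move:", suspicious_files(SAMPLE_FILES))
    explorer, others = unexpected_processes(SAMPLE_PROCS)
    print("explorer.exe running in safe mode cmd:", bool(explorer))
    print("other unexpected processes:", others)
```

The two-minute window is a sliding one (each file is compared with the previous file in time order), so a burst of three writes spread over 90 seconds counts as one cluster even though the first and last are more than 45 seconds apart; raise `min_cluster` if legitimate updates on the box you are looking at tend to write pairs of files together.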