Got Trojan, need a little help!

16 replies
Hi guys,

I got hit by a Trojan. I was scanning my computer using Spybot, and it found Win32.autorun.temp. I tried to delete it from Spybot but it won't get removed.

So I browsed around and found that I can go to regedit in Windows and delete the registry value "Taskman" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\".

Would just like to confirm if I can really delete that registry value without any negative consequences. Better safe than sorry, as they say.

Would appreciate your advice.

Thanks a lot,
Michael
  • Mike Baker:
    I wouldn't judge what Spybot has to offer solely on its own. I highly recommend having both an anti-spyware program as well as an anti-virus program. I recommend downloading the trial version of either Kaspersky Internet Security or avast! Internet Security and then scanning your computer again. If the same file comes up as infected, then either of those programs will be able to deal with it.

    For manual removal you can visit this thread outside of Warrior Forum: Manual Removal Guide for Win32.AutoRun.tmp - Safer-Networking Forums
  • Mikey D:
    After you check out Mikescoc's link:

    You will want to also install Malwarebytes Anti-Malware. It's free and a great program to run alongside SS&D. This will help you in the future. In fact, it may even help remove your current trojan.

    Malwarebytes Anti-Malware - Free software downloads and software reviews - CNET Download.com
  • Michael Lee:
    Thanks, Mikescos and Mikey. I have actually scanned it first using Malwarebytes Anti-malware; it found Trojan.dropper but it was successfully removed. Then I used Spybot and that's how I found Win32.autorun.temp. After that, I scanned using Avast but it didn't find any threats.

    I already went to the Manual Removal thread and that's where I found the Registry value removal. Just want to confirm if I can go ahead and not incur any problem in the future.

    Thanks!
    Michael
    • HH89:
      Originally Posted by Michael Lee:

      Thanks, Mikescos and Mikey. I have actually scanned it first using Malwarebytes Anti-malware; it found Trojan.dropper but it was successfully removed. Then I used Spybot and that's how I found Win32.autorun.temp. After that, I scanned using Avast but it didn't find any threats.

      I already went to the Manual Removal thread and that's where I found the Registry value removal. Just want to confirm if I can go ahead and not incur any problem in the future.

      Thanks!
      Michael
      Michael,

      I found this thread and registered here just to reply to you.
      I believe there is a bug in Spybot that is causing it to detect an F/P trojan "Win32.AutoRun.tmp" in that location you mentioned whenever you use MBAM to quarantine/delete a file.

      I've posted about it here on the MBAM forums: forums.malwarebytes.org/index.php?showtopic=71140

      I strongly suggest you take a look before proceeding any further. Hopefully you haven't deleted any registry entries yet.

      I too use MBAM, Avast and Spybot, and scan regularly with all three tools. Ever since my Spybot started detecting "Win32.autorun.tmp" in Taskman, I have scanned with MBAM 5 times, Avast once, and the Eset online scanner 2 times. All those scans have come up clean. Only Spybot is detecting this.

      For me, the detection first popped up after I used MBAM to quarantine a program installer file which I downloaded (that MBAM had classified as a PUP - potentially unwanted program).

      I have been able to reproduce this bug in Spybot on another computer as well. All you have to do is just use MBAM to quarantine a file, and right afterwards Spybot will start detecting "Win32.AutoRun.tmp" in the registry value winlogon\taskman. I believe a recent update for Spybot might have introduced this bug, as there have been a lot of threads made on this exact detection in the exact same location just this month.

      Also, whatever you do, do not delete taskman from the registry. Here's why: forums.spybot.info/showthread.php?t=60684

      The guy who posted in that thread deleted his, and it screwed up his computer.


      Kind regards,
      - HH89
      • WD Mino:
        DO NOT DELETE taskmanager.

        Keep in mind when scanning files that any potential file can be an associated extension. Anti-malware programs are good, but sometimes they do show files that are not actually corrupted.

        Here is the best thing to do: download the (freeware) program from http://www.superantispyware.com/. It finds things MB does not; I use it and it is fantastic. Install the program but do not execute it other than to update it initially.
        Then manually restart your computer.
        Hit F10 when it is finished doing the P.O.S.T. (this is where the splash screen comes up showing your make or model and/or the RAM and processing speed etc. before it goes to the Windows loader).

        You will get a screen that allows you to select safe mode. Restart in safe mode and then run SUPERAntiSpyware. Your viruses and/or spyware should always be removed from safe mode. Safe mode is a restrictive directory mode specifically created to fix and troubleshoot operating systems.

        Once the scan is done, restart and run the scan in normal mode. All should be well.
        Don't ever delete the task manager; your computer will just stop functioning.
        Cheers
        -Will
        • wanna-succeed:
          Getting rid of viruses is a pain in the rear end.
          In the past 6 years I've only had 1 virus. The rest were caught in time by my anti-virus program, Kaspersky, which is by far the best there is of the public ones.
          Anyway, I don't know if you understand all the advice people have given you here, but if you feel that it's too complicated, don't deal with it directly; that is a disaster waiting to happen.
          I've learnt the hard way not to mess with my computer in areas I don't fully understand.
          Taking your computer to a pro shop only takes a day or two and you know you're getting it back in top shape.
          If you mess around with it yourself, you probably will fix most of your problems, but once in a while you might change something small in your definitions and/or settings and cause severe damage.
          I don't mean to scare you or anything, just a word of caution... for you and everyone else...
  • Mike Baker:
    If on Win 7 or Vista, your best bet is to open regedit by going to Start -> Search. Type in "regedit" without quotes. In the list you will see regedit. Click on it to open it. If you get the security prompt, click Yes. Once open, click on File -> Export. Navigate to a location you will remember and type in a name for the file. (Sorry, I forgot to mention we are backing up your registry.) Click Save and you are done. You can safely navigate to the file location in your registry to delete it. If there are any problems afterwards, you can simply import the backup to restore the previous state.

    If on Win XP, I believe you go to Start -> Search. In the new window you want to select All Files & Folders. Make sure your C drive (or whatever drive you have Windows running on) is selected in the Look In drop down menu, and type "regedit.exe" in the "All or part of the file name" field. Click Search and before too long it will show the file (It should be found in C:\Windows\). Double-click on it to open it and follow the steps outlined above.

    Previous versions of Windows should be the same if not similar to XP.
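    A defender-side complement to the back-up-first advice in this thread, as an added example (not code from the thread or from any of the tools named in it): a PowerShell script that exports the Winlogon key to a timestamped .reg file and then reports what the flagged Taskman value currently contains, without deleting anything. It goes slightly beyond the thread by also reading the neighbouring Shell and Userinit values, which live in the same key and are likewise used to control what starts at logon; that choice, the backup directory and the assumption of an elevated PowerShell session on a Windows machine are mine, not the thread's.

    ```powershell
    # Added example, not from the thread: back up the Winlogon key, then inspect
    # the Taskman value (and its neighbours) before deciding whether to touch it.
    # Assumes an elevated PowerShell session on Windows. The backup directory
    # below is an assumed location; pick any folder you will remember.

    $winlogonPs  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' # PowerShell drive form
    $winlogonReg = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'  # form reg.exe expects
    $backupDir   = Join-Path $env:USERPROFILE 'Desktop\registry-backups'       # assumed location
    $timestamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile  = Join-Path $backupDir "Winlogon-$timestamp.reg"

    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

    # 1. Export the whole key first (the same thing File -> Export does in regedit).
    #    /y overwrites an existing file of the same name without prompting.
    & reg.exe export $winlogonReg $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed; not continuing." }
    Write-Host "Backup written to $backupFile"

    # 2. Read the value Spybot flagged, plus the neighbouring logon-control values,
    #    and report what each one contains. Nothing is modified here.
    $props = Get-ItemProperty -Path $winlogonPs
    foreach ($name in 'Taskman', 'Shell', 'Userinit') {
        $entry = $props.PSObject.Properties[$name]
        if ($null -eq $entry) {
            Write-Host ("{0,-8}: (not present)" -f $name)
            continue
        }
        Write-Host ("{0,-8}: {1}" -f $name, $entry.Value)

        # Each value may hold a comma-separated list (Userinit normally ends with
        # a trailing comma); look only at the first program it names.
        $exe = ($entry.Value -split ',')[0].Trim().Trim('"')
        if (-not $exe) { continue }

        # Resolve a bare name such as "explorer.exe" through PATH, otherwise
        # treat the string as a literal path.
        $resolved = $null
        if (Test-Path -LiteralPath $exe) {
            $resolved = $exe
        } else {
            $resolved = (Get-Command $exe -ErrorAction SilentlyContinue).Source
        }

        if ($resolved) {
            # A signature check helps tell a stock Windows binary from something
            # dropped into the key; a dangling reference is reported separately.
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            Write-Host ("          resolves to {0}; signature status: {1}" -f $resolved, $sig.Status)
        } else {
            Write-Host "          referenced program not found on disk"
        }
    }

    # 3. If a later change turns out to be a mistake, the backup restores the key:
    #    reg.exe import "<path to the .reg file written above>"
    ```

    Run it from an elevated prompt before making any manual change, and keep the .reg file it writes until you are sure the machine still logs on normally; `reg.exe import` on that file puts the key back exactly as it was.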
  • King Shiloh:
    WARNING: Do not delete any program whose function you are not sure of.

    I believe there's a computer engineer or software specialist in your locality, please contact him.

    Meanwhile, you already have a lot of good suggestions here.

    I use Avast anti-virus and it has been telling me that my system is secure and I believe it.

    I strongly recommend it because I'm using it. After all, it has a free version!

    Please again, when you see a pop-up telling you that one program is not responding or one malicious program has infected your system, don't be in a haste to click on "delete", because you may end up making your system crash or freeze.
    • Pierre!:
      And my little addition to this thread:

      Always - ALWAYS - Scan in SAFE MODE. Or you are just wasting time.

      It is standard to include stealth technologies in viruses today. SAFE MODE prevents non-essential code from loading during the boot process. This leaves the viral evidence 'lying out in the open' on your hard drive; no code has loaded to thwart AV/AM scanning.

      You access SAFE MODE by pressing the <F8> key during the boot process. Power on your computer and start to tap <F8> about every 1/2 second BEFORE the Windows load banner starts... you should get a black and white text screen. I use SAFE MODE or SAFE MODE w/ Networking so that I can update signature files as needed.

      HTH
      • Jill Carpenter:
        LOL, title of this thread might be deceiving :p.
        • jhess56:
          Definitely run a deep scan with Malwarebytes.
        • CyberSorcerer:
          Originally Posted by avenuegirl:

          LOL, title of this thread might be deceiving :p.
          I figured there would be someone here that thought like I do.
  • Jake Gray:
    Hi there,

    I'd recommend doing the following:

    - Scan your Computer using Malwarebytes (Malwarebytes.com)
    * Please post report here after, I will take a look at it.

    We will move on from there,

    Jake
  • johnyeo90:
    Avast wasn't really good at virus detection. You should use Norton because it's really good. AVG and Kaspersky made your computer start up late!
    • HH89:
      The Spybot team has now confirmed this as a F/P, and are going to be fixing the detection in the next update:

      forums.spybot.info/showthread.php?p=391951

      Best of luck guys.

      Kind regards,
      - HH89
  • Hexor:
    Try installing malwarebytes and after that, let the malwarebytes scan for you. Malwarebytes Anti-Malware is a surprisingly effective freeware antimalware tool. It's a relatively speedy malware remover, with the quick scan taking about 8 minutes even with other high-resource programs running. The heuristics engine proved on multiple computers during empirical testing that it was capable of determining the difference between false positives and dangerous apps.