How do I know if I managed to completely remove an undetected trojan?

Question

I catched a trojan that uses explorer.exe to reproduce itself in case of deletion of its autostart entry or main exe file in Programs/x.

It had already tried to contact a suspicious server over explorer.exe, blocked that via my firewall.

I:

• Removed the autostart entries from the registry
• Looked through my services if there was anything suspicious
• Deleted the trojan from Programs/
• Went through System Volume Information to find a 2 month old explorer.exe and replaced the possibly infected one.

There are no suspicious processes running now anymore (no duplicate explorer.exe) and nothing wants to connect this trojan owners sever either.

I checked my system with several anti-malware programs too.

What the trojan did:

• Started a second explorer.exe
• Always when I deleted the main trojan exe file it was reproduced (by the second explorer.exe)
• Always when I deleted the autostart entry it was reproduced by the explorer.exe too.

When I terminated the suspicious explorer.exe, which used only half as much memory as the less suspicious one from Windows, a strange thing that I know from the computers in my Informatics class happened:

A window popped up in the top left of my explorer-less desktop, titled "Personal settings for ... are ..." that obviously copied some files. Then both explorer.exes started again and the trojan was everywhere again.

• What did the trojan actually do to get explorer to rescue it?
• Is my PC clean of this newish trojan now?
• What are the other locations I should check for the trojan?
• The trjoan doesn't seem very high-level, could it have changed other system files or is the autostart entry vital for it?

Answer 1

You can never be 100% totally sure you completely removed a trojan horse. Once your security is breached, you don't know what exactly happened.

You seem to have figured it out quite well as to what it did to your system. But what if it installed a rootkit you didn't find and is invisible for your anti-virus software?

There are tons of things to think off like above example. The one and only way to be completely sure is a reinstall of the complete system.

If you're not up to that, run a few anti virus software packages etc. check all your startup settings (registry, msconfig etc) look for "strange" running processes and kill them to see what happens.

Answer 2

As it was said, without a full reinstall you couldn't be completely sure... However if you take the time to deeply inspect your system (often more time than applying a good backup/reinstall strategy...) you could have an outside chance that's something remains. So here are some free tools to do it. (by order of personal preference)

Start and finish by a sfc /scannow in an administrator command prompt to verify all the system files

Antimalware scanners

• Avira
• Kaspersky Virus Removal Tool
• Malwarebytes' Anti-Malware
• a-Squared Emergency USB Stick
• SpyBot - Search & Destroy
• PrevX (A very good heuristic scanner. It has some false positive results and doesn't remove all malware with the free version but could be useful to spot some nasties...)

For more security use multiple engines and use them from a boot media (like ubcd4win) or another (well protected) computer.

Rootkit detector

• RootkitRevealer
• RootRepeal
• Sophos Anti-rootkit
• Gmer (maybe the more powerful one but also the harder to use...)

Deep system inspection tools

• System Explorer lists processes, startups, services, drivers... And check the suspicious one with it's own database, VirusTotal or Jotti services.
• Sysinternals Autoruns
• Sysinternals ProcessExplorer
• Svchost analyzer

Bonus: An interesting video with Mark Russinovich (creator of ProcessExplorer & Autoruns) about Malware Cleaning

Answer 3

Use Lavasoft_Ad_Aware_Anniversary_2009_Professional_8.0.7, spybot search& destroy or SUPERAntiSpyware

Answer 4

(1) If it was completely undetected, you can never be entirely sure you got it all.

(2) I would recommend a Mac instead.