Advice on recovering from a Trojan attack

Well, I’m pretty angry at myself at the moment. I just let a Trojan wreak havoc on my D: & E: partitions (on a 250GB HDD) and now everything is gone. It seems AVG has found and deleted the culprit (found in msconfdrv.exe, the name was “Trojan horse Generic.ODZ”), but I’m worried that there may be residual effects.

Should I take this opportunity to reformat? Or is it safe for me to start moving things back in? Better yet, is there some way for me to possibly recover the lost files? I’ve checked for data recovery programs and services, but I’m not sure I’d be willing to shell out hundreds for them.

100% Safe - Reformat
100% Saved Time - Just scan and then move back in.

I’m sure there are some file-restoration tools that will let you restore files as a trial or whatever.

Check out “Hirens Boot CD” it might have the tools you need.

Go to and grab counterspy trial. That mixed with avg will ensure you’re clean. No use rebuilding until you’re sure that C: is ok. I’m not sure about the behavior of that particular trojan, but either it just deleted the files, or it was really nice and shredded them too. If it just deleted them from the table of contents of the drive and you haven’t written a lot to it, then I’d see about using “Filescavenger” on it. It’s not free, but I’ve used it a couple of times to recover stuff employees tried to wipe off their laptops when they quit. Pretty much gets everything back.

Just depends on if your data is worth cash to you or not.

Grab Hitman Pro, it's a batch program that will install and run a list of Spyware killers automatically.

The trouble with Trojans is that they can often leave little “sleeper cell” files in various places on your computer that eventually regenerate the whole thing when accessed enough. Some of these are accessed right at boot, and then act to preserve themselves so that when you run another scan, they are immune. Running active protection can help, but one way to be as thorough as possible without reformatting is to run the best virus-scan stuff you can from a Live CD.

Now, the most active way to do this is with a BartPE Live CD, with a bunch of antivirus tools, since you can just remove the viruses right off. But if you aren’t used to that kind of thing, BartPE can be kind of daunting to build. As an alternative to that, you can download an ISO of Knoppix ( ). Now, since I’m lazy, I’m going to refer you to an O’Reilly article for the rest:

The thing with using Knoppix is that by default, it won’t write to an NTFS (WinXP) filesystem. So you can either make it do so, or just let it output a list of the troublesome files it finds and print it off (or email it to yourself and print the email if knoppix can’t handle your printer). Then you can delete the files manually from safe mode.

I’m paranoid, so what I would do is drop all my data files (MP3s, documents, saved games, etc.) and organize them onto DVD (verify after write) or, if a bit lazy, onto another hard drive (non-bootable!).

Nuke it all, and let god sort 'em all!
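The Live CD scan-and-list approach described above, written out as an added example that was not posted in this thread: a POSIX shell script meant to be run from a Linux rescue disc that ships ClamAV. It assumes (hypothetically) that the Windows partition is /dev/sda1, that ntfs-3g is available to mount it read-only at /mnt/win, and that clamscan reports hits as "path: Signature FOUND"; it turns those hits back into C:\ paths so the list can be printed off and worked through by hand from Safe Mode.

```shell
#!/bin/sh
# Added example, not code from the thread. Run from a Linux live CD with ClamAV.
# Assumed layout: Windows partition /dev/sda1, mounted read-only at /mnt/win.

MOUNTPOINT="${MOUNTPOINT:-/mnt/win}"   # where the NTFS volume gets mounted (assumption)
DRIVE_LETTER="${DRIVE_LETTER:-C:}"     # drive letter the mount corresponds to in Windows
LOG="${LOG:-/tmp/clamscan.log}"        # clamscan's own log, parsed afterwards

# Mount the NTFS partition read-only: nothing on the disk is altered by the scan,
# and a live CD that will not write to NTFS anyway loses nothing by being explicit.
mount_readonly() {
    dev="$1"
    mkdir -p "$MOUNTPOINT"
    mount -t ntfs-3g -o ro "$dev" "$MOUNTPOINT"
}

# Translate one clamscan hit line into a Windows path plus signature name, e.g.
#   /mnt/win/WINDOWS/system32/sample.exe: Trojan.Generic FOUND
# becomes
#   C:\WINDOWS\system32\sample.exe Trojan.Generic
# Lines that are not hits (": OK", summary lines) produce no output.
hit_to_windows_path() {
    line="$1"
    case "$line" in
        *" FOUND") ;;
        *) return 0 ;;
    esac
    rest="${line% FOUND}"          # drop the trailing " FOUND"
    sig="${rest##*: }"             # text after the last ": " is the signature
    path="${rest%: *}"             # text before it is the Linux path
    rel="${path#"$MOUNTPOINT"}"    # strip the mount point prefix
    win=$(printf '%s' "$rel" | sed 's#/#\\#g')   # forward slashes -> backslashes
    printf '%s%s %s\n' "$DRIVE_LETTER" "$win" "$sig"
}

# Turn a whole clamscan log into a printable list of Windows paths, one per line.
report_from_log() {
    while IFS= read -r line; do
        hit_to_windows_path "$line"
    done < "$1"
}

# Full procedure: mount, scan recursively, print only infected files, then
# emit the Windows-path list to stdout (redirect it to a file to print or e-mail).
scan_and_report() {
    dev="${1:-/dev/sda1}"
    mount_readonly "$dev"
    # clamscan exit codes: 0 clean, 1 infections found, 2 error.
    clamscan -r -i -l "$LOG" "$MOUNTPOINT"
    rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "clamscan reported an error; see $LOG" >&2
        return 2
    fi
    report_from_log "$LOG"
    return "$rc"
}

# Only run the real scan when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--run" ]; then
    scan_and_report "${2:-/dev/sda1}"
fi
```

Invoke it as `sh scan.sh --run /dev/sda1 > hits.txt`; the exit code is clamscan's, so a status of 1 means the list in hits.txt is non-empty. The path translation is kept in its own function so the log can be re-parsed later without re-running the scan.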

No antivirus is 100%, it’s just not possible. They can only scan for known signatures. If it is a small-distribution trojan (put a file up for 1 day, pull it after), you could very well go undetected. There are, after all, largely disseminated viruses that go undetected for a long time (example: the Sony rootkit).

I recommend you muster ~1000 ships and march on their city. Get Odysseus if he’s available, and don’t fall for his “I’m insane” routine.

  • Alan

Before I started using a router (when I figured that directly connecting to the net wasn’t a big deal, and that only paranoid people used firewalls), I got backdoored by something which set up my computer as a remote MP3 server and warez drop. Considering I was sitting on a 100 Mbit connection at the time, I noticed this when my hard drive was practically running red-hot and blowing smoke (as maxing my net connection was something that ate my drive alive).

I removed it manually as fast as I could, using information available on the net for dealing with such an issue. I then bought a router before putting my machine back on the net. I also formatted and reinstalled, to be safe.

So… yeah. Format.

That reminds me, if you’re going to try and not reformat, definitely run RootkitRevealer (easy to find on Google).