ItsGeekToMe.co
The official home of It's Geek to Me on the web!
Issue #320: September 8, 2013
Q: My computer was recently hit with Trojan.Gen2. Any time it’s on I get a constant stream of virus alerts. Currently using Symantec plus the standard Windows firewall and full security on Explorer. Symantec says it is successfully quarantining them, but they never stop coming. Running Symantec Eraser is the only way I have found to stop them. They drop into a file name and location that I cannot find on my computer (C:\users\bare\appdata\locall\temp\dwhxxx.tmp). I don’t see any degradation in computer performance, so I am not convinced the virus is impacting anything other than being a total nuisance. Suggestions please?
– Barrty B.
Niceville, Florida
A: Well, you’ve got a dandy one there, Barrty. Trojan.Gen.2 is the nightmare stuff people think of when they think of malware, all rolled into one tidy package. I don’t think the pop-ups you are experiencing are necessarily the virus being detected. One of the functions of the virus is to generate a stream of pop-ups that are usually advertisements. That’s actually one of the more benign things this malware does. The real threat comes from what you don’t see. Trojan.Gen.2 contains remote-access functions and a complete spyware suite, including a keystroke logger. With these tools, it is capable of stealing sensitive information such as account numbers and passwords, which can then be used either to access your accounts or simply to be sold on the black market. The person who released the virus can also log on to your computer from anywhere in the world and take control of it, running it as if he were sitting right in front of it.
As you might expect, malware with those kinds of capabilities is well-protected, and can be quite difficult to remove. Nevertheless, your regular scanner should have detected and removed it. Since it’s reappearing, it appears you are being continually re-infected, which means either you’re repeatedly visiting an infected website, or you’re running an infected program on your computer. Is it possible that you have an infected website as part of your home page configuration? Newer versions of Internet Explorer can be configured with multiple home pages, which each open in a separate tab. Check carefully and make sure any sites that auto-load are trustworthy. Also check all toolbars and browser helper objects that load with IE to make sure that none of them are rogue agents. You can get to the list in IE by going to Tools->Manage Add-Ons. In the box marked “Show” select “All add-ons” then review the list. Any that you don’t trust or can’t identify should be disabled. Make note of what you disable, because if you find out later you need something, you can always come back in and re-enable it.
You might want to take the extra step of taking your system off the Internet and rebooting it in Safe Mode. Having no Internet connection severs any remote control abilities, and running in Safe Mode removes most of the mechanisms that many types of malware use to hide themselves. Once you’re up in Safe Mode, run a complete system scan, and let your antivirus do its job. Hopefully it will remove all traces of this very nasty bug from your machine. Then you can reboot normally, and hook back up to the Internet.
TIP OF THE WEEK: Virus E-mails – I recently received an e-mail from a friend warning me about an e-mail that appears to come from UPS about a package that couldn’t be delivered. The warning stated that opening the e-mail would release a virus onto my computer. The reality is that the e-mail in question is just a single example of thousands of e-mails that can and do spread malware. Rather than rely on warnings about specific e-mails, it is far more effective to learn the warning signs of the types of e-mail that spread malware, and moreover, to be vigilant when you open any e-mail – even if it appears to come from someone you know and trust. In the case of the e-mail mentioned above, the message contains an attachment that claims to be an invoice. Careful examination of the attachment shows the file to have an extension of .exe, which means executable program – a sure sign of trouble for anyone unwary enough to run it. For more tips on avoiding troubles with e-mails, see the extra content from this week’s column on my website at ItsGeekToMe.co.
Bonus Web-only Content:
E-mail is a very common vector for malware infections to find their way into your computer. Knowing a few relatively simple things can arm you against this threat, and perhaps make the difference between avoiding an infection or not. Read and heed the following tips, and just maybe you’ll avoid becoming a victim.
1) Never, EVER open any file attachment that arrives in an e-mail from a stranger, even if the e-mail claims the attachment is an invoice, packing list, or photo. Also be wary of phishing e-mails that appear to come from your bank or credit card company, telling you that your account has been locked, or that the company needs to “verify your account information”. Absolutely no legitimate financial company will ever request your account information via e-mail!
2) If file attachments arrive from acquaintances, double and triple check the file extension. If it’s .exe, never, EVER open it. If it’s anything else, verify with the sender that it’s legitimate BEFORE attempting to open it. Look carefully at the file extension, and remember that only the characters after the LAST dot are the actual extension! If you see a file named Invoice.docx.exe, it is NOT a document — it is an executable program, probably a virus payload.
3) If you’re one of those types of people who forwards around jokes, inspirational stories, etc., to a list of people, use the BCC: field. Never enter a list of e-mail addresses in either the TO: or CC: fields. Doing so exposes the e-mail address of everyone on the list to everyone you’re sending the e-mail to. E-mail addresses should be protected as if they are unlisted telephone numbers. You wouldn’t send a list of those to all your friends, would you?
4) If you forward an e-mail from someone who didn’t follow rule 3), REMOVE the list of e-mail addresses from the body of the e-mail before you send it, to protect the addresses from further exposure. After all, you don’t know where the e-mail will eventually get sent.
5) Never, EVER enter your, or someone else’s, e-mail address into a web form that says something like “Share this page with a friend”. Chances are, they are harvesting e-mail addresses to sell to SPAM lists. If you want to share a site with a friend, copy the link out of your address bar, compose a message to the person you want to send it to, and paste the link into the body of the message. (Of course, if the person is wise, they will check with you before clicking on the link!)
6) If an e-mail encourages you to “forward this to everyone in your address book”, that’s an almost sure sign you’re dealing with something you should NOT forward to everybody. If it’s not a malware payload, it’s probably an urban legend e-mail circulating for the umpteenth time. When you forward these, you’re just propagating junk mail. You can check out the veracity of wild claims in such e-mails at Snopes.com or UrbanLegends.com.
7) By the way, just for the record, nobody anywhere has ever, or will ever, pay you cash for each e-mail you read or send. Period. So don’t fall for that one when you read it!
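The “only the characters after the LAST dot count” rule from the file-extension tip above, as an added Python example written for this page (it is not code from the column). The extension lists are the editor’s own assumptions; it also generalizes the tip from .exe to other file types Windows runs directly and flags the Invoice.docx.exe style of decoy name.

```python
# Attachment triage based on the true (last-dot) extension.
# Assumption: these lists are the editor's illustrative choices, not from the column.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".ps1", ".msi", ".hta", ".lnk", ".cpl",
}
# Extensions that look harmless and are commonly used as the "decoy" part
# of a double-extension name such as Invoice.docx.exe.
DOCUMENT_LIKE = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".zip"}


def _base_name(filename: str) -> str:
    """Strip any directory part (either separator) and trailing spaces/dots,
    which Windows discards when it writes the file."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .")


def true_extension(filename: str) -> str:
    """Return the real extension: everything after the LAST dot, lower-cased.
    A name with no dot, or a leading-dot name like .htaccess, has none."""
    name = _base_name(filename)
    dot = name.rfind(".")
    return "" if dot <= 0 else name[dot:].lower()


def assess_attachment(filename: str) -> dict:
    """Apply the column's rule: executable extension -> block outright;
    anything else -> verify with the sender before opening."""
    name = _base_name(filename)
    ext = true_extension(name)
    parts = name.lower().split(".")
    # A document-looking piece right before the real extension is a decoy.
    decoy = "." + parts[-2] if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_LIKE else ""
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "extension": ext,
        "verdict": "block" if executable else "verify",
        "disguised": executable and bool(decoy),   # e.g. Invoice.docx.exe
    }


if __name__ == "__main__":
    # Constructed sample attachment names for demonstration.
    for sample in ["Invoice.docx.exe", "photo.jpg", "Invoice.EXE ", "README"]:
        print(assess_attachment(sample))
```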
Until next week – good luck and happy computing!
– Geek