{"id":8,"date":"2008-06-04T13:01:00","date_gmt":"2008-06-04T07:31:00","guid":{"rendered":"http:\/\/guganeshan.com\/blog\/?p=8"},"modified":"2009-12-18T13:59:43","modified_gmt":"2009-12-18T08:29:43","slug":"infected-with-a-tro","status":"publish","type":"post","link":"https:\/\/guganeshan.com\/blog\/infected-with-a-tro.html","title":{"rendered":"Infected with a Trojan"},
"content":{"rendered":"<ol>\n<li>Do you see one or more of the following files getting created in the root of every drive you access?\n<ul>\n<li>autorun.inf<\/li>\n<li>autorun.ini<\/li>\n<li>fun.exe<\/li>\n<li>download.exe<\/li>\n<li>coursework.exe<\/li>\n<li>crazya.exe<\/li>\n<li>oalvm.com [EDITED ON 10th JUNE]<\/li>\n<\/ul>\n<\/li>\n<li>Do you see any of the executables mentioned above (the ones with the .exe or .com extension) running in the &#8216;Processes&#8217; list of the Task Manager?<\/li>\n<li>Do you get an &#8216;Open with&#8217; dialogue box when you double-click a drive in &#8220;My Computer&#8221;, instead of the drive opening?<\/li>\n<li>Do you see any of the above-mentioned executable files in the &#8220;C:\\Documents and Settings\\All Users\\Application Data&#8221; folder?<\/li>\n<li>Do you see the words &#8220;gods must be creazy&#8221; in the title bar of Internet Explorer? Yeah, you read it right: it should be &#8220;crazy&#8221;, but the creator has written it as &#8220;creazy&#8221;! \ud83d\ude42<\/li>\n<\/ol>\n<p>Then it&#8217;s time to panic! (a little). Because the computer is infected with a Trojan&#8230;<\/p>\n<p>I am used to the practice of suspending anti-virus software to conserve memory (especially when using memory-intensive software like Microsoft Visual Studio) and got the computer infected with a Trojan when I shared my thumb drive with another person!<\/p>\n<p>I thought it&#8217;s just a poor old Trojan that I can remove in a second using the existing anti-virus software, but it didn&#8217;t even detect it.<\/p>\n<p>Terminating the process named crazya.exe was impossible (I even tried the &#8220;<strong>TaskKill<\/strong>&#8221; DOS command repeatedly in a loop with the \/f option to force the termination, but it was no use).<\/p>\n<p>The biggest surprise came when I Googled the file name &#8220;crazya.exe&#8221;&#8230; I got only 7 results in Google! Of those, one was from a Chinese web site and one from Sri Lanka itself. That meant trouble for me, because either it has no cure or it&#8217;s a new Trojan. But I confirmed that it&#8217;s a Trojan only from those 7 results I found (none of them had a tool to clean it&#8230; but one of them mentioned the well-known <a href=\"http:\/\/en.wikipedia.org\/wiki\/HijackThis\" target=\"_blank\">HijackThis<\/a> diagnostic tool).<\/p>\n<p>One site named it as: <strong>&#8220;Trojan horse Generic8.GHY&#8221;<\/strong>. And another one said it&#8217;s from the malware group named: <strong>&#8220;Trojan.agent.gen&#8221;<\/strong>.<\/p>\n<p>Anyway, what I did to get rid of it was:<\/p>\n<ol>\n<li>Ran <a href=\"http:\/\/en.wikipedia.org\/wiki\/HijackThis\" target=\"_blank\">HijackThis<\/a> (it&#8217;s a free diagnostic tool)<\/li>\n<li>In the list of processes and registry entries it shows, I selected all the entries that had the word &#8220;crazya.exe&#8221; (the other executable names were not there for me)<\/li>\n<li>Clicked on the &#8220;<strong>Fix Checked<\/strong>&#8221; button<\/li>\n<li>Manually deleted the files I mentioned from the root of every drive<\/li>\n<\/ol>\n<p>That&#8217;s it&#8230; it was gone.<\/p>\n<p><strong><span style=\"color: #ff0000;\">Warning:<\/span><\/strong> The recommended practice is to create a log with <a href=\"http:\/\/en.wikipedia.org\/wiki\/HijackThis\" target=\"_blank\">HijackThis<\/a> and post it in anti-adware\/malware forums so that experts can diagnose the problem. If you don&#8217;t know what you are doing, you might delete important registry entries using the excellent <a href=\"http:\/\/en.wikipedia.org\/wiki\/HijackThis\" target=\"_blank\">HijackThis<\/a> tool.<\/p>\n<p>[EDIT: On another PC, the HijackThis tool alone was not enough, and I had to restart the PC in &#8216;Safe Mode&#8217; and delete the files (listed at the beginning of the post) from the root of every drive, because the files were running in memory.]<\/p>\n<p>Hope this helps someone.<\/p>\n<p style=\"font-weight: bold; color: #ff0000;\">UPDATE [on 10th February 2009]:<\/p>\n<p>I tried the latest &#8220;<strong>Kaspersky Anti-Virus 2009<\/strong><span style=\"font-weight: bold;\"> Free 30 Day Trial<\/span>&#8221; with an infected thumb drive, and the software detects and deletes the Trojan files. Hope this helps someone (download and try the Kaspersky Anti-Virus 2009 free trial from the &#8220;trials&#8221; page here: <a href=\"http:\/\/www.kaspersky.com\/trials\">http:\/\/www.kaspersky.com\/trials<\/a>).<\/p>\n<p>And thank you very much for the comments.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Do you see one or more of the following files getting created in the root of every drive you access? autorun.inf autorun.ini fun.exe download.exe coursework.exe crazya.exe oalvm.com [EDITED ON 10th JUNE]<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,6],"tags":[28,19,29,68],"class_list":["post-8","post","type-post","status-publish","format-standard","hentry","category-featured-articles","category-privacy-and-security","tag-anti-virus","tag-security","tag-tips","tag-troubleshooting"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/posts\/8","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/comments?post=8"}],"version-history":[{"count":13,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/posts\/8\/revisions"}],"predecessor-version":[{"id":35,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/posts\/8\/revisions\/35"}],"wp:attachment":[{"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/media?parent=8"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/categories?post=8"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/guganeshan.com\/blog\/wp-json\/wp\/v2\/tags?post=8"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
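The symptom list and the four clean-up steps in the post above amount to a manual triage of a USB autorun worm: the autorun.inf dropped in each drive root tells Explorer which executable to launch on AutoPlay (the `open` and `shellexecute` keys) and can also replace the drive's Open/Explore actions (`shell\<verb>\command` keys), which is typically why double-clicking the drive shows an "Open with" prompt once the referenced executable is gone but the stale entry remains. The Python script below is an added example, not the post's own procedure (the author used HijackThis and manual deletion): it parses an autorun.inf for the programs it would launch and checks a drive root for the file names the post lists, reporting any launch target that is no longer present. The sample autorun.inf and the temporary "infected" root built by `demo()` are constructed here; the post does not quote the real file. Listing a drive root from a script, unlike double-clicking it in Explorer, does not trigger AutoRun.

```python
"""Triage helper for the autorun.inf worm symptoms described in the post.

Added example, not the author's tooling. The file names come from the
post's symptom list; the sample autorun.inf and the temp-dir 'drive root'
built by demo() are constructed here, the post does not quote the real file.
"""
import os
import re
import tempfile
from pathlib import Path

# Names the post says appear in the root of every drive accessed.
SUSPECT_NAMES = {
    "autorun.inf", "autorun.ini", "fun.exe", "download.exe",
    "coursework.exe", "crazya.exe", "oalvm.com",
}

# [autorun] keys whose value Explorer executes: 'open' and 'shellexecute'
# run on AutoPlay; shell\<verb>\command replaces the drive's Open/Explore
# actions, so a stale entry pointing at a deleted .exe is the usual cause of
# the 'Open with' prompt when the drive is double-clicked.
_EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# First token of a command line: "quoted program" or a bare path.
_PROGRAM = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample, shaped like USB worms of the period (mixed case,
# stray whitespace, a comment, a quoted command with an argument).
SAMPLE_AUTORUN_INF = """[AutoRun]
; dropped by the worm
OPEN = crazya.exe
shell\\open=Open(&O)
shell\\open\\Command="crazya.exe" -autorun
shell\\explore\\command=download.exe
shellexecute=crazya.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text: str) -> dict:
    """Map each launching key in [autorun] to the program it would run.

    Keys are lower-cased; arguments and surrounding quotes are dropped.
    Other sections, comments and non-launching keys (icon, label, ...)
    are ignored.
    """
    targets = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if _EXEC_KEY.match(key) and value:
            m = _PROGRAM.match(value)
            targets[key] = (m.group(1) or m.group(2)).strip('"')
    return targets


def scan_root(root: Path) -> dict:
    """Report the post's indicators in one drive root (read-only check).

    Matching is case-insensitive because FAT/NTFS are. Only bare file names
    are checked for existence; a target with a directory or %VAR% part is
    reported as-is for manual review.
    """
    names = {p.name.lower() for p in root.iterdir() if p.is_file()}
    present = sorted(n for n in names if n in SUSPECT_NAMES)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    launches = parse_autorun(inf.read_text(errors="replace")) if inf else {}
    missing = sorted({t for t in launches.values()
                      if "\\" not in t and "%" not in t and t.lower() not in names})
    return {"root": str(root), "present": present,
            "launches": launches, "missing_targets": missing}


def windows_drive_roots() -> list:
    """Every mounted X:\\ on Windows; empty on other systems."""
    return [Path(f"{d}:\\") for d in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            if os.path.exists(f"{d}:\\")]


def demo() -> dict:
    """Scan a constructed 'infected' root: two dropped files plus an
    autorun.inf whose Explore verb points at a file that is no longer there."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
        for name in ("crazya.exe", "fun.exe"):
            (root / name).write_bytes(b"MZ placeholder, not a real PE")
        return scan_root(root)


if __name__ == "__main__":
    import json
    roots = windows_drive_roots()
    print(json.dumps([scan_root(r) for r in roots] or [demo()], indent=2))
```

The script only reports; it deletes nothing. That matches the post's own experience: the worm's executable cannot be removed while its process is running, which is why the author needed Safe Mode on the second PC, and a scan like this is most useful before and after that clean-up to confirm every drive root is clear.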