.topic 1001
Trojan Remover aids in the removal of Malware - Trojan Horses, Worms, Adware, Spyware - when standard anti-virus software either fails to detect them or fails to effectively eliminate them. Standard antivirus programs are good at detecting this Malware, but not always good at effectively removing it.

Trojan Remover is designed to work on Windows 98/ME/2000/XP/Vista. The program is not, at present, compatible with any 64-bit version of Windows.

The majority of Anti-Malware Scanners are well able to detect malicious software - Trojan Horses, Internet Worms, Adware/Spyware etc. - but are not always efficient in removing them once they have been triggered. Trojan Remover is designed specifically to disable/remove Malware without the user having to manually edit system files or the Registry. The program also removes the additional system modifications some Malware carries out which are ignored by some standard antivirus scanners.

Trojan Remover scans ALL the files loaded at boot time for Adware, Spyware, Remote Access Trojans, Internet Worms and other malware. Trojan Remover also checks to see if Windows loads Files/Services which are hidden by Rootkit techniques and warns you if it finds any.

Trojan Remover writes a detailed logfile every time it performs a scan. This logfile contains information on which programs load at boot-time, and what (if any) actions Trojan Remover carried out. The logfile can be viewed and printed using Notepad.

The 'FastScan' component of Trojan Remover is set to automatically scan for Malware every time you start your PC (you can disable this if you wish). You can also run the FastScan manually any time you wish (START | Programs | Trojan Remover | FastScan). This FastScan checks all program-loading points - it is a quick and effective check for actively-loading malicious programs.

You can scan the whole drive, or any directories on the drive, by selecting Scan a Drive/Directory from the main Trojan Remover menu.
You can scan individual files and directories from within Windows Explorer - simply right-click on the file/directory and select "Scan with Trojan Remover".

Trojan Remover incorporates an integral Updater allowing for quick and easy Database updates. You can use the Windows Task Scheduler to schedule automatic updates (see here for instructions).

.topic 3001
To start a scan of the computer for Malware, click on the Scan button on the opening Trojan Remover screen. A box will pop up showing that the scan is taking place.

You can stop the scan at any time by clicking on the Stop Scan button. After answering yes at the confirmation message, the scan is cancelled. This will not affect any actions already carried out by Trojan Remover.

When the scan has been completed, Trojan Remover will display the system areas that have been checked. To view the logfile showing scan information, click on the View Log button. To return to the opening Trojan Remover screen, click on the Close button.

If a program or file being loaded is either not recognised, or identified as a Known Malware Filename, an Alert box will be displayed requesting what action should be taken.

See also:
- Alerts
- Viewing/Printing Logfiles
- Scanning A Drive or Directory

.topic 22000
Scan Options can be checked and modified by selecting Options from the main menu. When an option is enabled it has a green tick next to it. Where an option is disabled it has a red cross next to it. Clicking on the option either enables or disables it.

Alert Level
You can choose between three different Alert levels:

Show alerts on confirmed Malware only [default]
An alert screen will be displayed if any scanned file is detected as malicious. This is the default (and recommended) alert level.

Show alerts on Malware & Files Not Found
An alert screen will be displayed if any scanned file is detected as malicious. An alert screen will also be shown if a registry reference is scanned that attempts to load a file that cannot be located.
This option is useful if you wish to remove an orphan registry entry left behind after a malware file has been removed.

Show alerts on all Unknown Files
An alert screen will be displayed for EVERY file found loading at boot-time. ** CAUTION ** - this option should only be selected by experienced users or on the specific advice of Simply Super Software.

Boot-time FastScan
The FastScan is the part of Trojan Remover that carries out a scan of all program-loading points when the PC is started (it can also be launched manually at any time, by selecting START | All Programs | Trojan Remover | FastScan). The FastScan is enabled by default.

Right-click menu scanning
With Right-click menu scanning enabled, in Windows Explorer you can right-click on a file/directory and select "Scan With Trojan Remover" to carry out an immediate scan of that file/directory. If you disable this option you will no longer have the "Scan with Trojan Remover" option available, until you re-enable the option.

Verified Files List
Trojan Remover maintains a database of pre-verified files. During a normal scan (but not a file/directory scan) this database is checked to determine whether a file should be thoroughly scanned or not. Scan speed is improved when this option is enabled (it is enabled by default), and the logfile produced is also smaller and thus easier to read.

Running Processes scan
During a normal scan for active malware Trojan Remover scans all Running Processes, including the process's loaded modules. This part of the scan can take some time. Disabling this part of the scan will reduce the overall scan time, without a major impact on the program's ability to detect malware (as all loading points are still checked). If you do disable this option it is recommended that you periodically re-enable it and run a full scan.

Extended logfile information
This option is disabled by default.
If you enable this option then, for every file scanned, information on the file's properties (filesize, attributes, company name etc.) is listed in the logfile. ** CAUTION ** - the logfile reports produced with this option enabled can be very large.

Heuristic rootkit detection warnings
When a scan for active Malware is carried out Trojan Remover performs heuristic tests for the presence of certain types of (malicious) rootkits. These tests can be disabled by selecting this option. You would normally only do this if previous scans have raised alerts on files/entries that you are certain are not part of a malicious rootkit.

Warnings on running Anti-Malware programs
When you run a scan with Trojan Remover, it first checks for the presence of certain other antivirus and anti-spyware programs. This is because if another anti-malware program is running it may prevent Trojan Remover from accessing (and therefore detecting, and disabling) any file that the anti-malware program itself already detects as malicious. It is always recommended that you temporarily disable any other anti-malware program when you run a scan with Trojan Remover. Even when you have already disabled your anti-malware program, Trojan Remover may still show a warning that the program is present. In such cases you can choose to disable this option.

Random filename generation protection
When you start Trojan Remover it first creates a randomly-named copy of its main program, then launches this copy. This is part of Trojan Remover's defences against malicious process-killers which try to prevent anti-malware programs from running. Some process monitors see this behaviour as "suspicious" and warn on it. If this happens you can select the option to disable random filename protection. Trojan Remover's main program will then always be directly started, using the same executable filename. Note: this option is not available in Windows Vista or above as random filename generation is not used.

Forget current window position
When you re-position Trojan Remover's main window, the program remembers this window position in future runs. Select this option to have the program 'forget' the current window position. The main window will be immediately returned to the centre of the screen. If running on a multi-monitor system, the main window will be placed in the centre of the primary monitor.

.topic 15000
You can scan a selected Drive or individual Directory by clicking on the button on the main Trojan Remover menubar. If you have not already done so, you will be prompted to first run a Scan for active Malware (you can skip this if you wish).

The Scan a Drive/Directory screen shows drive and directory selection boxes. Highlight the directory you wish to scan and click on the 'Start Scan' button to carry out the scan. If you select a drive that is not accessible (e.g. a CDROM drive with no disk in it) then an error message will be displayed.

You can select the default Action to be carried out if a Malware file is detected using the Action selection box (or by selecting 'Options | Action To Take…' from the menubar). The Actions available are:

Prompt User For Action
With this selection chosen, if a Malware file is detected an alert screen will be displayed and the Scan paused until you have determined what action you wish to carry out.

Automatically Rename Malware Files
If a Malware file is detected, the file will automatically be renamed and the Scan will continue. Note: if the Malware is located in an archive file, then the file will not be automatically renamed.

Report Only
No action will be taken on any Malware detected. Details will be reported, and recorded in the logfile.

.topic 12010
Right-click your mouse on the drive or directory you wish to scan and select the option 'Scan with Trojan Remover' (note: if you select a drive which is not accessible, for example it has no disk or CD in it, you will receive an error message).
The Trojan Remover program will be started and the Drive/Directory Scan screen displayed. The first time you run a Drive or Directory Scan you will be prompted to select the filetypes you wish to scan for. Your selection is saved and used in the future.

The screen will show which directory is to be scanned. If you do not wish to scan sub-directories of this directory, uncheck the box marked 'Check sub-directories'. Pressing the 'Start Scan' button will start the scan. Details of the progress of the scan will be displayed.

The scan can be stopped at any time by pressing the 'Stop' button. You can also pause the scan at any time by pressing the 'Pause' button. The scan will be paused until you either press the 'Resume' button to restart it, or press the 'Stop' button to cancel it.

Should a file be located which appears to be malicious, details are shown. If the default Action is to Prompt the User, a new screen will appear showing you details of the alert, allowing you to choose one of the following options:

Leave this file in place
Selecting this option will close the alert screen, and return you to the Drive/Directory scan. No action will be taken on the file.

Disable this file by renaming it
The file will be renamed so that it cannot be executed. If a file is suspicious, this is the best option to choose. You can then send a copy of the file to an anti-virus or trojan-scanner company (like Simply Super Software) for further analysis. A record of this rename operation will be written to the Trojan Remover logfile. Note: if the file has already been renamed by Trojan Remover, or it is an Archive (i.e. Zip) file, then this option is not given.

Delete this file (use with caution)
You should only select this option if you are absolutely positive that the file being scanned is Malware. A copy will NOT be sent to the recycle bin. Once you answer YES to the confirmation message the file will be deleted.
A record of this file deletion will be written to the Trojan Remover logfile. THIS ACTION IS IRREVERSIBLE.

Once you have selected the desired option, clicking on the OK button carries that operation out; the scan then proceeds (unless you choose to stop it).

NOTE: when Trojan Remover scans archive files, it creates (and later deletes) temporary directories. Whilst scanning you may notice these temporary directories being created and deleted. This is normal and is no cause for concern.

.topic 12000
Right-click your mouse on the file you wish to scan. You should see the option 'Scan with Trojan Remover'. Clicking on this option will start Trojan Remover and carry out an immediate scan on the highlighted file.

Should the file scanned appear to be a malware file, you will be presented with three different options:

Leave this file in place
Selecting this option will close the file-scan screen, and return you to the main Trojan Remover program. No action will be taken on the file.

Disable this file by renaming it
The file will be renamed so that it cannot be executed. If a file is suspicious, this is the best option to choose. You can then send a copy of the file to an anti-virus or trojan-scanner company (like Simply Super Software) for further analysis. A record of this rename operation will be written to the Trojan Remover logfile.

Delete this file (use with caution)
You should only select this option if you are absolutely positive that the file being scanned is Malware. A copy will NOT be sent to the recycle bin. Once you answer YES to the confirmation message the file will be deleted. A record of this file deletion will be written to the Trojan Remover logfile. THIS ACTION IS IRREVERSIBLE.

Once you have selected the desired option, clicking on the OK button carries that operation out and returns you to the main Trojan Remover program.

.topic 8051
You can run a scan of all currently running processes by selecting File > Scan Running Processes.
When this scan is carried out an Alert screen is shown for each running process detected, showing whatever information can be taken from the file. If the file is detected as Malware, the name of the Malware will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if any are available.

The following options are then made available to you:

Allow this process to continue running
No action will be taken on the running process and the scan will continue.

Terminate this running process
Trojan Remover will attempt to terminate the running process. If successful, a message will be displayed. If Trojan Remover is unable to terminate the running process, a warning message will be displayed. The scan of Running Processes will then continue.

Terminate this running process and rename the program file
Trojan Remover will attempt to terminate the running process. Next, the file will be disabled from re-loading by being renamed (the last letter of the file extension is changed to a "$"). If Trojan Remover is unable to immediately rename the file, once the scan of Running Processes has been completed it will offer to restart your system so that the file can be renamed during the restart process. Details of any rename operation are written to the logfile.

Click on the appropriate radio button to select the required option. Click on the OK button to accept the currently indicated option and continue with the scan. Clicking the Stop Scan button will stop the remainder of the scan and no action will be taken on the running process.

CAUTION: terminating a running process can lead to system instability. You should only terminate a running process that is confirmed as Malware by Trojan Remover, or on the direct instructions of Simply Super Software support staff.

.topic 11046
To run a manual scan of all files located in the Downloaded Program Files directory (including any sub-directories) select File > Scan Downloaded Program Files.

An Alert screen will be shown for each file detected in the Downloaded Program Files directory (or in a subdirectory), displaying whatever information can be gained from the file. If any file is suspect a warning will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available.

You can choose from the following options:

Continue to allow this file to load as normal
Selecting this option will make no changes - the file will continue to be located in the Downloaded Program Files directory (unless it is manually removed).

Prevent this file from loading by moving it
This is a good option to choose if you are not sure whether the file is Malware. Selecting this option will move the file out of the Downloaded Program Files directory in which it is located to the C:\Windows\System directory. It will also rename the file in order to prevent it from being executed. If the file is successfully moved details will be written to the logfile. If you later determine that the file is not Malware you can manually rename it and move it back to the Downloaded Program Files directory from which it was moved.

You can select the required option by selecting the appropriate radio button and then clicking on OK. Clicking on the Stop Scan button will mean that no action will be taken on the file and the remainder of the scan will be skipped.

Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware.

.topic 15100
It is possible to use the Windows Task Scheduler to carry out automatic scans with Trojan Remover.
You can schedule the on-boot scanner (FastScan) to activate at regular intervals (useful if you do not shut down your PC daily) - this will carry out a quick scan for active Malware, and alert you if it detects anything. Alternatively, you can schedule a scan for a particular drive or directory. When activated, Trojan Remover will scan the drive/directory chosen.

NOTE: as the scan is designed to run unattended, you should disable Warnings on Running Anti-Malware. To do this start Trojan Remover and select Options. Click on 'Warnings on running Anti-Malware programs enabled' to disable this option.

On XP, the Windows Task Scheduler is normally accessible via START > All Programs > Accessories > System Tools > Scheduled Tasks.

Scheduling a scan for active Malware (the on-boot FastScan)
Open the Windows Task Scheduler, and double-click on 'Add Scheduled Task'. This will start the Scheduled Task Wizard. Click on the 'Next' button. In the screen that appears, click on the 'Browse' button. Browse to the directory where you installed Trojan Remover (C:\Program Files\Trojan Remover by default) and double-click on the Trjscan.exe program. In the next two screens select the times you want the scanner to run. Clicking on the 'Finish' button on the last page closes the Wizard and your scheduled task is set up.

Scheduling a drive/directory scan
This requires slightly more work than the above task, as you need to specify to Trojan Remover what drive or directory it has to scan when activated.

Open the Windows Task Scheduler, and double-click on 'Add Scheduled Task'. This will start the Scheduled Task Wizard. Click on the 'Next' button. In the screen that appears, click on the 'Browse' button. Browse to the directory where you installed Trojan Remover (C:\Program Files\Trojan Remover by default) and double-click on the Rmvtrjan.exe program. In the next two screens select the times you want the scanner to run.
In the final screen, place a checkmark in the box labeled 'open advanced properties for this task when I click Finish'. Click on the 'Finish' button - in the screen that comes up, look at the box labeled 'Run:'. In here you will find the command that the Scheduler will actually run - it will look something like this:

    C:\PROGRA~1\TROJAN~1\RMVTRJAN.EXE

or, on 2000/XP:

    "C:\Program Files\Trojan Remover\Rmvtrjan.exe"

This line will differ depending on where your copy of Trojan Remover is actually installed.

This is where we will tell Trojan Remover what drive or directory to scan. Click your mouse inside this box so that you can edit what is there. Move to the end of the line, and add the following parameters (preceded by a space):

    /ds "[drive or directory name]"

where [drive or directory name] is the actual drive or directory you wish to scan. Here are some examples:

    C:\PROGRA~1\TROJAN~1\RMVTRJAN.EXE /ds "C:\" - this will scan the whole C: drive.
    C:\PROGRA~1\TROJAN~1\RMVTRJAN.EXE /ds "C:\Windows\" - scans the Windows directory.

On 2000/XP, the entries may look like this:

    "C:\Program Files\Trojan Remover\Rmvtrjan.exe" /ds "C:\" - this will scan the whole C: drive.
    "C:\Program Files\Trojan Remover\Rmvtrjan.exe" /ds "C:\Windows\" - scans the Windows directory.

Once you have edited the line correctly, click on the 'OK' button - your task is now scheduled.

[Note for XP Pro/Vista Users: if the User account you use to schedule this task does not require a password you will need to modify the default Windows security policies to allow the PC to run unattended scans - contact us for more information].

When the scan runs the program will appear minimized, i.e. you will only see the button on the taskbar. The warnings on running anti-malware programs are suppressed (if they were on), so that the program can run unattended. If you wish to see the progress of the scan, you can click on the program's taskbar button to open the drive/directory scan screen.
When the scan is completed, if no malware has been found (and the scan screen is still minimised) then the program will shut itself down automatically.

.topic 18000
It is possible to use the Windows Task Scheduler to carry out automatic scans with Trojan Remover. You can schedule the on-boot scanner (FastScan) to activate at regular intervals (useful if you do not shut down your PC daily) - this will carry out a quick scan for active Malware, and alert you if it detects anything. Alternatively, you can schedule a scan for a particular drive or directory. When activated, Trojan Remover will scan the drive/directory chosen.

NOTE: as the scan is designed to run unattended, you should disable Warnings on Running Anti-Malware. To do this start Trojan Remover and select Options. Click on 'Warnings on running Anti-Malware programs enabled' to disable this option.

Ensure that you are logged on with an account that has Administrator privileges. Open the Task Scheduler - START > Control Panel > System and Maintenance > Administrative Tools, then double-click "Task Scheduler" (if User Account Control is enabled, you will see a UAC elevation prompt).

Scheduling a scan for active Malware (the on-boot FastScan)
In the "Action" box on the right-hand side click on Create Basic Task.... On the screen that comes up, type in a useful name and description for the task, then click Next. On the next two screens select when you want the FastScan to run. On the next screen, in answer to the question "What action do you want the task to perform?" select Start a program, then click the Next button. In the "Start a Program" screen click on the Browse button. A window will open allowing you to browse for a program. Go to the Trojan Remover program directory (C:\Program Files\Trojan Remover by default) and double-click on Trjscan.exe. Leave the "Add arguments" and "Start in" boxes blank. Click Next then click Finish. The task is now scheduled and you can close the Task Scheduler.

Scheduling a drive/directory scan
In the "Action" box on the right-hand side click on Create Basic Task.... On the screen that comes up, type in a useful name and description for the task, then click Next. On the next two screens select when you want the scan to run. In the "Start a Program" screen click on the Browse button. A window will open allowing you to browse for a program. Go to the Trojan Remover program directory (C:\Program Files\Trojan Remover by default) and double-click on Rmvtrjan.exe. The program path and name will appear in the "Program/script" box.

In the "Add arguments" box, you determine which drive/directory Trojan Remover should scan during this scheduled scan. The format of the additional arguments is:

    /ds "[drive or directory name]"

A couple of examples may help:

    /ds "C:\Windows" - this will scan the Windows directory (and all sub-directories)
    /ds "C:\Program Files" - this will scan the Program Files directory
    /ds C:\ - this will scan the whole C: drive.

Note: if the path has spaces in it, then be sure to enclose the full path in quotes, as shown above. You should leave the "Start in" box blank.

Because Trojan Remover requires Administrator privileges to run, we have one further step to complete. Click Next. On this final screen, place a checkmark in the box "Open the Properties dialog for this task when I click Finish", then click Finish. In the Properties screen that appears, on the General tab, check the box labelled 'Run with highest privileges' then click OK. The task is now scheduled and should run at the designated time.

You can, if you wish, schedule multiple instances like this, to scan different parts of your PC each time. This may be better than scheduling one full drive scan, as such a scan will take a very long time to complete each time it is run.

When the scan runs the program will appear minimized, i.e. you will only see the button on the taskbar.
The warnings on running anti-malware programs are suppressed (if they were on), so that the program can run unattended. If you wish to see the progress of the scan, you can click on the program's taskbar button to open the drive/directory scan screen. When the scan is completed, if no malware has been found (and the scan screen is still minimised) then the program will shut itself down automatically.

.topic 9010
The FastScan runs every time you start your PC. This option is enabled by default. When enabled Trojan Remover scans all the program loading points each time Windows is started. If a suspected Malware file is located an alert screen pops up advising you to run the main Trojan Remover program in order to disable the Malware.

When the PC starts, the FastScan execution is delayed for a short time (the default is 2 minutes). This allows other programs to fully load, so that more processing time is available to the FastScan when the scan starts. This means the scan is usually faster. You can modify the delay time (or opt for no delay at all) by starting the main Trojan Remover program and selecting Options | BootScan Delay Options.

Boot-time scanning can be enabled and disabled from the main Trojan Remover menu by selecting the appropriate option from the 'Options' menu, or clicking on the and buttons.

You can also use the Windows Task Scheduler to schedule regular FastScans. See Scheduling Unattended Scans (or Scheduling Unattended Scans (Vista) if you use Windows Vista or above) for information on how to do this.

.topic 11010
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.

When a suspicious file is found being loaded via a call in the WIN.INI file an alert screen is displayed.
This screen shows the name of the file being loaded, whether it is being called by a run= or a load= line, and the line number in the win.ini file in which the call was found.

Once the scan is complete you should start Trojan Remover to remove this Malware. Clicking on the OK button will continue the scan.

.topic 11020
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.

When a suspicious file is found being loaded via a call in the SYSTEM.INI file an alert screen is displayed. This screen shows the name of the file being loaded, whether it is being called by a shell= or a scrnsave.exe= line, and the line number in the system.ini file in which the call was found.

Once the scan is complete you should start Trojan Remover to remove this Malware. Clicking on the OK button will continue the scan.

.topic 11030
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.

When a suspicious file is found being loaded via a call in the Windows Registry an alert screen is displayed. This screen shows the name of the file being loaded, and the Registry key in which the call was found.

Once the scan is complete you should start Trojan Remover to remove this Malware. Clicking on the OK button will continue the scan.

If you do not wish to see this alert again, but wish to allow the file being alerted on to continue loading, click on the Exclude button. This alert will then no longer appear, nor will the main Trojan Remover program show an alert on this file.

.topic 11040
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.
When a suspicious file is found being loaded from any Startup Group (including individual User Startup Groups), either via a Shortcut Link or directly, an alert screen is displayed. This screen shows the name of the file being loaded, and if it is a Shortcut the actual file referenced by the Shortcut.

Once the scan is complete you should start Trojan Remover to remove this Malware. Clicking on the OK button will continue the scan.

If you do not wish to see this alert again, but wish to allow the file being alerted on to continue loading, click on the Exclude button.

.topic 11050
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.

When a suspicious Program Information File is found being loaded from any system file, Trojan Remover analyses the PIF to determine the target MS-DOS application. It then scans this application. If anything suspicious is found an alert is displayed showing the PIF name and where it is loaded from, and information on the target MS-DOS application referenced by the PIF.

Once the scan is complete you should start Trojan Remover to remove this Malware. Clicking on the OK button will continue the scan.

If you do not wish to see this alert again, but wish to allow the file being alerted on to continue loading, click on the Exclude button.

.topic 3036
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a Scan from within Trojan Remover itself.

If FastScan attempts to scan a file and finds that the file is permanently in-use/locked, it will display an alert screen. This is because a number of malicious files deliberately "lock" themselves in order to avoid being scanned by anti-malware scanners.

Caution: a file NEED NOT BE MALICIOUS just because it is in-use/locked - the file could be currently open in another application, or access to it is being prevented by another anti-malware program. You should not take any action on the file unless you are reasonably satisfied that it IS malicious. In order to help you decide if a file is malicious, the Alert screen will show any additional information it can obtain about the file.

You should run a scan with Trojan Remover's main program when the FastScan has been completed. This will allow you to take action on the file. If the file is not alerted on by Trojan Remover's main scan, then the next time the alert screen appears during a FastScan you can, if you choose, select the option to exclude the file from future scans by clicking on the Exclude button.

Clicking on the OK button will continue the scan.

.topic 3039
FastScan is the component of Trojan Remover which runs each time you start your computer. It carries out the same scanning functions as are carried out when you run a normal Scan from within Trojan Remover itself.

If FastScan detects that a Windows Service is hidden using Rootkit technology it will display an alert screen. Whilst not all Windows Services hidden in this way need necessarily be malicious, the fact that it is hidden from normal scrutiny is suspicious.

You should run a scan with Trojan Remover's main program when the FastScan has been completed. This will allow you to take action on the file. If the file is not alerted on by Trojan Remover's main scan, then the next time the alert screen appears during a FastScan you can, if you choose, select the option to exclude the file from future scans by clicking on the Exclude button.

Clicking on the OK button will continue the scan.

.topic 11060
When Trojan Remover finds a suspect command line in the AUTOEXEC.BAT file an Alert screen will be shown.
Suspect lines are defined as follows:

Any line beginning with DEL
Any line containing the word DELETE
Any line containing the word FORMAT
Any line containing the word DELTREE

The Alert will show the actual suspect line being examined. You will be presented with the following options:

Leave this line in place, and suppress future alerts on it
Choosing this option will mean that Trojan Remover will allow the line to remain active in the Autoexec.bat file. Further, Trojan Remover will record the line - for all subsequent scans, Trojan Remover will *not* raise an alert for this line. This is useful for users who use DELETE commands in the Autoexec.bat to remove temporary files on a regular basis. If you wish to re-enable alerts on this line, select 'Options > Reset Suppressed Autoexec.bat Alerts' from Trojan Remover's main menubar (this option will be greyed out if Trojan Remover is not currently suppressing any alerts).

Leave this line in place
Choosing this option will mean that Trojan Remover will take no action. The line will remain active in the Autoexec.bat file.

Prevent this line from being executed by commenting it out
Trojan Remover will place a REM comment at the start of the suspect line, thus preventing it from being executed. This is the safest option to choose because if it is later determined that the line was required then it can be reinstated simply by removing the REM comment.

Prevent this line from executing by removing it
Trojan Remover will delete the line from the Autoexec.bat.

Should Trojan Remover make any modifications to the Autoexec.bat file it will save the original file as AUTOEXEC.TR. This file can then be used for recovery purposes if required.

.topic 7050
FastScan is the component of Trojan Remover that runs each time you start the PC. Some Malware programs try to conceal their presence by installing themselves as Debugger entries for other, legitimate programs. When the FastScan runs, it checks for these entries.
When the FastScan finds such a file it will display an alert screen, EVEN IF the file is not positively detected as Malware. This is because if an invalid Imagefile Debugger entry is created it could mean that the legitimate program referenced may not work properly. Caution: a file NEED NOT BE MALICIOUS just because it is installed as an Imagefile Debugger. For example, the SysInternals Process Explorer installs itself in this way (as a Debugger for Taskmgr.exe) if you choose its option to "Replace Task Manager". You are recommended not to take action on any file alerted on in this way unless it is positively identified as Malware. If you are unsure, you can submit the file to Simply Super Software for analysis. Information on how to do this is on the Support page of the website. You should run a scan with Trojan Remover's main program when the FastScan has been completed. This will allow you to take action on the file. If the file is not alerted on by Trojan Remover's main scan, then the next time the alert screen appears during a FastScan you can, if you choose, select the option to exclude the file from future scans by clicking on the Exclude button. .topic 21000 Some malware programs deliberately alter Windows settings, usually by restricting the user from carrying out certain actions. This is usually done to make it harder for the user to remove the malware. Trojan Remover checks for such alterations during a normal scan. When Trojan Remover detects that there are restrictive Windows Explorer Policies in force on the computer it displays an alert screen: NOTE: it is possible that these Policies have been deliberately created by the computer's owner, using Group Policies. You should run a scan with Trojan Remover's main program after this FastScan has been completed. When the main program detects these restrictive Policies it will show an alert screen similar to this, where you can select to remove these policies or suppress future alerts. 
See also: Explorer Policies Alert Options .topic 3005 If Trojan Remover finds a file or program it does not recognise being loaded by the system files or a Startup Group it pops up an Alert box (depending on the Alert Viewing Option chosen). The Alert will show the name and location of the called program and state whether an executable file with this name has been located in the path. ** Note ** If Trojan Remover is not able to locate the file this does not necessarily mean that it does not exist. Trojan Remover may have difficulty locating files on ancillary drives. If the location of the file is shown as being on a different drive to that from which Trojan Remover is run you should attempt to manually locate the file. Trojan Remover will compare the name of the file to a database of known Malware files. Should the names match a warning will be displayed. If the file exists, Trojan Remover will scan it to see if it contains Malware. If the file is suspect a warning will be displayed. When a file is suspect the Details button will be activated. Clicking on this button will open the Malware Reference Database and display details on the Malware. Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware. See also: Alert Viewing Options System.Ini Alert Options Win.Ini Alert Options Registry Alert Options Startup Group Alert Options .topic 3010 When Trojan Remover finds a program being loaded at boot time from the System.Ini file that it does not recognise it pops up an Alert box. The options available to you will depend on whether Trojan Remover can locate the referenced file. Select the required option by clicking on the appropriate radio button and then clicking on the OK button: If the file exists, Trojan Remover will scan it to see if it contains Malware. If the file is suspect a warning will be displayed. 
Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available. If the file can be located you will be presented with the following options: Continue to allow this program to load as normal Selecting this option will make no changes - the program will continue to load at boot time (so long as it exists). Prevent this program from running by commenting it out Selecting this option will remove the reference to the file from the SYSTEM.INI file thus preventing the program from being called at boot time. The reference will be saved in the SYSTEM.INI file as a comment. Details of this change will be written to the logfile. This option is useful if you are not sure that the program is Malware. By preventing it being called at boot time you can see if any Malware behaviour continues after a reboot. However you should note that some Malware files continuously rewrite their references in the SYSTEM.INI file. If a scan by Trojan Remover after the reboot shows that the program is once again referenced in the SYSTEM.INI file you can be fairly confident that it is Malware. Select the 'Prevent this program file from running, and rename the program file' option (explained below). Should you determine that the program should be loaded as normal, you can edit SYSTEM.INI and remove the semi-colon from the start of the SHELL= or SCRNSAVE.EXE= line in which the program name appears. Prevent this program from running by removing its reference Selecting this option will remove the call to this program from SYSTEM.INI. Details of this change will be written to the logfile. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. 
Prevent this program from running, and rename the program file You should use this option only if you are sure that the program is in fact Malware. Selecting this option will remove the call to this program from the SYSTEM.INI file. Next Trojan Remover will attempt to rename the file. If the file cannot be located a warning will be displayed. Trojan Remover may not be able to rename the file immediately as the program is in memory. Most Malware files adopt this method to try to make their detection and removal more difficult. In this event, Trojan Remover will offer to reboot the system and then rename this file. If you do not accept this option and the program is Malware, it is highly likely that the program will immediately re-infect the system. If the file is successfully renamed details will be written to the logfile. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. If the file cannot be located you will be presented with the following options: Leave this reference in place Choosing this option will mean that Trojan Remover will take no action. The file will continue to be called at boot time. Comment this reference out of the SYSTEM.INI file Selecting this option will remove the reference from the current SYSTEM.INI file. The reference will be written to a new line in the SYSTEM.INI - this new line will start with a semi-colon to ensure that Windows takes no notice of it. The logfile will be updated with details of this change. 
Should you wish to later restore this reference you can edit SYSTEM.INI and remove the semi-colon from the beginning of the line containing the referenced file name. Remove this reference from the SYSTEM.INI file Selecting this option will remove the call to this program from the SYSTEM.INI file. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. The logfile will be updated with details of this change. Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware. See also: Alerts Win.Ini Alert Options Registry Alert Options Startup Group Alert Options .topic 3020 When Trojan Remover finds a file being loaded from a LOAD= or a RUN= line in the Win.Ini that it does not recognise it pops up an Alert screen. The options available to you will depend on whether Trojan Remover is able to locate the referenced file. Select the required option by clicking on the appropriate radio button and then clicking on the OK button: If the file exists, Trojan Remover will scan it to see if it contains Malware. If the file is suspect a warning will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available. If the file can be located, you will be presented with these options: Continue to allow this program to load as normal Selecting this option will make no changes - the program will continue to load at boot time (so long as it exists). Prevent this program from running by commenting it out Selecting this option will remove the reference to the file from the current LOAD= or RUN= line thus preventing the program from being called at boot time. 
The reference will be saved in the WIN.INI file as a comment; the logfile will be updated with the details of this change. This option is useful if you are not sure that the program is a Malware file. By preventing it being called at boot time you can see if any Malware behaviour continues after a reboot. However you should note that some Malware files continuously rewrite their references in the Win.Ini file. If a scan by Trojan Remover after the reboot shows that the program is once again referenced in an active LOAD= or RUN= line you can be fairly confident that it is a Malware file. Select the 'Prevent this program file from running, and rename the program file' option (explained below). Should you determine that the program should be loaded as normal, you can edit Win.Ini and remove the semi-colon from the start of the LOAD= or RUN= line in which the program name appears. Prevent this program from running by removing its reference Selecting this option will remove the call to this program from the LOAD= or RUN= line. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. The logfile will be updated with details of this change. Prevent this program from running, and rename the program file You should use this option only if you are sure that the program is in fact Malware. Selecting this option will remove the call to this program from the LOAD= or RUN= line. Next Trojan Remover will attempt to rename the file. If the file cannot be located a warning will be displayed. Trojan Remover may not be able to rename the file immediately if the program is in memory. Most Malware files adopt this method to try to make their detection and removal more difficult. In this event, Trojan Remover will offer to reboot the system and then rename this file. 
If you do not accept this option and the program is a Malware file, it is highly likely that the program will immediately re-infect the system. If the file is successfully renamed details will be written to the logfile. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. If the file cannot be located, you will be presented with these options: Leave this reference in place Choosing this option will mean that Trojan Remover will take no action. The file will continue to be called at boot time. Comment this reference out of the WIN.INI file Selecting this option will remove the reference from the current LOAD= or RUN= line in the WIN.INI file. The reference will be written to a new line in the WIN.INI - this new line will start with a semi-colon to ensure that Windows takes no notice of it. The logfile will be updated with details of this change. Should you wish to later restore this reference you can edit WIN.INI and remove the semi-colon from the beginning of the LOAD= or RUN= line containing the referenced file name. Remove this reference from the WIN.INI file Selecting this option will remove the call to this program from the LOAD= or RUN= line. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. The logfile will be updated with details of this change. 
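The comment-out option for WIN.INI LOAD=/RUN= lines, together with the equivalent SYSTEM.INI SHELL=/SCRNSAVE.EXE= case from the earlier topic, sketched as an added example (this is not Trojan Remover's own code). The [windows] and [boot] section names come from the standard Windows INI layout rather than from this help text; the exact form of the comment line, the splitting of values on spaces and commas, and every file name are assumptions.

```python
import re

# Load points named in the help text, grouped by the INI section Windows reads
# them from ([windows] in WIN.INI, [boot] in SYSTEM.INI).
LOAD_POINTS = {"windows": {"load", "run"}, "boot": {"shell", "scrnsave.exe"}}
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^\s*(;?)\s*([\w.]+)\s*=(.*)$")

# Constructed sample WIN.INI; the paths are made up for illustration.
SAMPLE_WIN_INI = (
    "[windows]\r\n"
    "load=\r\n"
    "run=C:\\TOOLS\\PRINTMON.EXE C:\\WINDOWS\\SYSTEM\\SUSPECT.EXE\r\n"
    "NullPort=None\r\n"
    "[Desktop]\r\n"
    "run=not-a-load-point\r\n"
)


def parse_entry(body, section):
    """Return (active, key, [programs]) for a load-point line, else None."""
    m = ENTRY_RE.match(body)
    if not m or m.group(2).lower() not in LOAD_POINTS.get(section, ()):
        return None
    # Assumption: entries are separated by spaces or commas (no spaces in paths).
    programs = [p for p in re.split(r"[\s,]+", m.group(3).strip()) if p]
    return m.group(1) == "", m.group(2), programs


def walk(text):
    """Yield (raw_line, parsed_or_None) while tracking the current [section]."""
    section = ""
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        sec = SECTION_RE.match(body)
        if sec:
            section = sec.group(1).lower()
        yield raw, (None if sec else parse_entry(body, section))


def active_references(text):
    """List (key, program) pairs that will still be loaded at boot time."""
    found = []
    for _, parsed in walk(text):
        if parsed and parsed[0]:
            found.extend((parsed[1].lower(), p.lower()) for p in parsed[2])
    return found


def comment_out(text, program):
    """Drop `program` from its active line and park it on a new ';key=' line."""
    out = []
    for raw, parsed in walk(text):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):] or "\r\n"
        if parsed and parsed[0] and program.lower() in [p.lower() for p in parsed[2]]:
            _, key, programs = parsed
            kept = [p for p in programs if p.lower() != program.lower()]
            out.append("%s=%s%s" % (key, " ".join(kept), eol))
            out.append(";%s=%s%s" % (key, program, eol))  # restorable by removing ';'
        else:
            out.append(raw)
    return "".join(out)


def reappeared(text):
    """Programs that sit in a commented-out line AND in an active one again.

    This is the "reference rewritten after reboot" signal the help text describes.
    """
    active, parked = set(), set()
    for _, parsed in walk(text):
        if parsed:
            (active if parsed[0] else parked).update(p.lower() for p in parsed[2])
    return sorted(active & parked)


if __name__ == "__main__":
    cleaned = comment_out(SAMPLE_WIN_INI, "C:\\WINDOWS\\SYSTEM\\SUSPECT.EXE")
    print(cleaned)
    print("still loading:", active_references(cleaned))
    print("rewritten since last scan:", reappeared(cleaned))
```

Running `reappeared` on the file after a reboot is the check that separates a one-off stray reference from one that something keeps writing back.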
Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware. See also: Alerts System.Ini Alert Options Registry Alert Options Startup Group Alert Options .topic 3030 Trojan Remover examines all major keys in the Windows Registry that can be used to call a program or file at boot time. If it finds a program being called that it does not recognise it pops up an Alert box. The options available to you will depend on whether Trojan Remover can locate the referenced file. Select the required option by clicking on the appropriate radio button and then clicking on the OK button: If the file exists, Trojan Remover will scan it to see if it contains Malware. If the file is suspect a warning will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available. If the file can be located you will be presented with the following options: Continue to allow this program to load as normal Selecting this option will make no changes - the program will continue to load at boot time (so long as it exists). Prevent this program from running by removing its reference Selecting this option will remove the call to this program from the Windows Registry. The logfile will be updated with details of this change. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. Prevent this program from running, and rename the program file You should use this option only if you are sure that the program is in fact a Malware file. Selecting this option will remove the call to this program from the Windows Registry. Next Trojan Remover will attempt to rename the file. If the file cannot be located a warning will be displayed. 
Trojan Remover may not be able to rename the file immediately if the program is in memory. Most Malware files adopt this method to try to make their detection and removal more difficult. In this event, Trojan Remover will offer to reboot the system and then rename this file. If you do not accept this option and the program is a Malware file, it is highly likely that the program will immediately re-infect the system. If the file is successfully renamed details will be written to the logfile. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. If the file cannot be located you will be presented with the following options: Leave this reference in place Choosing this option will mean that Trojan Remover will take no action. The file will continue to be called at boot time. Remove this reference from the Windows Registry Selecting this option will remove the call to this program from the Windows Registry. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the reference will eliminate the error you may be getting each time you start Windows, stating that a file required by Windows is missing. The logfile will be updated with details of this change. Remove this reference and rename the file (if it exists) If Trojan Remover thinks that the file referenced does exist but may be stealthed (e.g. by a rootkit) then you will also be offered this option. If you choose it, the registry entry will be removed. 
Then an attempt will be made to rename the file. If it still cannot be located, a command will be set to attempt to rename the file during the next PC restart. Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware. See also: Alerts System.Ini Alert Options Win.Ini Alert Options Startup Group Alert Options .topic 3040 Trojan Remover examines all files and programs called at boot time from any Startup Group, including User Startup Groups. If it finds a file or program that it does not recognise it pops up an Alert box. If the file is called via a Windows Shortcut, the options available to you depend on whether Trojan Remover can locate the referenced file: If the file exists, Trojan Remover will scan it to see if it contains Malware. If the file is suspect a warning will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available. Continue to allow this Shortcut to load as normal Selecting this option will make no changes - the Shortcut will continue to load the file it references at boot time (so long as it exists). Remove this Shortcut from the Start Group Selecting this option will remove the Shortcut from the Startup Group from which it is loaded, thus preventing a call to the file it references. The logfile will be updated with details of this change. This option is useful if you determine that a program or file being called does not actually exist on your system. Removing the Shortcut will eliminate the error you get each time you start Windows, stating that a file required by Windows is missing. This is also a good option to choose if you are uncertain that the called file is Malware. If you later determine that the file is not a Malware file you can reinstate the Shortcut. 
If the file can be located you will be presented with this additional option: Remove this Shortcut and rename the called file You should use this option only if you are sure that the program is in fact Malware. Selecting this option will remove the Shortcut from the Startup Group from which it is called. Next Trojan Remover will attempt to rename the file referenced by the Shortcut. If the file cannot be located a warning will be displayed. If the file is called from more than one Startup Group, then Trojan Remover may already have renamed the referenced file. Trojan Remover may not be able to rename the file immediately if the program is in memory. Most Malware files adopt this method to try to make their detection and removal more difficult. In this event, Trojan Remover will offer to reboot the system and then rename this file. If you do not accept this option and the program is a Malware file, it is highly likely that the program will immediately re-infect the system. If the file is successfully renamed details will be written to the logfile. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. If the file is actually located in the Startup Group folder you will be presented with the following options: Continue to allow this file to load as normal Selecting this option will make no changes - the file will continue to be loaded at boot time (so long as it exists). 
Prevent this file from loading by moving and renaming it
This is a good option to choose if you are not sure whether the file is Malware. Selecting this option will move the file out of the Startup Group in which it is located to the C:\Windows\System directory. As the file is called from the Startup Group it is quite possible that it is still in memory, thus preventing its move. In this event Trojan Remover will offer to reboot the system and then move the file. If you do not accept this offer and the file is Malware it will simply continue to infect your system. If the file is successfully moved, details will be written to the logfile.

Exclude this file from future scans
Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu.

If you later determine that the file is not Malware you can manually move it back to the Startup Group directory from which it was originally removed.

You can select the required option by selecting the appropriate radio button and then clicking on the OK button.

Should the Malware be known to make system modifications and you elect to take action on it, Trojan Remover will offer to reset any changes made by the Malware.

See also:
Alerts
System.Ini Alert Options
Win.Ini Alert Options
Registry Alert Options

.topic 8050
Trojan Remover's normal scan for active Malware starts off by recording details of all Running Processes to the logfile. Information on the file's name, location and size is always recorded. Where possible, information taken from the file's Properties is also recorded.
This information can be useful for later analysis purposes. This Logging of Running Processes can be disabled by selecting Options from the main menubar and clicking on 'Logging of Running Processes is enabled' to turn this option off. This option will then display 'Logging of Running Processes is disabled' - click on this to re-enable the Logging of Running Processes. It is also possible to directly scan Running Processes, by selecting File > Scan Running Processes. When this scan is carried out, an Alert screen is shown for each Running Process detected, showing whatever information can be taken from the file. If the file is detected as Malware, the name of the Malware will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if any are available. The following options are available: Allow this process to continue running No action will be taken on the running process and the scan will continue. Terminate this running process Trojan Remover will attempt to terminate the running process. If successful, a message will be displayed. If Trojan Remover is unable to terminate the running process, a warning message will be displayed. The scan of Running Processes will then continue. Terminate this running process and rename the program file Trojan Remover will attempt to terminate the running process. Next, the file will be disabled from re-loading by being renamed (the last letter of the file extension is changed to a "$"). If Trojan Remover is unable to immediately rename the file, once the scan of Running Processes has been completed it will offer to restart your system so that the file can be renamed during the restart process. Details of any rename operation are written to the logfile. Click on the appropriate radio button to select the required option. Click on the OK button to accept the currently indicated option and continue with the scan. 
Clicking the Stop Scan button will stop the remainder of the scan and no action will be taken on the running process. CAUTION: terminating a running process can lead to system instability. You should only terminate a running process that is confirmed as Malware by Trojan Remover, or on the direct instructions of Simply Super Software support staff. .topic 3050 Program Information Files (PIFs) are special files used by Windows to access MS-DOS applications. When Trojan Remover encounters a PIF it analyses the file to determine the nature and location of the target application. If the application can be found it is scanned for Malware. The options available when a PIF Alert is displayed depend on where the PIF is loaded from and whether or not the target application could be located. The options are similar to those for other types of alert, but also allow for the renaming of the target application if it exists. .topic 3035 When Trojan Remover encounters a file it cannot access because the file is in-use/locked, it will display an alert screen. This alert is displayed because some malware files deliberately lock themselves to prevent them from being scanned by anti-malware programs. Caution: a file NEED NOT BE MALICIOUS just because it is in-use/locked - the file could be currently open in another application, or access to it is being prevented by another anti-malware program. You should not take any action on the file unless you are reasonably satisfied that it IS malicious. In order to help you decide if a file is malicious, the Alert screen will show any additional information it can obtain about the file. You can choose from the following options: Continue to allow this file to load as normal No action will be taken on the file, and the scan will continue. Prevent this file from loading by removing its reference Trojan Remover will remove, or comment out, the reference loading this file. 
This should ensure that the file is no longer loaded when the PC is restarted. No action is taken on the file itself. Prevent this file from loading and disable the file by renaming it This is the recommended option if you are certain that the file is malicious. The reference loading the file is removed. Next, Trojan Remover will attempt to rename the file in order to disable it. To do this, it will check if the file is currently running - if it is, Trojan Remover will attempt to halt the process from running, and then the file will be renamed. If the file cannot immediately be renamed Trojan Remover will arrange for the file to be renamed when the PC is restarted. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. Select the required option and click on the OK button. Clicking on the Stop Scan button will stop the remainder of the scan. No action will be taken on the file currently being alerted on. .topic 3038 When Trojan Remover encounters a Windows Service that is hidden using Rootkit technology it will display an alert screen. If Trojan Remover can access the file it will scan it to see if it is malicious. However such files are usually not accessible whilst the Rootkit service is running. Not all Windows Services hidden using Rootkit technology are necessarily malicious. However the fact that such a Service is hidden from normal access makes it suspicious. 
When the Alert screen is displayed you have the following options: Allow this Windows Service to load as normal No action will be taken on the file and the scan will continue. Disable this Windows Service Trojan Remover will change this Windows Service's registry Start setting to "Disabled" so that it will no longer run. This change will not take effect until the PC is restarted. Disable this Windows Service and remove the reference The Windows Service's registry Start setting will be altered to "Disabled", then the registry key loading this Service will be removed. These changes will not take effect until the PC is restarted. Disable this Windows Service, remove the reference, and rename the Service file This is the recommended option if you are certain that the file is malicious. The Windows Service's registry Start setting will be altered to "Disabled", then the registry key loading this Service will be removed. These changes will not take effect until the PC is restarted. After this Trojan Remover will attempt to rename the file. If the file cannot be immediately renamed Trojan Remover will arrange for the file to be renamed when the PC is restarted. Exclude this Windows Service from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer hidden using Rootkit technology. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. This is the recommended option if you know that the Windows Service being alerted on is not malicious. Select the required option and click on the OK button. Clicking on the Stop Scan button will stop the remainder of the scan. 
No action will be taken on the file currently being alerted on. Note: hidden Rootkit Windows Services are usually used to hide other files, often along with associated registry keys, from normal access. If you disable this Rootkit Service we highly recommend that a new scan is run with Trojan Remover once the PC has been restarted, so that it can properly scan any files that are no longer hidden. .topic 3060 When Trojan Remover finds a suspect command line in the AUTOEXEC.BAT file an Alert screen will be shown. Suspect lines are defined as follows: Any line beginning with DEL Any line containing the word DELETE Any line containing the word FORMAT Any line containing the word DELTREE The Alert will show the actual suspect line being examined. You will be presented with the following options: Leave this line in place Choosing this option will mean that Trojan Remover will take no action. The line will remain active in the Autoexec.bat file. Prevent this line from being executed by commenting it out Trojan Remover will place a REM comment at the start of the suspect line, thus preventing it from being executed. This is the safest option to choose because if it is later determined that the line was required then it can be reinstated simply by removing the REM comment. Prevent this line from executing by removing it Trojan Remover will delete the line from the Autoexec.bat. Should Trojan Remover make any modifications to the Autoexec.bat file it will save the original file as AUTOEXEC.TR. This file can then be used for recovery purposes if required. .topic 14000 If the option to Scan inside Archive files is selected, when scanning files from Windows Explorer, if Trojan Remover encounters an Archive File (i.e. a compressed file containing other files, e.g. a Zipfile) it will decompress the Archive and examine the files it contains individually. NB: if the Archive file is password-protected it will not be scanned. 
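The AUTOEXEC.BAT suspect-line rules and the three alert options described in topic 3060 above can be expressed as a small checker. This is an added example, not Trojan Remover's own code; the function names, the case-insensitive word-boundary matching, the skipping of lines already commented out, and the sample file are assumptions.

```python
import re

# The four rules come from the page. How they are matched (case-insensitive,
# whole words only, lines already commented out ignored) is an assumption.
WORD_RULES = ("DELETE", "FORMAT", "DELTREE")
COMMENT = re.compile(r"^\s*@?\s*(REM(\s|$)|::)", re.IGNORECASE)
STARTS_WITH_DEL = re.compile(r"^\s*@?\s*DEL", re.IGNORECASE)


def classify(line):
    """Return the list of rules that one AUTOEXEC.BAT line triggers."""
    if COMMENT.match(line):
        return []  # a REM'd line is never executed
    reasons = []
    if STARTS_WITH_DEL.match(line):
        reasons.append("begins with DEL")
    for word in WORD_RULES:
        # \b keeps "INFORMATION" from matching the FORMAT rule
        if re.search(r"\b%s\b" % word, line, re.IGNORECASE):
            reasons.append("contains " + word)
    return reasons


def find_suspect_lines(text):
    """Return (line_number, line, reasons) for each suspect line, 1-based."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, line, reasons))
    return hits


def apply_decisions(text, decisions):
    """Apply 'leave', 'comment' or 'remove' per line number.

    Returns (new_text, backup_text). backup_text is the untouched original,
    to be saved as AUTOEXEC.TR, and is None when nothing was modified.
    """
    out = []
    changed = False
    for number, line in enumerate(text.splitlines(), start=1):
        action = decisions.get(number, "leave")
        if action == "comment":
            out.append("REM " + line)  # reversible: delete the REM to restore
            changed = True
        elif action == "remove":
            changed = True
        elif action == "leave":
            out.append(line)
        else:
            raise ValueError("unknown action: %r" % action)
    if not changed:
        return text, None
    return "\r\n".join(out) + "\r\n", text


# Constructed sample file (not taken from a real system).
SAMPLE = (
    "@ECHO OFF\r\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
    "REM del c:\\temp\\*.tmp\r\n"
    "del c:\\windows\\temp\\*.tmp\r\n"
    "@deltree /y c:\\windows\r\n"
    "echo y | format c: /q\r\n"
    "SET INFORMATION=1\r\n"
)

if __name__ == "__main__":
    for number, line, reasons in find_suspect_lines(SAMPLE):
        print(number, line, reasons)
    new_text, backup = apply_decisions(SAMPLE, {5: "comment", 6: "remove"})
    print(new_text)
```

Line 4 of the sample is a routine temp-file cleanup that still triggers the DEL rule, which is why the alert offers "Leave this line in place" and why commenting out is the safer choice than removal.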
If one or more of the files contains Malware, an Alert Screen is displayed. This screen itemises the files contained within the Archive which appear to contain Malware and gives the Malware name. You are then presented with the following options: Leave this file in place Selecting this option will close the file-scan screen. No action will be taken on the file. Delete this file (use with caution) You should only select this option if you are absolutely positive that the file being scanned contains Malware. A copy will NOT be sent to the recycle bin. Once you answer YES to the confirmation message the file will be deleted. A record of this file deletion will be written to the Trojan Remover logfile. THIS ACTION IS IRREVERSIBLE. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. Select the required option and click on the OK button. NOTE: when Trojan Remover scans archive files, it creates (and later deletes) temporary directories off the Windows Temporary Files (normally C:\Windows\Temp\) directory. Whilst scanning you may notice these temporary directories being created and deleted. This is normal and is no cause for concern. .topic 14010 If the option to Scan inside Archive files is selected, when scanning files from Windows Explorer, if Trojan Remover encounters an SFX Archive File (a self-extracting archive file) it will decompress the file and examine the files it contains individually. NB: if the Archive file is password-protected it will not be scanned. 
If one or more of the files contains Malware, an Alert Screen is displayed. This screen itemises the files contained within the Archive which appear to contain Malware and gives the Malware name. You are then presented with the following options: Leave this file in place Selecting this option will close the file-scan screen. No action will be taken on the file. Disable this file by renaming it The file will be renamed so that it cannot be executed. If a file is suspicious, this is the best option to choose. You can then send a copy of the file to an anti-virus or trojan-scanner company (like Simply Super Software) for further analysis. A record of this rename operation will be written to the Trojan Remover logfile. Delete this file (use with caution) You should only select this option if you are absolutely positive that the file being scanned contains Malware. A copy will NOT be sent to the recycle bin. Once you answer YES to the confirmation message the file will be deleted. A record of this file deletion will be written to the Trojan Remover logfile. THIS ACTION IS IRREVERSIBLE. Exclude this file from future scans Choose this option if you no longer wish Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. You should note that if you select this option, the file will continue to be excluded from future scans, even if, when such a scan is carried out, the file is no longer in-use/locked. If you select this option to exclude the file from future scans, you can arrange for the file to be re-included in future scans by selecting File > Manage Excluded Files from the main menu. Select the required option and click on the OK button. NOTE: when Trojan Remover scans archive files, it creates (and later deletes) temporary directories off the Windows Temporary Files (normally C:\Windows\Temp\) directory. Whilst scanning you may notice these temporary directories being created and deleted. 
This is normal and is no cause for concern. .topic 4050 Some Malware programs try to conceal their presence by installing themselves as Debugger entries for other, legitimate programs. Trojan Remover checks for such programs during the Normal scan (and also during a FastScan). When Trojan Remover finds such a file it will display an alert screen, EVEN IF the file is not positively detected as Malware. This is because if an invalid Imagefile Debugger entry is created it could mean that the legitimate program referenced may not work properly. Caution: a file NEED NOT BE MALICIOUS just because it is installed as an Imagefile Debugger. For example, the SysInternals Process Explorer installs itself in this way (as a Debugger for Taskmgr.exe) if you choose its option to "Replace Task Manager". You are recommended not to take action on any file alerted on in this way unless it is positively identified as Malware. If you are unsure, you can submit the file to Simply Super Software for analysis. Information on how to do this is on the Contact Us page of the website. When the alert screen is displayed, the options available depend on whether the Imagefile Debugger file can be found. If the file cannot be found, the option to rename the file is not available. The general options are: Leave this reference in place No action will be taken on the file, and the scan will continue. This is the default action to take unless the file is positively identified as Malware. Remove this reference from the Windows Registry Trojan Remover will remove this Imagefile Debugger entry. This will disable the file concerned from loading when the referenced legitimate program is executed. Remove this reference from the Windows Registry and disable the file by renaming it [This option is only available if the file concerned actually exists] This is the recommended option if the file is positively identified as Malware. The reference loading the file is removed. 
Then the file is renamed (during a reboot if necessary) to ensure that it can no longer run. Exclude this file from future scans Select this option if you no longer want Trojan Remover to show an alert screen when this file is scanned. No action will be taken on the file. Select the required option and click on the OK button. Clicking on the Stop Scan button will stop the remainder of the scan. No action will be taken on the file currently being alerted on. .topic 4060 Trojan Remover examines all applications set up as Scheduled Tasks. If the file is suspect an Alert screen will be displayed. Clicking on the Details button will open the Malware Reference Database and provide details on the Malware, if they are available. Where possible further information on the Scheduled Task will also be presented, giving details of last and next run times, etc. On this Alert screen you have the following options: Take no action on this Scheduled Task If you select this option no action will be taken on the scheduled program. The Scheduled Task will remain in place, and if enabled and scheduled, will continue to run at its scheduled time(s). You should select this option if you do not wish to take action immediately, perhaps preferring to submit the referenced file for analysis before deciding what action to take. Delete this Scheduled Task (no action will be taken on the called file) Select this option if you wish to remove this Scheduled Task. The program referenced will then no longer run at the scheduled time(s). The program file itself will remain in place. Delete this Scheduled Task and disable the called file Select this option to remove the Scheduled Task, and disable the called file by renaming it. Trojan Remover will (if it can) remove the Scheduled Task. Then the called file will be renamed in order to disable it. If the file cannot be renamed immediately Trojan Remover will rename the file when the PC is restarted. 
You should select this option when you are sure that the called file is malicious. Exclude this Scheduled Task from future scans You should select this option if you no longer want Trojan Remover to show an alert screen for this file. No action will be taken on the file. If you select this option, the file will be excluded from all future scans, unless and until you remove it from the "Excluded Files" list using File > Manage Excluded Files. You should choose this option if you are sure that the referenced file is not malicious. Select the required option and click on the OK button. Clicking on the Stop Scan button will stop the remainder of the scan. No Action will be taken on this Scheduled Task. .topic 19000 When Trojan Remover detects any additional file that is malicious, it may display a File Alert form, giving information on what has been detected: You have the following options: Take no action on this file No action will be taken on the file. Delete this file (file will be deleted permanently) Select this option if you wish to permanently delete this file. It will not be sent to the Recycle Bin. You should only do this when you are sure that the file is Malware. Disable this file by renaming it [recommended] The file will be renamed (.REN will be added to the end of the filename). This effectively disables the file from running. When you are sure that the file is malicious you can then locate the renamed file and delete it. This option is safer than immediately deleting the file, as it allows you to restore it should you find that the file is not actually malicious. Exclude this file from future scans (no action will be taken on it) Choose this option if you do not want to see an alert on the file during future scans. No action will be taken on the file. If you later decide you wish to see an alert on this file again you can remove its entry using Trojan Remover's Excluded Files Manager. Select the required option and click on the OK button. 
Clicking on the Stop Scan button will stop the remainder of the scan. No Action will be taken on this file. Clicking on the Details button (if it is enabled) will take you to the Malware Reference Database and show any information listed there on this Malware. .topic 20000 Some malware programs deliberately alter Windows settings, usually by restricting the user from carrying out certain actions. This is usually done to make it harder for the user to remove the malware. Trojan Remover checks for such alterations during a normal scan. When Trojan Remover detects that there are restrictive Windows Explorer Policies in force on the computer it displays an alert screen: The screen shows which restrictive Windows Explorer Policies are in force and what the Policies restrict. You have the following options: Remove these restrictive Policies Click on the OK button to remove these Policies. Unless you see an error message the Policies will be removed and the restrictions will no longer be in place (you may need to restart the PC for some of the Policy effects to be disabled). NOTE: it is possible that these Policies have been deliberately created by the computer's owner, using Group Policies. You should not click on the OK button unless you are sure that these Policies should not be in effect. Leave these restrictive Policies in place Click on the Cancel button to leave these Policies in place. The Alert screen will be closed. If you do not wish to see this alert screen the next time you run a scan, place a checkmark in the box labelled 'Do not show this warning again' before you click the Cancel button. .topic 3007 You can choose from three different levels of Alert Viewing. Trojan Remover can be set to only pop up an Alert screen when a confirmed Malware file is detected (the default), to pop up an alert on confirmed malware and files not located, or it can be set to show an Alert screen on all unknown files called at boot-time. 
To set the Alert level select the required choice from the 'Options' menu; you can also click on the or button to choose between the first and third options. .topic 2001 When a scan has been completed, you have the option of viewing the logfile by clicking on the View Log button. You can view the logfile by selecting the File | View Log File… or by clicking the button. The logfile will be opened in Notepad (or whichever program you have designated to open .TXT files), from where you can print it. The Logfile is named TRLOG.TXT and is normally stored in the User's My Documents\Simply Super Software\Trojan Remover Logfiles directory. You may have more than one if scans are run by different users on the same PC - each user will have their own logfile. This logfile is automatically truncated by Trojan Remover when it reaches a certain size. Older information is removed first. .topic 4010 You can check online for updates by clicking on the "Update" button in Trojan Remover's main menu or by selecting "Help > Check for Updates" from the main menu. This will launch the Trojan Remover Updater. You need to ensure that you are already connected to the Internet before checking for updates. If you use a firewall then you will need to ensure that your firewall allows "Trojan Remover Updater" to access the Internet. The Updater will first check online to see if there are any Program or Database updates available. If there are you will be offered the option to download the update(s). Clicking on the Update button on the Updater screen starts the update. All files needed for the update are downloaded and automatically installed, and where necessary registry information is updated. Normally Trojan Remover can update itself without requiring a reboot, but if a reboot is necessary then you will be prompted, and the update will only be complete once you have rebooted. 
Should you wish you can manually download new Program Updates from: http://www.simplysup.com/update/ See also: Updating the Known Malware Database Scheduling Automatic Update Checks .topic 4001 Additions are made to the Malware Databases in-between releases of updated program versions of Trojan Remover. Click on the "Update" button on Trojan Remover's main menubar to allow Trojan Remover to check online for updates. Alternatively you can select "Help > Check for Updates" from the main menu. You need to ensure that you are already connected to the Internet before using this option. This will launch the Trojan Remover Updater which will check online to see if there are any updates available. If there are, the Updater will on request download and automatically install the updates. See also: Updating Trojan Remover Scheduling Automatic Update Checks .topic 15200 It is possible to use the Windows Task Scheduler to schedule automatic update checks. Windows 98/ME/2000/XP Open the Windows Task Scheduler - START > All Programs > Accessories > System Tools > Scheduled Tasks. Double-click on 'Add Scheduled Task'. This will start the Scheduled Task Wizard. Click on the 'Next' button. In the screen that appears, click on the 'Browse' button. Browse to the directory where you installed Trojan Remover (C:\Program Files\Trojan Remover by default) and double-click on the trupd.exe program. In the next two screens select the days/times you want the automatic update check to be carried out. It is important to select a time when you are fairly confident that the PC will be connected to the Net. The Updater cannot start its own Internet connection so the PC must already be connected. If you are on XP or later, you may be asked to also input your User Account password. In the final screen, place a checkmark in the box labeled 'Open advanced properties for this task when I click Finish'. Click on the 'Finish' button. In the screen that comes up, look at the box labeled 'Run:'. 
In here you will see the command that has been set up to run the Updater. Click your mouse inside this box so that you can edit what is there. Move to the end of the line and add the following parameter, preceded by a space: /silent The line should then be similar to: "C:\Program Files\Trojan Remover\trupd.exe" /silent Of course it may differ on your PC if you have installed Trojan Remover to a different directory. Once you have edited the line correctly click on the 'OK' button - the task is now scheduled. When the scheduled automatic update is started, it will silently attempt to contact one of the update servers (chosen randomly). If a Database update is found, the Updater will attempt to silently download and install it, without requiring User intervention. If a Program Update is found, the normal Updater screen will be displayed allowing you to manually proceed with the update, or cancel it. If no update is found, or a connection could not be made, a note will be added to the Update logfile. This logfile can be viewed in Trojan Remover by selecting 'Help > View Update Log'. ** IMPORTANT** For the Updater to be able to connect to the update website, the PC must be connected to the Internet when the Updater runs. Also, you must ensure that any firewall you have installed is configured to allow the Updater program trupd.exe to connect to the Net. ** NOTE FOR WINDOWS XP USERS ** If the User account you use to schedule this task does not have a password assigned to it (i.e. the password is blank), then you will need to make a system modification to allow scheduled tasks to be run. This is what you need to do: For Windows XP Pro Click START > Control Panel. Double-click on Administrative Tools. Double-click on Local Security Policy. In the left-hand pane, navigate to Local Security Policy > Security Settings > Local Policies > Security Options. 
In the right-hand pane find the option labelled 'Accounts: Limit local account use of blank passwords to console logon only'. This policy is enabled by default - right-click on it, and select Properties. Change it from Enabled to Disabled. For Windows XP Home You will need to manually modify the Windows Registry. WARNING: serious problems might occur if you modify the registry incorrectly. If you are not familiar with using Regedit, contact us for further advice. Using regedit, navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa You should see a value labelled limitblankpassworduse, set to 1. Modify this value, changing the 1 to 0 [zero]. Windows Vista Ensure that you are logged on with an account that has Administrator privileges. Open the Windows Task Scheduler - START > Control Panel > System and Maintenance > Administrative Tools, then double-click "Task Scheduler" (if User Account Control is enabled, you will see a UAC elevation prompt). When the Task Scheduler screen appears, in the "Action" box on the right-hand side click on Create Basic Task.... On the screen that comes up, type in a useful name and description for the task (we use "Trojan Remover Scheduled Updates", and "Automatically checks for updates at the selected date/time"), then click the Next button. On the next two screens, select when you want the Updater to run. When scheduling the updater, ensure you choose a time when you know the PC will be running and connected to the Internet. On the next screen, in answer to the question "What action do you want the task to perform?", select Start a program, then click the Next button. On the "Start a Program" screen click on the Browse button. A window will open allowing you to browse for a program. 
Go to the directory that Trojan Remover is installed in (C:\Program Files\Trojan Remover by default) and double-click on trupd.exe (or just trupd, if you have the option to hide known file extensions enabled in Windows Explorer). This will place the full path to the filename into the "Start a Program" screen, looking like: "C:\Program Files\Trojan Remover\trupd.exe" Of course it may differ on your PC if you have installed Trojan Remover to a different directory. Next, in the "Add arguments (optional)" box, type /silent - this ensures that the Updater works without requiring prompting. Click the Next button. On the last screen, check the box labelled 'Open the Properties dialog for this task when I click Finish', then click Finish. In the Properties screen that appears, on the General tab, check the box labelled 'Run with highest privileges', then click OK. The task is now scheduled. When the scheduled automatic update is started, it will silently attempt to contact one of the update servers (chosen randomly). If a Database update is found, the Updater will attempt to silently download and install it, without requiring User intervention. If a Program Update is found, a message will be displayed advising you to start Trojan Remover and click on the Update button to manually update the program (Program Updates cannot be installed automatically in Vista as Administrator privileges are required). If no update is found, or a connection could not be made, a note will be added to the Update logfile. This logfile can be viewed in Trojan Remover by selecting 'Help > View Update Log'. ** IMPORTANT** For the Updater to be able to connect to the update website, the PC must be connected to the Internet when the Updater runs. Also, you must ensure that any firewall you have installed is configured to allow the Updater program trupd.exe to connect to the Net. 
.topic 9999 Windows 98/ME/2000/XP To uninstall Trojan Remover, click on the START button in the Windows taskbar, then on Programs > Trojan Remover > Uninstall Trojan Remover. Alternatively, click on the Start button and select Control Panel. Double-click on Add/Remove Programs, highlight Trojan Remover Version x.x.x, and click the Add/Remove button. Windows Vista Click Start > Control Panel, then double-click on Programs and Features. Highlight Trojan Remover Version x.x.x, and click on Uninstall. You will be prompted for Administrator credentials (unless you have disabled User Account Control). If you are unable to uninstall Trojan Remover in this way, this is usually because one or more components have already been manually removed. To fix this, re-install a new FULL copy of Trojan Remover and then restart your PC. The Uninstall should then work correctly. .topic 7000 You can access this database from the opening Trojan Remover screen by selecting 'Help | Malware Reference' from the main menu, or clicking on the button. The database is searchable by Malware name and by the Port Number particular Remote Access Trojans use. When searching, the program will find all Malware in the database that matches the given information. You can scroll through the entries using the Previous and Next buttons. Individual Malware information can be printed by using the Print button. .topic 8000 Simply click on the Register Online Now! link on the opening Trojan Remover expiry warning screen. Alternatively, if the program has not yet expired, you can select Register | Register Trojan Remover... from the main menu. Make sure that you are online - the link will launch your default web browser. You will be taken to a secure online server, where you can register Trojan Remover using your credit card. 
Should you prefer not to provide your credit card details online, the site offers a way for you to enter your personal details, and then transmit your credit card information via phone or fax. Other payment methods are available at the registration site, including PayPal, check payment, etc. Information on all registration methods, including information on current pricing, is available at the Registration website: http://www.simplysup.com/tremover/register.html We currently use two different online registration services, Plimus.com and Regsoft.com. Customers from EU companies are recommended to use the Plimus.com registration portal, as you will not be charged VAT. Customers from the Rest of the World can use either portal. Direct secure links to the registration portals are here: Plimus.com https://www.plimus.com/jsp/buynow.jsp?contractId=1659980 Regsoft.com http://www.regsoft.net/purchase.php3?productid=57822 UK Customers Only If you are based in the UK and wish to order by mail, you can send payment direct to: Simply Super Software PO Box 2849 Nuneaton Warwickshire CV10 7YX The current cost will be shown on the registration page of the website. Please make all cheques payable to: SIMPLY SUPER SOFTWARE. When your registration has been authorised you will receive an email containing your Username and Licence Key. You will need to enter this information into the program in order to remove the expiry limitations. To do this, start Trojan Remover. When the expiry-warning screen appears click on the Enter Licence Key button. Enter your Username and Licence Key in the spaces indicated and click on the OK button. You should see a message stating that the registration has been successfully completed. If you are using Windows 2000 or later you will need to start Trojan Remover from an account with Administrator privileges in order to successfully register the program. 
.topic 17001 Reset Internet Explorer Home/Start/Search Page Settings Some Malware programs make changes to the Internet Explorer Home, Start and Search Page settings in order to re-direct the web browser to different websites. This Utility will reset the Home/Start/Search pages to standard Defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default). Reset Windows HOSTS file The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often - by equating the website name (e.g. microsoft.com) with its DNS address (e.g. 207.46.130.108), the web browser can find the website more quickly as it does not have to query a DNS Name Server. Some Malware programs add entries to this file, to either deny access to websites (usually security-related or antivirus company websites), or to re-direct access to websites of their choosing. This Utility will reset the HOSTS file to the default as installed, i.e. with no re-directs. Reset Windows Update Policies Some Malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update by blanking out the Windows Update options on the Update configuration screen. This Utility will check the current Windows Update settings and correct them where necessary. Repair Layered Service Provider registry entries Some Adware/Spyware programs install themselves as "Layered Service Providers". If such a program is removed, but the Registry entries it has created are not repaired, then Internet connectivity can be lost. This Utility will check for Layered Service Provider entries referencing missing DLL components, remove any such entries, and re-number the remaining entries so that Internet connectivity can be restored. 
Note: you should only use this Utility if you are currently unable to connect to any websites and you believe that this started to happen after an Adware/Spyware component was removed/disabled. Reset Windows Explorer Policies Some Malware programs make changes to the Windows Explorer Policies settings, usually in order to restrict a user's ability to reset malicious changes carried out by the Malware. Examples include disabling access to the Windows Control Panel, disabling access to modifying the Windows Desktop (wallpaper, screensaver etc.), and disabling the ability to manually edit the Windows Registry. This Utility will reset the Windows Explorer Policies settings to their normal defaults. .topic 16000 The Excluded Files Manager is used to manage which files and directories are excluded from scanning. It is accessed by selecting File > Manage Excluded Files, or by clicking on the button. Any files or directories already excluded will be shown in the Exclusions List. You can Add a file/directory to this list, and you can Edit or Remove an existing entry. Adding a Directory/File to be Excluded Files are normally added to the Excluded Files list when a User selects the option to Exclude a file from scanning during one of Trojan Remover's normal scanning routines. Using the Excluded Files Manager you can manually add files and directories to be excluded by Trojan Remover's scans. Click on the Add button. An Edit Window will appear. Here you can manually type in the file/directory to exclude (ensure you type in the FULL path to the file/directory). Alternatively, you can click on the button. This will open up an Explorer-type Window to allow you to browse for the file/directory you wish to add to the Excluded Files List. If you choose to add a directory, ALL sub-directories of that directory will ALSO be excluded from scanning. 
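Returning to the "Reset Windows HOSTS file" utility in topic 17001 above: the two kinds of added entry it describes (denying access to a site, or re-directing it) can be told apart before anything is reset. This is an added example, not Trojan Remover's own code; the function names, the treatment of `localhost` as the only default name, and the sample hostnames and addresses are assumptions.

```python
import ipaddress

# Assumption: a default HOSTS file maps only this name, to a loopback address.
DEFAULT_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (entries, malformed).

    entries is a list of (line_number, address, hostname), one per hostname;
    malformed is a list of (line_number, raw_line) that could not be parsed.
    """
    entries, malformed = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if not fields:
            continue  # blank or comment-only line
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((number, raw))
            continue
        if len(fields) < 2:
            malformed.append((number, raw))
            continue
        for name in fields[1:]:
            entries.append((number, address, name.lower().rstrip(".")))
    return entries, malformed


def audit_hosts(text):
    """Flag every non-default mapping as 'blocked' or 'redirected'."""
    findings = []
    entries, _ = parse_hosts(text)
    for number, address, name in entries:
        if name in DEFAULT_NAMES and address.is_loopback:
            continue  # the expected default entry
        # A name pointed at loopback or 0.0.0.0 can no longer be reached;
        # any other address sends the browser somewhere else.
        sinkholed = address.is_loopback or address.is_unspecified
        findings.append({
            "line": number,
            "host": name,
            "address": str(address),
            "kind": "blocked" if sinkholed else "redirected",
        })
    return findings


def reset_hosts(text):
    """Keep comments, blank lines and default loopback entries only."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            kept.append(raw)
            continue
        try:
            loopback = ipaddress.ip_address(fields[0]).is_loopback
        except ValueError:
            continue  # malformed line is dropped
        names = [n for n in fields[1:] if n.lower() in DEFAULT_NAMES]
        if loopback and names:
            kept.append(fields[0] + "\t" + " ".join(names))
    return "\r\n".join(kept) + "\r\n"


# Constructed sample; hostnames use .example and the address is from a
# documentation range.
SAMPLE_HOSTS = (
    "# sample HOSTS file\r\n"
    "127.0.0.1 localhost\r\n"
    "127.0.0.1 update.av-vendor.example # added entry\r\n"
    "0.0.0.0 www.av-vendor.example scan.av-vendor.example\r\n"
    "203.0.113.10 www.bank.example\r\n"
    "not-an-ip broken.example\r\n"
)

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print(reset_hosts(SAMPLE_HOSTS))
```

Recording the audit output before resetting preserves which sites were targeted, which is useful evidence when identifying the Malware responsible.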
Editing an Existing Item in the Excluded Files List Select the item you wish to edit by clicking on it once with the mouse, to highlight it. The Edit button will be enabled. Click on the Edit button. This will open an Edit Window and allow you to make your changes. Pressing OK on the Edit Window will temporarily save the changes you have made. The changes will become permanent only when you click OK on the Excluded Files Manager screen. Removing an Item from the Excluded Files List Select the item(s) you wish to remove by clicking on it with the mouse, to highlight it. Multiple items can be selected by holding down the Ctrl button and clicking on each item you wish to remove in turn. The Remove button will be enabled. Click on the Remove button to remove the item(s). When you click on the OK button on the Excluded Files Manager screen, the item(s) are permanently removed from the Excluded Files List, meaning that these items WILL now be included during Trojan Remover's Active and Drive/Directory scans. Any changes you make in the Excluded Files Manager will NOT be saved unless you click on the OK button (this button is disabled if you have made no changes). If you click on the Cancel button, any changes you have made will be discarded, and no changes will be made to the Excluded Files List. Any items shown in the Excluded Files List will automatically be excluded from Active and Drive/Directory Scans. However, if the item is a file, it CAN be scanned if you locate the file, right-click on it, and select "Scan with Trojan Remover". .topic 6000 Contacting Simply Super Software: Email: simplysupsupport@aol.com Trojan Remover website: www.simplysup.com/tremover Address: PO Box 2849 Nuneaton Warwickshire United Kingdom CV10 7YX .topic 13000 If you are unsure that a file detected by Trojan Remover is actually Malware you may wish to send a copy to Simply Super Software for further analysis. 
The file should be placed in a zip file password-protected with the password "infected". Details of how to do this are below. Then send the file as an email attachment to submit@simplysup.com with the subject 'File For Analysis'. When sending the email, please be sure to include:
1) an email address where you can be contacted
2) details of why you believe the file to be infected
Note: if you are going to send the sample via Yahoo or Google Mail, then you should change the file extension of any executable file (e.g. .exe, .com, .scr) to something else (e.g. .ex0, .co0, .sc0) before placing it in the zipfile, otherwise these email providers will prevent the email from being sent.
Creating a password-protected zip file
If you have Windows XP or later
1. Using Windows Explorer, locate the first file you want to zip.
2. Right click on the file and select "Send To" and "Compressed (zipped) Folder".
3. Right click any other files you want to compress and select "Copy".
4. Right click on the compressed folder and select "Paste". The copied files will be compressed and pasted in.
5. Right click on the file and select "Explore".
6. In "File" select "Add a Password". Enter the password "infected" and confirm the password.
If you have an earlier version of Windows
1. Download a zip utility. An evaluation version of WinZip is available free from www.winzip.com. Other utilities are available from: http://www.freedownloadscenter.com/utilities/Compression_and_Zip_File_Utilities - the instructions below are for WinZip.
2. Using Windows Explorer, locate the first file you want to zip.
3. Right-click on the file and select "WinZip" and "Add to Zip File".
4. In "Add to Archive" enter the path and name you want your zip file to have.
5. Click "Password" and enter the password "infected".
6. Click "Add".
7. If you wish to add other files, on the WinZip window that appears, click "Add" and select any other files you want to add to the zip file.
8. When you have finished adding files, select "File" and "Close Archive".
The zip file is now ready for sending.
.topic 24000
Why does my Process Monitor always raise an alert when I start Trojan Remover?
When Trojan Remover launches, it creates a randomly-named copy of the main executable file, then launches this copy. This is part of Trojan Remover's defenses against malicious process killers. Some Process Monitors see this behaviour as suspicious. You should instruct your Process Monitor to always allow this behaviour by Trojan Remover, or you will continue to get alerts each time the program is launched. However, if your Process Monitor acts simply on filenames, and not by checking the executable properly (by MD5 signature, for example), then you may continue to see alerts as Trojan Remover's main filename is different each time it is launched. One way to stop these alerts is to start Trojan Remover, select Options and click on "Random filename generation protection enabled" to turn this option off. You should then instruct your Process Monitor to always allow Trojan Remover to launch RMT.EXE. Turning off random filename generation does make Trojan Remover more vulnerable to malicious process killers: however, your Process Monitor itself should prevent any such malicious activity, so there should be no increased risk.
My Firewall/Process Monitor shows an alert saying that Trojan Remover wants to create a service called TRDUMMYnn (where nn are random numbers). Is it safe to allow this?
Yes, you should allow this action. TRDUMMYnnn is part of Trojan Remover's routines to check for stealthed (rootkit) drivers. Basically, Trojan Remover writes a dummy service entry to the registry, just to confirm that it has write access. The entry is immediately deleted. You should instruct your Firewall/Process Monitor to always allow this.
Kaspersky Antivirus shows an alert screen every time I start Trojan Remover, about a "hidden install".
I have added Trojan Remover to the Trusted Zone, but I still get the alerts - how do I stop this? Start Trojan Remover. When the "hidden install" alert appears, click on "Add to Trusted Zone". In the screen that appears, click on the blue highlighted "Hidden install.." message next to Verdict mask. In the box that appears, remove the checkmark from the "Advanced Settings" box. Click on OK to close the box, click on OK again to close the Exclusion Mask box. The "hidden install" alert should no longer appear when you start Trojan Remover. .topic 28000 When Trojan Remover has completed a scan, why do I see the message "One or more files are currently excluded from scanning"? This means that during the scan (or during an earlier scan) you selected the option to disable one or more files from scanning when you were presented with an alert screen. You can review which files are currently excluded from scanning by selecting File | Manage Excluded Files from Trojan Remover's main menu. Here you can add, remove or edit the entries. .topic 27000 When I run Trojan Remover's installation (or Update) program the installation screen appears, and then disappears. I cannot install/update the program. Some malware programs deliberately try to prevent the installation of anti-malware programs. If, when trying to install Trojan Remover, you see the installation screen completely disappear whilst you are installing the program, this is probably being caused by the malware program shutting down our installer. The work-around for this is to run a "silent" install. Ensure that you have saved the trsetup.exe (or trjnnn.exe, where nnn is the version number, if you are trying to run the Program Update) file to a directory on your PC. Click START > Run. In the box that comes up, type in: "\trsetup.exe" /silent ("\trjnnn.exe" /silent if installing the Program Update) and press the ENTER key. Replace with the actual path to where you saved the downloaded setup file. 
Make sure that the path and filename are surrounded by quotes, as shown in the examples above. For example, if you have saved the setup file to C:\My Downloads, then the command would look like this: "C:\My Downloads\trsetup.exe" /silent (there is a space before the /silent). This will install Trojan Remover to the default directory, i.e. C:\Program Files\Trojan Remover. You will see a progress window as the installation proceeds. You may need to try this a couple of times - the installation is fast, but it needs to be faster than the malware trying to stop it. You will know the install has succeeded when Trojan Remover's icon appears on the desktop. If you still cannot install Trojan Remover using this method, then you should try to install the program in SAFE mode. Why do I get an error message about a missing file when I try to uninstall Trojan Remover? The usual reason for errors when uninstalling Trojan Remover is that one or more components have been manually removed. The fix is to download and install a new FULL copy of the program. Once installed go to START | All Programs | Trojan Remover | Uninstall Trojan Remover (in Windows Vista, go to Start | Control Panel | Programs | Uninstall a Program - select Trojan Remover then click on the Uninstall button near the top of the window). .topic 29000 How do I submit a file for analysis? Instructions on how to send file(s) to Simply Super Software for analysis are on the Contact Us page of the website. Trojan Remover renames Malware files. Why doesn't the program just delete these malicious files completely? This is a quarantine function. Trojan Remover renames Malware files by adding the extension '.VIR' to the filename. This disables the file from being run. If the file was immediately permanently deleted, and then you realised that you wanted to keep the file (either for analysis, or (rarely) if it was a false positive detection), it would be too late.
By renaming the file, you have the opportunity to restore it should you wish to (simply by removing the '.REN' extension). When you have decided you do not want to keep the disabled file, you can simply delete it. You can also run a Directory scan with the option 'Scan Files already renamed by Trojan Remover' checked. When such a file is located, Trojan Remover will then offer to permanently delete the file. .topic 30000 I get the error message "A required DLL file, GDIPLUS.DLL, was not found" (or "The dynamic link library gdiplus.dll could not be found") when I try to start Trojan Remover (or the FastScan runs). Earlier versions of Trojan Remover required the use of the Microsoft Windows file GDIPLUS.DLL. Later versions do not. Update your program to the latest version and this should resolve the issue. To update, download and manually install the latest Program Update for Trojan Remover from the Updates page. Why, when I start Trojan Remover, does it just hang, consuming 100% (50% on dual-core processors) of CPU time? The most likely cause is a known conflict with System Mechanic, from Iolo Systems. Our Support page has more detailed information on this problem and a work-around. How do I fix the error message "The application failed to initialize properly (0xc0000005)."? This error message can be caused by a malware program attempting to prevent Trojan Remover from running. Try the following work-around to run a scan with Trojan Remover: Locate the Trojan Remover program files directory (normally C:\Program Files\Trojan Remover). Make a copy of the "rmvtrjan.exe" file. Rename this copy to a different name (anything you choose, e.g. "mynewprog.exe"). Double-click on this renamed file to start Trojan Remover. The program should now start, and you will be able to run a scan. .topic 31000 Why does the FastScan screen appear blacked out when I start the PC? 
When you start the PC and the FastScan screen appears, sometimes the screen appears to be blacked out, and the titlebar says that the FastScan program is "not responding". This happens when Vista is busy dealing with all the other program startup requirements. There is no need for you to do anything; the FastScan will start scanning correctly once it is allocated enough processor time. Why do I get a User Account Control prompt every time I start Trojan Remover? If you have User Account Control (UAC) enabled (it is enabled by default, and Microsoft highly recommend you leave it enabled), each time you start Trojan Remover you will see a UAC elevation prompt. This is because Trojan Remover requires access to protected system areas and processes. It is more sensible to ask for UAC elevation the one time, when the program starts, rather than ask each time a different protected area is accessed during the scan. .topic 10 Context-sensitive help is available in most entry fields. With the cursor placed in a text-entry box or in a control box pressing F1 will bring up specific help as required. For general help select 'Help | Contents…' from the main menu, click on the Contents tab and choose the topic of interest. To search the help file either click on the Index tab or on the Find tab. .topic 12100 A file scanned by Trojan Remover may contain Malware. The alert screen shows the file name and location, and which Malware (if identified). You have three options: Leave this file in place Selecting this option will close the file-scan screen, and return you to the main Trojan Remover program. No action will be taken on the file. Disable this file by renaming it The file will be renamed so that it cannot be executed. If a file is suspicious, this is the best option to choose. You can then send a copy of the file to an anti-virus or trojan-scanner company (like Simply Super Software) for further analysis.
A record of this rename operation will be written to the Trojan Remover logfile. Delete this file (use with caution) You should only select this option if you are absolutely positive that the file being scanned is Malware. A copy will NOT be sent to the recycle bin. Once you answer YES to the confirmation message the file will be deleted. A record of this file deletion will be written to the Trojan Remover logfile. THIS ACTION IS IRREVERSIBLE. Once you have selected the desired option clicking on the OK button carries that operation out; if there are further files to be scanned the scan will continue. If the file being scanned has already been renamed by a previous Trojan Remover operation the Alert Screen will state this. You will not have the option to Rename this file, as it has already been renamed. When you are certain that the file is actually a malicious file, and not a valid system file which has been wrongly renamed, you should select the Delete option.
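The "Disable this file by renaming it" option and the quarantine FAQ describe a reversible rename that is written to the logfile and that refuses to rename an already-renamed file. The Python below is an added example of that pattern, not Trojan Remover's own code: the '.VIR' extension is taken from the FAQ text, while the function names, the log record layout and the sample file are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

QUARANTINE_EXT = ".VIR"  # assumption: the extension the FAQ says is added

def sha256_of(path):
    """Hash the content so a log entry identifies the file whatever its name."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def _record(log, action, src, dst):
    log.append({"action": action, "from": src, "to": dst, "sha256": sha256_of(dst)})

def is_renamed(path):
    return path.upper().endswith(QUARANTINE_EXT)

def quarantine(path, log):
    """Disable a file by renaming it. Nothing is deleted or overwritten."""
    if is_renamed(path):
        raise ValueError("already renamed: " + path)
    target = path + QUARANTINE_EXT
    if os.path.exists(target):
        raise FileExistsError(target)  # keep any earlier quarantined copy
    os.rename(path, target)
    _record(log, "rename", path, target)
    return target

def restore(path, log):
    """Undo the rename by stripping the added extension."""
    if not is_renamed(path):
        raise ValueError("not a renamed file: " + path)
    original = path[:-len(QUARANTINE_EXT)]
    if os.path.exists(original):
        raise FileExistsError(original)  # never clobber a file now at that name
    os.rename(path, original)
    _record(log, "restore", path, original)
    return original

def demo():
    # Rename/restore cycle on a constructed, harmless sample file.
    log = []
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.exe")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample, not real malware")
        held = quarantine(sample, log)
        back = restore(held, log)
        return os.path.basename(held), os.path.basename(back), log
```

Recording the content hash with each rename lets a later reviewer confirm that the file being restored or deleted is the same one that was quarantined, even if its name has changed in between.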