Hi all,
I'm trying to help someone with trojans on his computer but he's quite security conscious, so my assurances of "it's probably fine" are not quite enough. I thought I'd better ask some more informed people to get a better understanding of what, if anything, he has to worry about.
He's using Symantec Endpoint Protection, which seems to be similar to Norton Internet Security, and since it's the antivirus part that's picking this up and there's no specific forum for Endpoint Protection I thought this would be the best place to post. Apologies if it is not.
The computer is old and running Windows XP Professional SP2. It's his work computer and he uses it for some kind of remote desktop. The last thing I want is to accidentally stop him from connecting to his office - he would not take it lightly.
A few days ago (3rd March) the first reports came up, several a minute at one point, of "Trojan.Gen" and "Trojan.Shylock.B!gen[1-3]", with some "Backdoor.Trojan" and "Trojan.Ransomlock.G". I tried Norton Power Eraser and Spybot, then running the normal Endpoint Protection antivirus scan in safe mode with networking, but it didn't seem to make much of a difference. At one point a full system scan did come up clean, but since then there have been a few more detections.
I thought it was coming from ads on websites he was visiting (he was using IE8) so I persuaded him to use Chrome with Adblock Plus. Since I installed that (yesterday) there has only been one risk detected by the antivirus (as opposed to 20+ per day) and it's Trojan.Gen.2. I had hoped to find something out by comparing the time that was detected with his browsing history, but according to that he was not browsing anything at the time.
He also noticed some strange files in C:\Windows\Temp which we have now deleted. Their modified dates were coinciding with detections and the file names were similar to what was being detected.
Since it now seems unlikely that the trojans are coming from ads on websites, he is worried that one of them has opened some kind of backdoor which is allowing more through.
Does anyone have any suggestions on how to completely remove these, or perhaps someone can at least give some insight which might reassure him a bit?
Thanks very much,
Ben