Infected with Trojan Horse

clylbw

Hi,

A scan with Symantec indicates that a file in my machine, svchost.exe, is infected with a Trojan Horse. I could not delete it as access was denied, and I went to Task Manager and tried to end its process first in order to be able to delete it.

Then strange things happened. Each time I tried to end the process of svchost.exe (there are quite a few of them under this name, according to Task Manager), the following error message came up: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly. Then it automatically shut down and restarted again in 1 minute's time.

I wonder how to deal with this problem? My OS is XP and the file system is NTFS. In the past I had ended the process through Task Manager and then deleted the infected file, but it does not work this time.

BTW, is there a better firewall and anti-Horse software? I use Sygate but it seems to have failed this time.

Please let me know ASAP. Thanks indeed.
 
Clylbl, is the trojan trojan.tofger? Because I think that that is the trojan that I still have, lol. Not too bothered as I don't use this pc for trading. Not sure if this will work, but try starting the pc in safe mode.

Good Luck

Ilia
 
Hi Skim, ilia king,

I think it is svchost that was indicated by Symantec, as there is no scvhost in the Task Manager. But I am doing another scan now, and am waiting for confirmation.

I was first alerted yesterday when the speed of my Internet connection slowed mysteriously. I then did scans with both Household Call and Micro Trend, but nothing was found. I did a Trojan Horse scan just now with Symantec, and it indicated the infection.
 
Scan Result with GFI TrojanScan:

'Unable to scan C:\System Volume Information - Access is denied.'

What is the problem? :(
 
Hi ChartMan,

Thanks indeed.

I suppose I need to take the following steps to clean my computer. Am I right in each of them?

1. Disable the Remote Procedure Call (RPC) service so that I can end the process of svchost.exe without having the machine being rebooted.

2. End the process of svchost.exe. There are 4 of them in the Task Manager, two of which are under the username of System, another under the username of Network Service, the last one under the username of Local Service. Do I need to end the processes of ALL of them?

3. Remove svchost.exe. I wonder whether I should do it manually by going to Start-Search, finding all the files/folders under the name of svchost.exe and deleting all of those files? The website of Symantec requires subscription to its software for the removal. As I do not use Symantec's software, can I still remove the virus? Or do I have to subscribe to Symantec for removal?

4. Symantec also recommends removal from the registry. Do I have to do this? I would prefer not to touch the registry as I know little about the backup aspect.

Thanks indeed.
 
Don't stop any svchost until you know which one. To stop rebooting, go to Run and type: shutdown -a   This will temporarily disable the RPC which reboots you.
You must try and find the name of the virus/troj, so you can stop the correct process.
Try some more online scans.
Try and download and run these 2
http://vil.nai.com/vil/stinger/
http://www.avast.com/i_idt_1060.html
Remember to disable System Restore if you're running XP or ME
Let us know how you get on
 
BTW, is there a better firewall and anti-Horse software? I use Sygate but it seems to have failed this time.
I doubt Sygate is to blame. Your AV should pick it up but it's your decision ultimately on what to let in. What AV prog are you using? Are you current with Windows critical updates? What other anti spyware/hijack etc are you running?
There's a bit of info here
http://www.computercops.biz/postt7736.html
 
Virus help: for free downloads, go to Supanova.org, then go to Apps, Windows, Norton Everything (4th on the list) and download. I believe it's anti-virus software, plus other useful items. I haven't used it myself so I'm not recommending it, but it may provide a solution and get rid of your virus. Good luck
 
Many thanks to all of you indeed.

I did scans using Stinger and Avast. Neither of them found anything, but Symantec insisted there was a Trojan horse. Is it possible that Stinger and Avast only scanned for 'virus', while Symantec scanned for 'virus AND Trojan horses'?

Thanks indeed.
 
Thanks indeed, Chartman.

I just ran Spybot and PestPatrol twice. Guess what? Spybot and PestPatrol found 22 and 15 infected files respectively. OH GOODNESS ME!!!!!!!!!!

I assume I do not have to change the registry now that the two programmes have deleted the infected files. Is it correct?

I wonder whether there is some firewall which also detects and prevents spyware from entering into my machine. As mentioned above, I have always used Sygate, but it seems incompetent. I do know ultimately it is up to myself to decide what to let in, and I believe I have been rather cautious, still I have incurred such a big problem...:(
 
Sygate is a firewall not a spyblocker. You have to let it know what traffic to allow.
I went to Sygate's support forum for the first time yesterday. Have a browse.
http://forums.sygatetech.com/vb/forumdisplay.php?s=&forumid=8
Try these for extra protection
SpywareBlaster and SpywareGuard work together (same people)
http://www.javacoolsoftware.com/downloads.html
WinPatrol will tell you of attempts to alter sensitive parts of your system.
http://www.winpatrol.com/winpatrol.html
Also a new edition of Spybot S&D is available
http://www.majorgeeks.com/download2471.html

here's some info
http://www.isecurity.org.uk/html/security_steps.html
 
Hi oatman,

Many thanks indeed.

I just did yet another scan using Bazooka, and it detected an infected file named
%WinDir%/svchost.exe, which, I believe, is what was found by Symantec.

According to Bazooka, I should run the Safe Mode, go into Windows Explorer, and then delete the file.

As advised, I went into the Safe Mode and then Windows Explorer. In order to find and delete the file, I made a search using the Search function in the Start button. I searched all files and folders under the name of %WinDir%/svchost.exe, without success; then I searched for %WinDir%, still no success.

I wonder why I could not find the file? How should I delete it?

Interestingly, last night I did scans using Spybot and PestPatrol, but neither of them seemed to find this infected file.

Thanks indeed.
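A triage check a defender can run over a process listing, added here as an example and not taken from any post in this thread: the genuine svchost.exe lives in System32 and runs under SYSTEM, NETWORK SERVICE or LOCAL SERVICE (the accounts listed earlier), so a copy sitting directly at %WinDir%\svchost.exe, as Bazooka reported, is the one to isolate. The process list, PIDs and the account name "clylbw" are constructed sample data.

```python
import ntpath

# Constructed sample of a Task Manager-style process listing (PIDs and paths made up for
# illustration). Only the System32 location is Windows' real home for svchost.exe.
SAMPLE_PROCESSES = [
    {"pid": 812,  "name": "svchost.exe",  "path": r"C:\WINDOWS\system32\svchost.exe", "user": "SYSTEM"},
    {"pid": 900,  "name": "svchost.exe",  "path": r"C:\WINDOWS\System32\svchost.exe", "user": "NETWORK SERVICE"},
    {"pid": 1016, "name": "svchost.exe",  "path": r"C:\WINDOWS\system32\svchost.exe", "user": "LOCAL SERVICE"},
    {"pid": 1520, "name": "svchost.exe",  "path": r"%WinDir%/svchost.exe",            "user": "clylbw"},
    {"pid": 1604, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe",         "user": "clylbw"},
]

# Accounts the real service host runs under on XP.
LEGIT_SVCHOST_USERS = {"SYSTEM", "NETWORK SERVICE", "LOCAL SERVICE"}


def expand_windir(path, windir=r"C:\WINDOWS"):
    """Expand the %WinDir% token the way scanners print it and normalise separators."""
    path = path.replace("%WinDir%", windir).replace("/", "\\")
    return ntpath.normpath(path)


def triage_svchost(processes, windir=r"C:\WINDOWS"):
    """Return (pid, reason) for each svchost.exe whose image path or account is not what Windows uses.

    A process is only reported once: a wrong directory takes priority over a wrong account.
    """
    legit_dir = ntpath.normcase(ntpath.join(windir, "system32"))
    findings = []
    for proc in processes:
        if proc["name"].lower() != "svchost.exe":
            continue
        full = expand_windir(proc["path"], windir)
        directory = ntpath.normcase(ntpath.dirname(full))
        if directory != legit_dir:
            findings.append((proc["pid"], f"image path outside System32: {full}"))
        elif proc["user"].upper() not in LEGIT_SVCHOST_USERS:
            findings.append((proc["pid"], f"unexpected account: {proc['user']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage_svchost(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

Only the PID with the suspicious image path is reported; the three System32 copies under service accounts pass, which is the distinction the poster needed before ending any process.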
 
Did Symantec quarantine it or delete it?
If it deleted, did you turn off System Restore(XP&ME)?
 
Hi oatman,

No, Symantec did nothing other than finding it, as far as I am aware. It required subscription before any action would be taken, and I did not follow that requirement. But I did turn off System Restore before doing all the scans.

Since the previous scans with Spybot and PestPatrol deleted quite a few files, I wonder whether that could be the reason for me being unable to find the file. However, if that is the case, then why did Bazooka still manage to detect the file?
 