Confused newbie needs help with trojan

Discussion in 'malware problems & news' started by frags, Mar 22, 2005.

Thread Status:
Not open for further replies.
  1. frags

    frags Guest

    Hi everyone, I'm a newbie to computers and need a little help with a trojan prob.

    I realised I had one and tried getting rid with norton and ad-aware se, to no effect! Then downloaded trial version of trojan hunter which I thought had done the trick...it "cleaned" 12 trojan files!! Ran it again today which showed all clear YET while it was running Trojan warning popped up, apparently in:-

    C:\WINDOWS\svchost.exe

    How can I get rid of this trojan, if it doesn't show up on my trojan hunter?

    Any help really appreciated cos I'm completely lost !! Cheers.
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    svchost.exe is a legitimate program, hosted by Generic Host Process for Win32, and is used to run dll based services; you would normally expect to find it in the System32 folder - i.e. in C:\Windows\System32\

    The file path you have given is incorrect, this suggests it is malware but with a plausible name. If you wish you could click Start/Run/msconfig, to bring up the System Utility Configuration box and look in the 'startup' tab. If you find svchost.exe listed there you will know it is 'bad' because the genuine article does not appear in msconfig/startup.

    To give yourself the best chance of getting rid of this thing, try the following little routine:-

    A) To start with you should disable system restore (I'm assuming you're using XP) as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

    B) Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

    C) Then you need to open Windows Explorer and:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
    5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    D) Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    and do a full system scan with your AV and AT.

    Try the above first of all and let us know the result.

    P.S. - It would have been helpful if you could have given us the name of the 'trojan', as found by Norton or TrojanHunter (several different trojans masquerade as svchost.exe!), together with some of the symptoms you have experienced; for example has your browser been hijacked?
     
    Last edited: Mar 22, 2005
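
The two checks described in the post above (a system binary name running from outside its usual folder, and svchost.exe appearing as a startup item), written as an added example that is not part of the original thread. It goes slightly beyond svchost.exe by covering a few other system binary names; the folder table, the function names and the sample paths are assumptions made for illustration.

```python
import ntpath

# Expected folders for a few Windows system binaries (assumption: Windows is
# installed in C:\Windows; SysWOW64 holds 32-bit copies on 64-bit systems).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Per the post above: the genuine svchost.exe is never a startup item.
NEVER_IN_STARTUP = {"svchost.exe"}


def split_image(path):
    """Return (folder, file name), lower-cased and with separators normalised."""
    norm = ntpath.normcase(ntpath.normpath(path.strip().strip('"')))
    return ntpath.split(norm)


def check_path(path):
    """Classify one executable path as 'ok', 'suspicious' or 'unknown'."""
    folder, name = split_image(path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "unknown"  # not a name this table covers
    return "ok" if folder in expected else "suspicious"


def find_masquerades(process_paths, startup_paths):
    """List (source, path, reason) for every entry that fails a check."""
    findings = []
    for path in process_paths:
        if check_path(path) == "suspicious":
            findings.append(("process", path, "system name outside its expected folder"))
    for path in startup_paths:
        if split_image(path)[1] in NEVER_IN_STARTUP:
            findings.append(("startup", path, "system service host listed as a startup item"))
    return findings


# Constructed sample data (not taken from the poster's machine).
PROCESSES = [r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\svchost.exe",
             r"C:\Program Files\Example\app.exe"]
STARTUP = [r"C:\Program Files\Example\updater.exe", r'"C:\WINDOWS\svchost.exe"']

if __name__ == "__main__":
    for finding in find_masquerades(PROCESSES, STARTUP):
        print(finding)
```

A path reported as 'unknown' only means the file name is not in the table; it says nothing about whether the file is safe.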
  3. frags

    frags Guest

    Cheers TopperID. I tried your fix and all went great............just turned the computer on to do this reply and trojan warning appeared on norton anti-virus, it then said I had a runtime error "2 at 00405242". I'm way over my head on this!! Is it the trojan that's causing the error....Is it a new trojan, or the same one ?? Ran checks on ad-aware se, trojan hunter, and norton in safe mode last night following your advice...came back all clear......then ran them all again when I rebooted...still clear!! I'd be grateful for any more advice that you have!! My browser isn't hijacked, and apart from the trojan and error msg, all seems to be normal !
     
  4. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Time to switch AVs...
    Norton is good on finding trojans and viruses, but it just can't remove them.
    This seems to be Norton being Norton again.
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If you have no symptoms and your scans are coming up clean, then you should be O.K.

    I can't tell you what the runtime error means, you would have to email Symantec support about that - but trying to get a satisfactory answer from them is not easy!

    To investigate the latest trojan warning from Norton, we would have to know the details - i.e. the exact name and file path as given by NAV. You should be able to find this out by looking at the Reports section of the NAV interface, which will keep a record of all findings. It is possible, for example, that NAV has placed infected files into quarantine and/or backup, in which case you can delete them in those locations.

    Next time NAV pops up a warning, make a note of the full details of what it says and post them here.
     