need help with removing a trojan
trojansvchost.exe
malwarebytes removes it, but it's back again after a restart. Security essentials can't remove it, so I ran Windows Defender offline, but it doesn't even show up in the scan. Any suggestions?
Your help is greatly appreciated!
douglas9 (4,358 posts)

lillypaddle (9,580 posts)
Thanks, douglas, but that is one stubborn virus. Ran the trojan remover twice; it appeared to find the files & renamed them or deleted them, but upon restart I still got alerts that it was still there. Appreciate the help, though.
Earth Bound Misfit (3,554 posts)
Run TDSSKiller (Kaspersky), DON'T reboot yet, run MBAM. Follow that up with an ESET online scan (uses Internet Ex-PLODE-r only).
TDSSKiller: http://www.bleepingcomputer.com/download/tdsskiller/
MBAM: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/
ESET online scanner: http://www.eset.com/us/online-scanner/
lillypaddle (9,580 posts)
but I followed your links anyway. Right now, everything appears "green." ESET found 6 viruses not found by any of the other anti-virus software, so hopefully that's done the trick!
I can't thank you enough.
Earth Bound Misfit (3,554 posts)
My bad, I should have told u to d/l the tools first or boot to "Safe mode with networking".
Did TDSSKiller and/or MBAM find/remove/cure/delete etc anything?
If you could post the results logs of each scan we may get a better idea if this "thing" is gone for good --only the last 15 or so lines of TDSS, full MBAM log & items found/removed etc. by ESET
What were/are the symptoms of the malware?
lillypaddle (9,580 posts)
don't know if I'm savvy enough to post what you ask. The main culprit seemed to be a trojan file called svchost.exe. It still seems to have parts popping up, but once I run all the scans again, things seem to be okay. The other files that ESET found and none of the others did were olmarik.altrogan and some other variations.
I invested in the paid version of Malwarebytes. Periodically it says that it's blocking outgoing contact with svchost.exe.
I'll keep you posted if anything else pops up again. As far as the symptoms, I kept getting alerts from Security Essentials, and when I'd attempt to go to some website, I'd get these fake (at least they seemed so) websites with blue links instead of what I would expect.
Thanks again!
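A defender's triage check that fits what lillypaddle describes (a file named svchost.exe being flagged by the scanners and making outbound connections). This is an added PowerShell example, not something posted in the thread or shipped by any of the tools named in it: it lists every running svchost.exe, flags copies that are outside System32, not signed by Microsoft, or not started by services.exe, and shows their established TCP connections. It assumes Windows 8 or later with PowerShell 5.1, run from an elevated prompt so SYSTEM processes expose their paths.

```powershell
# Added triage helper (not from the thread). Legitimate svchost.exe lives in
# %SystemRoot%\System32, is signed by Microsoft and is launched by services.exe;
# anything that breaks one of those rules deserves a closer look.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SvchostTriage {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc   = $_
        $path   = $proc.ExecutablePath
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" `
                  -ErrorAction SilentlyContinue

        # Authenticode check on the image that is actually running.
        $signer = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } `
                      else { "UNSIGNED/$($sig.Status)" }
        }

        # Established outbound connections owned by this process (Windows 8+ cmdlet).
        $remote = (Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established `
                   -ErrorAction SilentlyContinue |
                   ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '

        $flags = @()
        if (-not $path)                  { $flags += 'no path (run elevated)' }
        elseif ($path -ne $expectedPath) { $flags += "unexpected location: $path" }   # -ne is case-insensitive
        if ($signer -notlike '*Microsoft*')                    { $flags += "signer: $signer" }
        if ($parent -and $parent.Name -ne 'services.exe')      { $flags += "parent: $($parent.Name)" }

        [pscustomobject]@{
            PID     = $proc.ProcessId
            Path    = $path
            Parent  = if ($parent) { $parent.Name } else { '?' }
            Remote  = $remote
            Verdict = if ($flags.Count) { 'SUSPECT: ' + ($flags -join '; ') } else { 'OK' }
        }
    }
}

Get-SvchostTriage | Format-Table -AutoSize
```

A SUSPECT row is a lead for the scan logs and the Bleepingcomputer helpers, not a verdict on its own: some hardened hosts and third-party services legitimately trip the parent or signer heuristics.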
Earth Bound Misfit (3,554 posts)
"Olmarik" is bad news... http://www.eset.eu/encyclopaedia/win32-olmarik-rn-trojan-downloader-agent-dmes-backdoor-tidserv-k-alureon-ct?lng=en
The trojan contains a backdoor. It can be controlled remotely. It uses techniques common for rootkits. The file is run-time compressed using UPX.
The link above contains a "removal tool" but I'm not familiar with it, nor have I used it, so I can't speak to its effectiveness etc.
When TDSS completes, a log is produced at "root". It will be named "UtilityName.Version_Date_Time_log.txt"
for example, C:\TDSSKiller.2.2.0_27.1.2010_15.31.43_log.txt
Double-clicking that log will open it in Notepad. Copy the last 15-20 or so lines & post them back here.
You really should get expert help making sure this thing is not still lurking about. I recommend Bleepingcomputer.com
Read the pinned topic Instructions for posting advice in Am I Infected and start a thread. The helpers there are extremely helpful, courteous and user/noob friendly.
lillypaddle (9,580 posts)
with a little help from my friends.
Ran ESET, trojan remover, and Malwarebytes Pro again this morning, and all came up clean. I think I'm good to go. Thanks again!
Earth Bound Misfit (3,554 posts)
It's your call, however I really think it would be wise to err on the side of caution & have an *expert* (which I am NOT) take a deeper look as suggested in post #9.
lillypaddle (9,580 posts)
I'll have him take a look on Monday. I have a laptop, so it will be easy for him.
On edit: PS, I tried the removal tool you posted in #9, but it wasn't compatible with my OS (64-bit).
hobbit709 (41,694 posts)

lillypaddle (9,580 posts)
if things keep happening. I knew DU folks could help - smartest people in the world!