Trojan Horse keeps coming back


Tom Gordon

Yesterday, I got a Trojan Horse virus alert for the following program:
C:\WINDOWS\SYSTEM32\SVC.EXE
Norton Antivirus could not repair it, but it did quarantine the
program. However, I kept getting alerts for it.

So I went into the XP registry and found the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
pointing to the SVC.EXE program.

I deleted that key from the registry and shut down the system (powered
off) but after I rebooted, the next time I ran anything like Internet
Explorer or Explorer, I got the virus alert again. The program itself
no longer exists (I deleted it from the NAV Quarantine folder). But
something kept putting the registry entry back.

Then I read about turning off System Restore, because it can restore a
previous version of the registry. I turned it off, and deleted the
registry key (again). I powered down again to make sure memory
was cleared, but the virus alert still came back. I have no ideas
left. Can anybody help me? There is no specific removal tool on
Symantec's website for this generic Trojan Horse.
 

FuzionMan

A lot of people have problems with Norton not being able to remove simple trojans
& viruses. I switched to McAfee and haven't had a problem...
 

Guest

1. Read what is available about the virus and see if it
is contained in another program (a shell for the trojan)
that could be launching it, then scan your computer for
both files and delete them.

2. Do a regedit and search for the SVC.EXE file and
delete it wherever else it appears (checking to make sure
you are not deleting legitimate pointers).

3. If the svc.exe trojan is contained in a shell program,
repeat step two for that program.

4. Use The Cleaner, an anti-trojan program, to sweep your
system.

5. Use Ad-aware or the like.

6. Make sure you have your firewall enabled.

7. Run an anti-virus check of your system using an
up-to-date set of definitions.
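
Step 2 above, sketched as an added example that is not part of the original post: the script scans a registry export (File > Export in regedit) for string values that name the file and marks which hits sit under a common autostart key. The sample export, the value names and the `ExampleVendor` key are constructed for illustration, and the autostart list is a subset.

```python
import re
# Common autostart keys (a subset, not exhaustive), matched as key-path suffixes.
AUTOSTART = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows nt\currentversion\winlogon",
    r"\software\microsoft\windows nt\currentversion\windows",
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')
# Constructed sample in .reg export syntax (not taken from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svc"="C:\\WINDOWS\\SYSTEM32\\SVC.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Updater]
"Path"="C:\\Program Files\\ExampleVendor\\appsvc.exe"
"LastScanned"="C:\\WINDOWS\\SYSTEM32\\SVC.EXE"
'''

def unescape(s):  # undo .reg escaping of backslashes and quotes
    return re.sub(r"\\(.)", r"\1", s)

def find_references(reg_text, filename):
    """Return (key, value name, data, is_autostart) for string values naming filename."""
    # Match the whole file name only, so appsvc.exe is not reported for svc.exe.
    pat = re.compile(r"(?<![\w-])" + re.escape(filename) + r"(?![\w.-])", re.I)
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and key):  # hex/dword values and the header line are skipped
            continue
        data = unescape(m.group(2))
        if pat.search(data):
            name = unescape(m.group(1) or "(Default)")
            hits.append((key, name, data, key.lower().endswith(AUTOSTART)))
    return hits

if __name__ == "__main__":
    for hit in find_references(SAMPLE, "svc.exe"):
        print(hit)
```

Exports in the "Version 5.00" format are UTF-16, so read a real file with `open(path, encoding="utf-16")`. Hits flagged `False` are references outside the listed autostart keys and are the ones to inspect before deleting anything.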
 

Jim Byrd

Hi Tom - Download HijackThis, free, here:
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Unzip it to any convenient folder, start it then press Scan. Click on
SaveLog when it's finished which will create hijackthis.log. Now click
the Config button, then Misc Tools and click on Generate StartupList.log
which will create Startuplist.txt

Go to Spyware and Hijackware Removal Support, here:
http://www.spywareinfo.com/forums/index.php?s=8a236cdf61469fbad3bddbe810be0374&act=SF&f=11

Sign in, then copy and paste both files into a message asking for assistance.
Someone will answer with detailed instructions for the removal of your
parasite(s).



For the general hijack case, the best way to start is to get Ad-Aware 6.0,
Build 181 or later, here: http://www.lavasoftusa.com/support/download/.
Update and run this regularly to get rid of most "spyware/hijackware" on
your machine. If it has to fix things, be sure to re-boot and rerun
AdAware again and repeat this cycle until you get a clean scan. The reason
is that it may have to remove things which are currently "in use" before it
can then clean up others.

Another excellent program for this purpose is SpyBot Search and Destroy
available here: http://security.kolla.de/ SpyBot Support Forum here:
http://www.net-integration.net/cgi-bin/forums/ikonboard.cgi. I recommend
using both normally. After fixing things with SpyBot S&D, be sure to
re-boot and rerun SpyBot again and repeat this cycle until you get a clean
"no red" scan. The reason is that SpyBot sometimes has to remove things
which are currently "in use" before it can then clean up others.


Note that sometimes you need to make a judgement call about what these
programs report as spyware. See here, for example:
http://www.imilly.com/alexa.htm


Once you get this cleaned up, you might want to consider installing the
SpywareBlaster and SpywareGuard here to help prevent this kind of thing from
happening in the future:
http://www.wilderssecurity.com/spywareblaster.html (Prevents malware Active
X installs) (BTW, SpyWare Blaster is not memory resident ... no CPU or
memory load - but keep it updated) The latest version as of this writing
will prevent installation or prevent the malware from running if it is
already installed, and it provides information and fixit-links for a variety
of parasites.
http://www.wilderssecurity.net/spywareguard.html (Monitors for attempts to
install malware) Both Very Highly Recommended.

See if any of this helps and post back with your results.


--
Please respond in the same thread.
Regards, Jim Byrd, MS-MVP



 

noone

geesh! to do all that crap, it would be easier to blank
the drive and reinstall the OS and apps. Then make sure
you have a good firewall between the box and the internet
 
