Trojan Horse - svchost.exe

Hi,

I have Norton Security 2009 and the problem is that it has detected a Trojan Horse in my system but it doesn't remove it. It only blocks it, and every 2-3 minutes a message comes up that Norton has detected a trojan horse and it has been blocked, but when I run a full system scan it doesn't find anything.

Every time it's being detected in a sub-directory of the following directory: C:\WINDOWS\Temp\

for example: C:\WINDOWS\Temp\tqbd.tmp\svchost.exe

Request your help in removing the Trojan Horse completely.

Thanks.
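The path the poster reports is the classic tell of a masquerading process: a file named svchost.exe that lives somewhere other than the Windows system directory, here under a randomly named .tmp folder in C:\WINDOWS\Temp. The following script is an added example written for this thread, not something from the forum or from Norton; it runs a simple path-based check over a constructed process list (the PIDs and every path other than the one the poster quoted are made up) and flags svchost.exe images outside System32/SysWOW64 as well as any executable launched from the Windows Temp tree.

```python
# Added example (not from the thread): path-based triage for svchost.exe
# lookalikes. Uses ntpath so the Windows path rules apply on any platform.
import ntpath

# Directories where a genuine svchost.exe is installed on Windows XP/Vista/7.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Executables should not normally be launched from here at all.
TEMP_DIRS = (r"c:\windows\temp",)


def _norm(path):
    # Windows paths are case-insensitive and accept either separator.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def _under(path, root):
    return path == root or path.startswith(root + "\\")


def classify(path):
    """Return a reason string if the image path looks suspicious, else None."""
    p = _norm(path)
    if ntpath.basename(p) == "svchost.exe" and ntpath.dirname(p) not in SYSTEM_DIRS:
        return "svchost.exe outside the Windows system directory"
    if any(_under(p, t) for t in TEMP_DIRS):
        return "executable running from the Windows Temp tree"
    return None


def scan(entries):
    """entries: iterable of (pid, image_path). Returns [(pid, path, reason)]."""
    hits = []
    for pid, path in entries:
        reason = classify(path)
        if reason:
            hits.append((pid, path, reason))
    return hits


# Constructed sample process list; PID 2388 mirrors the path reported above.
SAMPLE = [
    (1020, r"C:\WINDOWS\system32\svchost.exe"),
    (1044, r"C:\WINDOWS\System32\svchost.exe"),
    (2388, r"C:\WINDOWS\Temp\tqbd.tmp\svchost.exe"),
    (2402, r"C:\WINDOWS\explorer.exe"),
    (2511, r"C:\WINDOWS\Temp\abcd.tmp\setup.exe"),
    (2600, r"C:\Users\arsh\svchost.exe"),
]

if __name__ == "__main__":
    for pid, path, reason in scan(SAMPLE):
        print(f"PID {pid}: {path} -> {reason}")
```

A path check like this only sees what the process list shows it, which is the point the later replies make about rootkits: a hidden process or file will not appear in the input at all, so a clean result here does not rule one out.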

Hi arsh_kamaal:

Welcome to the Norton Community!

It is possible that you have a Rootkit or another threat.

Let's rule this out.

Please download and install Malwarebytes Anti-Malware at this location. It is the new version. When you install it, update the definitions to the latest release and run a Full Scan. When complete, attach the logfile (.txt) which it will create in this thread.

Use the Add Attachments hotspot under the orange POST button on the lower left hand side of the window pane.

The logfile will be analyzed and the next step will be posted.

I know you are running NIS 2009, but when this is resolved, I would like you to download a free upgrade to NIS 2010.

One step at a time.

Kindly advise and thanks.

Hi

Odd that this is the 2nd thread with the exact same thing found today. The other thread was marked as solved without a solution really given. If the Malwarebytes log is the same, then it may be a strange coincidence, or else this is a new rootkit which is partially being found by Norton.

It's not odd.

As it is not the 2nd thread overall on the forum, and it's not new, as the one has been around since at least the end of Nov 2009.

Quads

While Malwarebytes might clean up the attendant malware, it will not touch the rootkit. You will need to visit one of the malware removal forums listed below for more appropriate assistance.

The danger in suggesting MBAM is that the user, as seen in the mentioned thread, mistakenly believed that his problem was solved. This does the user no service and leaves him insecure.


www.bleepingcomputer.com

http://www.geekstogo.com/forum/

http://www.cybertechhelp.com/forums/

http://forums.whatthetech.com/

Hi delphinium:

Do you think that the OP should go directly to those sites (I am familiar with two of them) now, or first determine if it is indeed a Rootkit? There are some tools (i.e. SysProt) to produce a logfile for analysis which have been used on this forum that could help with this and not compromise the OP's system.

Please share your feelings with us. We are open to suggestions.

TIA

Message Edited by Plankton on 01-08-2010 09:56 PM

Plankton wrote:

Hi delphinium:

Do you think that the OP should go directly to those sites (I am familiar with two of them) now, or first determine if it is indeed a Rootkit? There are some tools (i.e. SysProt) to produce a logfile for analysis which have been used on this forum that could help with this and not compromise the OP's system.

Please share your feelings with us. We are open to suggestions.

TIA

Message Edited by Plankton on 01-08-2010 09:56 PM

SysProt won't show it; no point in doing useless scans.

Quads


Hi Quads:

Well, how do we know with 100% certainty that it is a true Rootkit?

Is there another tool that we can use at low/no risk to determine if it is one?

What do you suggest?


Plankton wrote:

Hi Quads:

Well, how do we know with 100% certainty that it is a true Rootkit?

Is there another tool that we can use at low/no risk to determine if it is one?

What do you suggest?

Because it's the process of symptoms.

These are not the first 2 we have had, and I had the svchost.exe on my PC a while ago on purpose; as I said, it's from late Nov onwards.

"Well, how do we know" - "WE" don't, as "we" means more than one person.

Quads


Hi Quads:

What would you recommend as the next step, aside from the recommendation by delphinium?

Delphinium's: go to another forum, as I am not doing it.

Quads

Hi arsh_kamaal:

It is the opinion of delphinium and Quads that you take this issue to one of the sites listed for assistance.

Once this is resolved, please come back here and create a new thread for the NIS 2010 upgrade.

Thanks.

Message Edited by Plankton on 01-08-2010 10:30 PM

Hi floplot:

Were you referring to this thread?

http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=95480

I see the similarities.

Plankton wrote:

Do you think that the OP should go directly to those sites (I am familiar with two of them) now, or first determine if it is indeed a Rootkit? There are some tools (i.e. SysProt) to produce a logfile for analysis which have been used on this forum that could help with this and not compromise the OP's system.

Please share your feelings with us. We are open to suggestions.

Please do not throw such temptation in my path.

Is that the royal "we" or is there more than one of you?


Hi Plankton

Yes, that was the thread I was thinking of.

delphinium wrote:

While Malwarebytes might clean up the attendant malware, it will not touch the rootkit. You will need to visit one of the malware removal forums listed below for more appropriate assistance.

The danger in suggesting MBAM is that the user, as seen in the mentioned thread, mistakenly believed that his problem was solved. This does the user no service and leaves him insecure.

When I nipped back to that other thread, it was too late; it had already been marked solved :-( However, I'll try to grab the poster's attention :-)

Hi Plankton, Delphinium and Quads,

Thanks for all your advice. I have posted my problem on bleepingcomputers.com as well. I am yet to get any solution though.

Regards,

Arsh

Hi Arsh

BleepingComputers is a very busy place, so you will have to wait your turn. When they do get to you, please follow their instructions to the letter. If you have any questions about what they want you to do, ask the question before you do it. I would recommend that you stay away from banking sites, and from buying anything with the infected computer. In fact, use it as little as possible. The more a computer is used when it has a rootkit, the worse it may get. Please come back and let us know how you are making out. Thanks.