Can't remove Trojan Horse

I have a process on my computer under Task Manager named "IOSDT.EXE" which is causing 100% CPU usage, slowing down my system almost to a standstill. When I terminate this process, CPU usage falls to 4%. The problem is I can't stop it from starting up every time I boot my computer. Running a search failed to find it on the system.

On the website "http://www.answersthatwork.com/Tasklist_pages/tasklist.htm" I found the following information:
===========================================
Iosdt

Iosdt.exe
???

You have a Trojan virus on your PC – IOSDT.EXE is its main file. You most probably tried to download illegal copies of Microsoft software, and got infected by this trojan virus as a result (it gives access to your PC from the Internet).

Recommendation:
Reboot your PC into Safe Mode and then do a search for all files and folders which start with IOSDT and delete them. Next, empty your Recycle Bin and reboot back into Normal Mode.
==============================================

I followed the instructions above but still could not find any file or folder doing a search. I also did a search in the registry and still no sign of this file, yet when I reboot back in normal mode the process starts up again, grabbing 100% of my CPU usage.

I am running Windows XP Professional

This is doing my head in

your help is desperately needed

with thanks


Asked by: greenfly2
 
Computer101 Commented:
PAQed with no points refunded (of 250)



Computer101
EE Admin
0
 
sunray_2003 Commented:
Hi greenfly2,

Do you have any anti-virus installed on your machine?

If yes, update it and check for viruses. If it reports any trojan or virus, ask it to remove it.

Also check these online scanners

**********************
http://vil.nai.com/vil/stinger/

http://housecall.trendmicro.com/ 

http://security.symantec.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://www.pcpitstop.com/antivirus/default.asp 
**********************

Using this check if you can stop it from startup

Start --> run --> Type in "msconfig" and press "Enter"
Go to the Startup tab
Disable all the applications there. Reboot the machine and check if the trojan comes back.

Then go to the same location and enable each application one by one and check the culprit

Thanks
0
 
LucF (EMEA Server Engineer) Commented:
Hi greenfly2,

You'll find the file most likely at %systemroot%\System32\iosdt\iosdt.exe
You can remove this folder after killing the task.

Then, look at the startup part of the start menu and find either:
network.vbs and/or microsoft_office.lnk
Delete them both if you can find them.

Next time, just buy legal Microsoft products, it'll save you from this mess.

Greetings,

LucF
0
 
sunray_2003 Commented:
Also you may want to run the spyware tools listed here
http:Q_20945897.html
0
 
Tim Holman Commented:
Try HijackThis to ensure the Trojan isn't set to run at boot-time:

http://www.spychecker.com/program/hijackthis.html
0
 
greenfly2 (Author) Commented:
Sorry to disappoint you LucF, but I haven't got any illegal Microsoft software on my system; it has all been purchased legally. There are four people using my computer, and even if one of my sons attempts to download illegally, I can assure you it's not loaded on my system. The suggestion that "I may have tried to download illegal Microsoft software" was an assumption of how the Trojan may have got to my system and not an accusation.


Sunray, I am about to try your suggestion, but the other suggestions did not work.
Thanks guys. I'll get back to you soon.
0
 
LucF (EMEA Server Engineer) Commented:
You don't disappoint me... quite the opposite actually, it is just that I had to handle this virus several times before, and it always came from either crack sites or through P2P networks... sorry for jumping on the gun right away. I also noticed that every virus scanner I tried didn't work :(

I think tim_holman's idea is pretty good. If you want, post the logfile it creates, so we can do a manual search for where it's started from.

LucF
0
 
rossfingal Commented:
Hi!

When you download and install HijackThis (per tim_holman's suggestion), install it to its own folder, not on your Desktop or a temp folder. Create a folder such as: C:\HJT or C:\HijackThis and install it there.
Good luck!
0
 
HynesCo Commented:
Boot your computer into Safe Mode with networking support, go to trend.com or norton.com and do the free online scan.
0
 
Rich Rumble (Security Samurai) Commented:
Everyone is forgetting it's XP, you have to turn off system restore... then get rid of it... otherwise it'll be back on next reboot.
http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm

Try the stinger tool... Ad-Aware might even help...
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=98844
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.bymer.html
-rich
0
 
greenfly2 (Author) Commented:
Unfortunately none of the suggestions received so far work. So I have decided to count my losses, reformat my hard drive and start again.

0
 
Tim Holman Commented:
Sorry we couldn't help..  ;(
Don't forget to delete the question, and try us again soon !
0
 
sfleron Commented:
Hi guys

I know it's been some time since you have had the problem.

I just ran into it myself - in fact it is pretty easy to fix...

1) I was unable to stop the process (taking 100% CPU)
2) I searched the disk for the process - nothing found.
3) Using REGEDIT.EXE I searched for IOSDT and exported any keys found
4) Restarted the system, and it was gone...

It seems like a trojan that comes through E-Mule P2P software!!!
It has not done any harm to my system (lucky me...).

Best regards Soren - Denmark
0
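
The startup checks suggested in this thread (msconfig's Startup tab, the Startup folder, a registry search, the System32\iosdt folder) can be done in one read-only pass. The script below is an added example, not posted by anyone in the thread; it assumes Windows PowerShell is installed (a separate download on Windows XP) and uses the name `iosdt` from the question as the default search pattern.

```powershell
# Added example: list autostart entries and files that reference a given name.
# Read-only: nothing is changed or deleted.
param([string]$Pattern = 'iosdt')   # process name taken from the thread

$hits = @()

# 1. Startup-folder items and Run-key values for all users.
$hits += @(Get-WmiObject Win32_StartupCommand |
    Where-Object { "$($_.Name) $($_.Command)" -match $Pattern } |
    Select-Object @{Name='Source'; Expression={ 'Startup: ' + $_.Location }},
                  Name,
                  @{Name='Value'; Expression={ $_.Command }})

# 2. Services whose name or binary path matches.
$hits += @(Get-WmiObject Win32_Service |
    Where-Object { "$($_.Name) $($_.PathName)" -match $Pattern } |
    Select-Object @{Name='Source'; Expression={ 'Service (' + $_.StartMode + ')' }},
                  Name,
                  @{Name='Value'; Expression={ $_.PathName }})

# 3. Run/RunOnce keys read directly, plus the Winlogon values (Shell, Userinit).
$keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($k in $keys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item $k
    foreach ($name in $item.GetValueNames()) {
        $val = [string]$item.GetValue($name)
        if ("$name $val" -match $Pattern) {
            $hits += New-Object PSObject -Property @{ Source = $k; Name = $name; Value = $val }
        }
    }
}

# 4. Matching files or folders directly under System32.
#    -Force includes items carrying the Hidden or System attribute.
$files = @(Get-ChildItem -Path "$env:SystemRoot\System32" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $Pattern })

$hits  | Format-Table Source, Name, Value -AutoSize -Wrap
$files | Select-Object FullName, Attributes
```

An empty result from all four checks means the name is not referenced in these locations; it does not rule out other launch points such as scheduled tasks.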
 
Tolomir (Administrator) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Accept: sfleron{http:#12685467}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Tolomir
EE Cleanup Volunteer
0
Question has a verified solution.
