Hacktool.Proxy file infected svchost.exe

I ran Symantec Endpoint and found that Hacktool.Proxy file infected svchost.exe. Endpoint did not clean it up. The action taken was "Backup" for svchost.exe. Is there a way to clean up this trojan?
cwojcicki1099 Asked:
 
IndiGenus Commented:
Hijackthis will not fix the service itself. It can be done a few ways. I usually remove them like this....
Click Start->Run...
Enter the following commands one at a time into the window and click OK each time.

sc stop HWDect
sc delete HWDect

Reboot and that should do it.



 
IndiGenus Commented:
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
 
cwojcicki1099 (Author) Commented:
Here's the log file. Thanks for your help.

 
IndiGenus Commented:
Think you forgot to attach it. Don't see any log...
 
cwojcicki1099 (Author) Commented:
Sorry, here it is.
hijackthis.log
 
IndiGenus Commented:
This service....

O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINNT\system32\inetsrv\svchost.exe (file missing)

Pretty sure it's bad. Take a look at how "Detection" is spelled. :lol:

I would fix that. Even though it says "file missing", sometimes HJT reports O23's as missing files when they aren't. And that is not the typical location for svchost.exe.

I would first stop the service then remove it. Then seek and delete that file.
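
The checks applied to that O23 entry (svchost.exe in an unusual folder, a near-miss display name, an unknown owner, a "file missing" flag that cannot be trusted), written out as an added example that is not part of the original thread. The regex is an assumption fitted to the one line quoted here, `KNOWN_DISPLAY_NAMES` is a hypothetical allow-list, and the second sample line is constructed.

```python
import ntpath
import re
from difflib import SequenceMatcher

# Assumed O23 layout: "O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]"
O23 = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?)"
    r" - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)
# The genuine svchost.exe sits directly in System32 (SysWOW64 on 64-bit Windows).
SVCHOST_OK = re.compile(r"^[a-z]:\\(windows|winnt)\\(system32|syswow64)\\svchost\.exe$")
# Assumption: a short allow-list of genuine display names to compare against.
KNOWN_DISPLAY_NAMES = ["Shell Hardware Detection", "Windows Time", "Print Spooler"]

def review_o23(line):
    """Return (service_name, [reasons]) for one O23 line, or None for any other line."""
    m = O23.match(line.strip())
    if not m:
        return None
    display, path = m["display"], m["path"]
    name = m["name"] or display  # no "(name)" part on the line: fall back to display
    reasons = []
    if ntpath.basename(path).lower() == "svchost.exe" and not SVCHOST_OK.match(path.lower()):
        reasons.append("svchost.exe not directly in System32: " + ntpath.dirname(path))
    for known in KNOWN_DISPLAY_NAMES:
        score = SequenceMatcher(None, display.lower(), known.lower()).ratio()
        if display != known and score >= 0.8:  # close to a real name, but not equal
            reasons.append("display name imitates '%s'" % known)
    if m["owner"] == "Unknown owner":
        reasons.append("binary has no identifiable publisher")
    if m["missing"] and reasons:
        reasons.append("reported missing: verify on disk, the service is still registered")
    return name, reasons

# Constructed sample: line 1 is the entry quoted in this thread, line 2 is made up.
SAMPLE_LOG = r"""
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINNT\system32\inetsrv\svchost.exe (file missing)
O23 - Service: Example Agent (ExampleAgent) - Example Corp - C:\Program Files\Example\agent.exe
"""

def review_log(text):
    """Map service name -> reasons for every O23 entry that raised at least one flag."""
    results = [review_o23(line) for line in text.splitlines()]
    return {name: reasons for name, reasons in filter(None, results) if reasons}

if __name__ == "__main__":
    for svc, why in review_log(SAMPLE_LOG).items():
        print(svc, "->", "; ".join(why))
```

A flagged entry whose file is already gone still has a service registration left behind, which is what the `sc stop` / `sc delete` commands in the accepted answer remove.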


 
cwojcicki1099 (Author) Commented:
This is our master DC with all the FSMO roles. I just virtualized it in VMWare this past Sunday. So on the physical server that I took out of the network, I went under Symantec EndPoint Quarantine and deleted it. I ran another virus scan and it came up clean. But when I run the Hijack tool again, the log still picks up the svchost.exe under the inetsrv directory and I verified that it is not there. So I'm a bit confused.
hijackthis.log
 
cwojcicki1099 (Author) Commented:
Ok, that did it, thanks for your help.
 
IndiGenus Commented:
Great, glad it worked out and thank you.
Dave