Hacktool.Proxy file infected svchost.exe

I ran Symantec Endpoint and found that Hacktool.Proxy file infected svchost.exe.  Endpoint did not clean it up.  The action taken was "Backup" for svchost.exe.  Is there a way to clean up this trojan?
cwojcicki1099 Asked:
IndiGenus Commented:
It would help if we could see what was going on with your computer. I suggest that you download, run, and upload a HijackThis log from the link below.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log file. Do not have HJT fix anything at this point.

Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.
0
cwojcicki1099 Author Commented:
Here's the log file.  Thanks for your help.
0
IndiGenus Commented:
Think you forgot to attach it. Don't see any log...
0
cwojcicki1099 Author Commented:
Sorry, here it is.
hijackthis.log
0
IndiGenus Commented:
This service....

O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINNT\system32\inetsrv\svchost.exe (file missing)

Pretty sure it's bad. Take a look at how "Detection" is spelled. :lol:

I would fix that. Even though it says "file missing", sometimes HJT reports O23's as missing files when they aren't. And that is not the typical location for svchost.exe.

I would first stop the service then remove it. Then seek and delete that file.


0
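The check applied by eye in the comment above, written as an added example (not code from this thread or from HijackThis): it parses O23 service lines and flags a system binary name such as svchost.exe registered outside system32. The binary list, the reason strings and the two extra sample entries are assumptions made for the example; paths with quotes or arguments are not handled.

```python
import ntpath
import re

# O23 layout: O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?\s*$"
)
# Assumption: a short illustrative list of binaries that belong directly in system32.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}

def review_o23(line):
    """Return (service name, path, reasons) for one O23 line, or None if not O23."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    folder, image = ntpath.split(m["path"])
    # Expected home is <drive>:\<windir>\system32, i.e. exactly two backslashes deep.
    in_system_dir = (ntpath.basename(folder).lower() in SYSTEM_DIRS
                     and folder.count("\\") == 2)
    reasons = []
    if image.lower() in SYSTEM_BINARIES and not in_system_dir:
        reasons.append("system binary name outside system32")
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("unknown owner")
    if m["missing"]:
        reasons.append("file reported missing, service entry still registered")
    return m["name"], m["path"], reasons

def flag_services(log_text):
    """Map service name -> reasons for every O23 entry with at least one reason."""
    flagged = {}
    for line in log_text.splitlines():
        result = review_o23(line)
        if result and result[2]:
            flagged[result[0]] = result[2]
    return flagged

# Constructed sample: the O23 line quoted in the thread plus made-up entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINNT\system32\inetsrv\svchost.exe (file missing)
O23 - Service: Example Spooler (ExSpool) - Example Corp - C:\WINNT\system32\spoolsv.exe
O23 - Service: Example Backup Agent (ExBackup) - Example Corp - C:\Program Files\Example\agent.exe
"""

if __name__ == "__main__":
    print(flag_services(SAMPLE_LOG))
```

A "file missing" marker is treated as a reason to look closer, not as a clearance, since the service registration remains until it is deleted.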
cwojcicki1099 Author Commented:
This is our master DC with all the FSMO roles.  I just virtualized it in VMWare this past Sunday. So on the physical server that I took out of the network, I went under Symantec EndPoint Quarantine and deleted it.  I ran another virus scan and it came up clean.  But when I run the Hijack tool again, the log still picks up the svchost.exe under the inetsrv directory and I verified that it is not there.  So I'm a bit confused.
hijackthis.log
0
IndiGenus Commented:
Hijackthis will not fix the service itself. It can be done a few ways. I usually remove them like this....
Click Start->Run...
Enter the following commands one at a time into the window and click OK each time.

sc stop HWDect
sc delete HWDect

Reboot and that should do it.



0

cwojcicki1099 Author Commented:
Ok, that did it, thanks for your help.
0
IndiGenus Commented:
Great, glad it worked out and thank you.
Dave
0