Solved

Can't get rid of Trojan on Windows 7 Dell Laptop

Posted on 2012-09-11
11
Medium Priority
924 Views
Last Modified: 2016-11-23
We have purchased and run Malwarebytes several times, and each time after the restart, Malwarebytes STILL reports a Trojan.


Vendor: Trojan Agent
Category: File; Memory Process
Item: c:\Windows\svchost.exe
Other: 4172


How can I clean this out?  I recall there being some very strong "medicine" I can use.


Thanks.


Larry
Question by:computerlarry
11 Comments
 
LVL 38

Accepted Solution

by:
younghv earned 668 total points
ID: 38389217
Hi Larry,
It is almost never good enough to just run one of the tools/scanners any more - regardless of how they...and MBAM is one of the best.

Please follow the directions in these EE Articles for using a 'rogue process stopper' - and then running your scanners.

http://www.experts-exchange.com/A_4922.html Rogue-Killer-What-a-great-name
http://www.experts-exchange.com/A_5124.html Stop-the-Bleeding-First-Aid-for-Malware


PLEASE be sure to post the logs from any tools/scanners you run so we can review the details of what is found.
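The scanner record in the question names c:\Windows\svchost.exe, one directory above where the genuine service host (System32\svchost.exe, or SysWOW64\svchost.exe for the 32-bit copy) lives, which is a common masquerade. Before running the rogue-process stopper and scanners younghv describes, a practitioner would want to see what is actually running under that name and who started it. The PowerShell below is an added example for this page, not code from the thread or from Malwarebytes; it assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt, and a Normal Mode boot (younghv's later point: the rogue process has to be running to be seen). The $flagged path is the one from the scanner report; the legitimate-path list and the parent check are the example's own assumptions about how a real svchost.exe is launched.

```powershell
# Added example, not code from the thread. Triage of the svchost.exe that
# Malwarebytes flagged (Item: c:\Windows\svchost.exe). Assumes Windows 7 with
# PowerShell 2.0 or later, run from an elevated prompt in Normal Mode (not Safe
# Mode), so that ExecutablePath is readable and the rogue process is running.

$flagged = Join-Path $env:SystemRoot 'svchost.exe'   # path reported by the scanner

# The only places a genuine service host image should live (assumption).
$legitPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

# --- 1. Is the flagged file still on disk after the reboot? ---
if (Test-Path $flagged) {
    $f = Get-Item $flagged
    Write-Host ("Flagged file present: {0}  size={1}  created={2}  modified={3}" -f `
        $f.FullName, $f.Length, $f.CreationTime, $f.LastWriteTime)
    Write-Host ("Authenticode status: {0}" -f (Get-AuthenticodeSignature -FilePath $flagged).Status)
} else {
    Write-Host "No file at $flagged (it may be re-dropped at boot by a service or scheduled task)."
}

# --- 2. Enumerate every running svchost.exe and score it. ---
# PIDs (the '4172' in the report) change on every boot, so match by path and
# parent, never by PID.
$rows = foreach ($p in (Get-WmiObject Win32_Process -Filter "Name='svchost.exe'")) {
    $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    $path   = $p.ExecutablePath

    # A real svchost.exe sits in System32/SysWOW64 and is a child of services.exe.
    # A null path means the process could not be opened even when elevated; treat
    # that as suspect too.
    $badPath   = ($path -eq $null) -or ($legitPaths -notcontains $path)
    $badParent = ($parent -eq $null) -or ($parent.Name -ne 'services.exe')

    $parentLabel = 'gone'
    if ($parent) { $parentLabel = "$($parent.Name):$($parent.ProcessId)" }

    $sigStatus = 'n/a'
    if ($path -and (Test-Path $path)) {
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Parent      = $parentLabel
        Path        = $path
        Signature   = $sigStatus
        Suspicious  = $badPath -or $badParent
        CommandLine = $p.CommandLine
    }
}

$rows | Sort-Object Suspicious -Descending |
    Format-Table PID, Parent, Suspicious, Signature, Path -AutoSize

# Full command lines of the suspicious ones: the -k group, working directory
# and any extra arguments are the clues to where the persistence lives.
$rows | Where-Object { $_.Suspicious } | ForEach-Object {
    Write-Host ("PID {0}: {1}" -f $_.PID, $_.CommandLine)
}
```

Two caveats. First, on Windows 7 most System32 binaries are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature in PowerShell versions before 5.1 does not consult catalogs, so a NotSigned status on System32\svchost.exe is normal there; treat the Signature column as informative and the Path and Parent checks as the real test. Second, a rootkit active on the live system can hide processes and files from WMI, so a clean result here does not clear the machine: an offline scan such as the Windows Defender Offline disc pgm554 mentions below, or the wipe and reinstall Larry ended up doing, is the only way to get an answer the malware cannot influence.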
 
LVL 34

Assisted Solution

by:Michael-Best
Michael-Best earned 332 total points
ID: 38389224
Boot into safe mode and then remove the trojan.

HijackThis may be more effective:
http://sourceforge.net/projects/hjt/

You can get a generic report of what HijackThis finds @ http://www.hijackthis.de/
Then use HijackThis to remove the trojan.
 
LVL 38

Assisted Solution

by:younghv
younghv earned 668 total points
ID: 38389240
@Michael-Best -
Most current variants of malware aren't even running their processes during a "Safe Mode" boot and they will be invisible to any scanner - much less something as old and out-dated as "HijackThis".

When Trend bought it from 'Merijn' (original developer) they wouldn't hire him to maintain it, so he moved over to the team at MalwareBytes.

Anyone wanting to see the processes running will be better served to run "OTL" (http://www.geekstogo.com/1888/otl-by-oldtimer-a-modern-replacement-for-hijackthis/) - but to run it in "Normal Mode" so that (a) the rogue processes are actually running and (b) they can be identified.

Of course, in most instances running a rogue process stopper and one of the automated tools is light years better than trying to guess what to do based on only a scan.
 
LVL 30

Assisted Solution

by:pgm554
pgm554 earned 332 total points
ID: 38389385
Download the bootable security essentials disk from MS.

http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline
 

Assisted Solution

by:sniperguy02895
sniperguy02895 earned 332 total points
ID: 38389431
Use Malwarebytes and Windows Security Essentials; they work very well for me. If that does not work, try using MBAM.
 

Author Comment

by:computerlarry
ID: 38389643
This one is quite resistant!  It couldn't be removed by RogueKiller or Combofix.

What's left to run?
 
LVL 44

Expert Comment

by:Darr247
ID: 38389748
If you followed the articles recommended by younghv, you would have run RogueKiller, let it do its prescan, then clicked its Scan button in the upper right corner... when that scan's done, minimize (DO NOT CLOSE/EXIT) RogueKiller, then do a full scan with MalwareBytes AntiMalware (MBAM for short).
 
LVL 93

Expert Comment

by:nobus
ID: 38389803
In severe cases, I gain more time by a full reinstall than by cleaning the system, so that's my suggestion: a fresh install.
 
LVL 38

Expert Comment

by:younghv
ID: 38390382
@computerlarry

<<This one is quite resistant!  It couldn't be removed by RogueKiller or Combofix.
What's left to run?>>

I suggest that you actually read the advice that has been offered, then follow the instructions.
You might also review these suggestions from EE that seem to be applicable:

"Three Rules":
http://www.experts-exchange.com/help/viewHelpPage.jsp?helpPageID=13

I am sorry, but I cannot assist you any further on this question.  Perhaps there may be another Expert here who can.

I wish you good luck in this endeavor, and perhaps I will be able to help you on some future question.
 
LVL 30

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 336 total points
ID: 38391540
@computerlarry,

Did you follow the instructions posted above by Younghv ?

If yes then please post the logs of RogueKiller and MBAM.
 

Author Closing Comment

by:computerlarry
ID: 38439220
Good recommendations, but I had a serious problem. I ended up backing up the User files, extracting all the serial numbers, then erasing and re-installing.