A Trojan Pwned my PC. I need help


#1

A few hours ago, a Trojan got into one of my PCs and now the Trojan was detected after it launched itself…
Okay folks, I wanna delete it and
Norton will detect it but
will not delete or take action. The running process is: svchost.exe
Now, I used google.com and it said this was a MS process but
it's not! It's a trojan in disguise as a regular process.
Now, here are the side effects of the trojan:
I can not shut down my PC at all. The PC stays on no matter what I do. I can hit the Reset button and it still stays on; I have to pull the power cord out of the PC. …Despite all my efforts the process can not be terminated, not even with Task Manager!!! Nothing stops it. I even tried msconfig.exe,
looked at all the services & startups and I unchecked everything! And the trojan STILL started up with Windows…please help me…I don't wanna format this PC and start over…lot of registered apps on it…and it's a massive 1 TB HDD
:frowning:

When I try to close it…it tricks Windows…
saying: Not responding. Then, a minute later it's still running again…there is really no way to stop it…>:( It's a nasty spyware.

BTW, this svchost.exe process is not from MS…
it's a fake. I right clicked it and it's not from MS; I have a screenshot. And I tried safe mode and still can not delete it. I went to the Norton site, to the page for removal, and it's a
generic Trojan Horse. Its
startup keys & services in the registry are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

and there is nothing that starts up with svchost.exe, and I'm scanning with McAfee and still nothing…I'm stumped!

Scanning with McAfee & it detects it but won't remove it: access denied! This spyware thought of everything!
I tried the boot from DOS command with a floppy disk to delete the file
and it says it can't delete it (protected file)

I have Spybot installed and it detects nothing :frowning:
I even tried EndItAll, where it kills all running processes, and guess what? It's still running but in "not responding"…and I use Task Manager to close it and it stays there & doesn't even say any error messages! So, what would you recommend next?
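An added check (not from this thread or any of the posters) for the situation described above: on a modern Windows host, the genuine svchost.exe always runs from %SystemRoot%\System32, carries a valid Microsoft Authenticode signature, and is started by services.exe, never from a Run key. The script below lists every running svchost.exe with those three properties, then walks the autorun keys the post lists and flags any value that references svchost.exe. It assumes an elevated PowerShell 5+ prompt; the key list is taken from the post, everything else is my own.

```powershell
# Added example (not from the thread): spot a fake svchost.exe and the autorun
# entry that launches it. Run from an elevated PowerShell prompt.

$genuine = Join-Path $env:SystemRoot 'System32\svchost.exe'

# --- 1. Every running svchost.exe: image path, parent process, signature ---
$procs = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $path   = $p.ExecutablePath
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $flags = @()
    if (-not $path -or $path -ne $genuine)          { $flags += 'path is not System32\svchost.exe' }
    if ($null -eq $sig -or $sig.Status -ne 'Valid') { $flags += 'no valid Authenticode signature' }
    if ($parent.Name -ne 'services.exe')            { $flags += "parent is '$($parent.Name)', not services.exe" }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Path    = $path
        Parent  = $parent.Name
        Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Verdict = if ($flags) { 'SUSPECT: ' + ($flags -join '; ') } else { 'looks genuine' }
    }
}

# --- 2. The autorun keys listed in the post (HKCU\...\RunServices* only exist on Win9x;
#        Test-Path skips keys that are absent on this machine) ---
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSChildName, etc.
        $value = [string]$prop.Value
        # The real svchost.exe is launched by the Service Control Manager, so any
        # Run-key value that names it is worth a hard look.
        if ($value -match 'svchost\.exe') {
            "SUSPECT autorun: $key\$($prop.Name) = $value"
        }
    }
}
```

A real svchost.exe reports `looks genuine`; an entry with a path outside System32, an unsigned image, or a parent other than services.exe is the impostor the poster describes. Note that a Run key is only one persistence location; a services entry or a scheduled task would not show up in this pass.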


#2

Download HijackThis: http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Read through this and follow instructions: http://aumha.net/viewtopic.php?f=30&t=4075&sid=61985b22bcd9f8012b47eaa9bf501295

Run HijackThis and then post your HijackThis log at http://aumha.net/viewforum.php?f=30
or one of the other sites listed in my second link.


#3

Advice from MS:

"The only way to clean a compromised system is to flatten and rebuild"
http://technet.microsoft.com/en-us/library/cc512587.aspx

Michael


#4

[QUOTE=Kerry56;2177968]Download HijackThis: http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Read through this and follow instructions: http://aumha.net/viewtopic.php?f=30&t=4075&sid=61985b22bcd9f8012b47eaa9bf501295

Run HijackThis and then post your HijackThis log at http://aumha.net/viewforum.php?f=30
or one of the other sites listed in my second link.[/QUOTE]

I get this message, I am the owner & admin…:confused: how do I fix that?



#5

Weird…I just downloaded and installed, and ran it with no issues. I have heard of certain malware that specifically targets antivirus programs, including HijackThis, but haven’t kept up with current problems.

Talk to the people at MalwareBytes for help. http://www.malwarebytes.org/forums/index.php?act=idx You’ll probably get faster response from them.
You can also run Trend Micro Housecall. http://housecall.trendmicro.com/

Or just nuke it from orbit. It is still the safest bet.


#6

You can’t fix anything here.
The malware you installed has taken total control over your system. I hope, you have unplugged the network cable already.

Get the Antivir Rescue system (ISO file) from http://www.avira.de/en/support/support_downloads.html and burn to CD. Boot from that disc.

Please note, even if you can repair something, your system will still be compromised. It might send spam, it might send the serials of your installed software to someone else, it might help attack websites, it might help steal your personal data; if you do online banking it might steal your account and login data.

From a clean system (get a Linux Live CD), you should immediately change all passwords of mail, messenger, banking, forum etc. accounts at least.

Michael


#7

Is this the online scan…or the download and run?

I think there are two ways to check this out.

In addition, AVG has a couple of ways to try this…I have had it work for me before with a trojan

[I]EDIT: and ditto to what mciahel said : the problems will not all go away anyway…you may eventually have to start from scratch[/I]


#8

You can try an old DOS trick of changing the file attributes to kill it temporarily.

May buy you enough time to clean up and save [U]some files [/U]elsewhere.

http://msdn.microsoft.com/en-us/library/aa365535.aspx

Should wipe drive ASAP afterwards and start from scratch


#9

[quote=bean55;2178029]You can try an old DOS trick of changing the file attributes to kill it temporarily.

May buy you enough time to clean up and save [U]some files [/U]elsewhere.[/quote]A live Linux DVD or CD is a much better option :slight_smile:

Should wipe drive ASAP afterwards and start from scratch
:iagree:

Michael


#10

[QUOTE=mciahel;2178019]You can’t fix anything here.
The malware you installed has taken total control over your system. I hope, you have unplugged the network cable already.

Get the Antivir Rescue system (ISO file) from http://www.avira.de/en/support/support_downloads.html and burn to CD. Boot from that disc.

Please note, even if you can repair something, your system will still be compromised. It might send spam, it might send the serials of your installed software to someone else, it might help attack websites, it might help steal your personal data; if you do online banking it might steal your account and login data.

From a clean system (get a Linux Live CD), you should immediately change all passwords of mail, messenger, banking, forum etc. accounts at least.

Michael[/QUOTE]

it won't let me download ISO images at all!
here is the link:
http://dlpro.antivir.com/down/vdf/rescuecd/rescuecd

[QUOTE=bean55;2178019]
Should wipe drive ASAP afterwards and start from scratch
[/QUOTE]
That's the easy way out…:stuck_out_tongue: I wanna find the trojan's weak spot…:smiley:
This is proof that Satan does exist…:frowning:


#11

I think Michael is right. Unplug this thing from the internet now!

If it has taken control to this extent, you’re pretty much screwed. It could be extremely hard to get rid of short of formatting.


#12

A live Linux DVD or CD is a much better option

If you have one :iagree:

And depending on how much it will still do.


#13

For what it’s worth, I’m with mciahel on this one. :iagree:

Only safe option is to restore a system backup you have made with an imaging program (not just using System Restore) or reinstall from scratch.

You may want to boot from a rescue CD/DVD to save important files before reinstalling or restoring.


#14

[QUOTE=DrageMester;2178070]… or reinstall from scratch.

You may want to boot from a rescue CD/DVD to save important files before reinstalling or restoring.[/QUOTE]

Okay, I give up on this…the trojan may have left me no choice & format & reinstall the OS (which is what it wanted)…:clap::clap: but, NO F'ing way!..:a I'm gonna show & expose this
trojan by sending the HDD (won't let me copy the .exe either to quarantine) (error copying file). Send the HDD to a company like McAfee that investigates this
parasite & study its nature & hard-coring so people don't be a sucker like nvm…if the trojan had been given to someone like a newcomer (newbie) with PCs he would have formatted & reinstalled the OS
without hesitation. But not me…I will give it to McAfee; they will inform
the public about it. I'm not a hero…I'm just doing my job…:smiley:


#15

You’ll also want to get one anti-virus program and stick with it. Running several different firewalls and anti-virus programs can open up vulnerabilities in your pc. I’d stick with avira.


#16

Macro, in post #5 Kerry56 mentioned MalwareBytes; download and run that and it will find what is on your computer. Also use RogueRemover afterwards to make sure you removed everything. Don't forget to run CCleaner after to clean up the mess left over.


#17

[quote=Macrovision3500;2178048]it won't let me download ISO images at all!
here is the link:
http://dlpro.antivir.com/down/vdf/rescuecd/rescuecd[/quote]add “.iso” to that :slight_smile:

There is also an .exe file, but you don’t want that.

Some hints to avoid such events in future:

[ol]
[li]Unless you install software or drivers (system maintenance) [B]never [/B]log in with a user account that has administrative permissions.
[/li][li]Using something other than MSIE for web surfing is another good idea (I know, other browsers have vulnerabilities, too). The same applies for mail, instant messenger etc.
[/li][li]Do not trust your “security” software. It won’t help with new malware.
[/li][/ol]

Michael


#18

McAfee probably already knows about the trojan. You're just wasting money sending them your whole hard drive. Just do a full format and reinstall your OS; that's the sure way to get rid of it.


#19

Think I had this one and the only way to get rid of it was to clean my hard drive and start again.


#20

Hard reset your PC.
Press F8 to boot safe mode.
Use system restore to go back a few weeks.

Don’t do it again.

A few years ago, my missus managed to pick up a virus that started with explorer. So even if you tried to kill it in safe mode, you couldn’t, because it was a system protected process (by explorer) … even if you killed it & removed it, the dropper that started with explorer would place a new one somewhere ( a random location) and fire it up again.

After searching through the registry, I found the bastard, and removed the entry from the registry …
After next restart, it was back … in the registry, running with explorer, and dropping virii on the HDD.

The only way to kill it was to get into safe mode, open regedit & open a command prompt -> kill Explorer, kill the dropper program/trojan, kill the virus, remove the entry from the registry, and delete the dropper & the virus executables (using the command prompt).

Only took me 4 hrs & about 5 reboots to clean that bastard out.
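The sequence in the post above (stop Explorer so a dropper hooked to it cannot respawn the payload, kill the dropper and payload, remove the Run-key entry, strip the attributes the way post #8 suggests, delete the files), written as one elevated PowerShell session for Safe Mode. This is an added example, not code from any poster; every path and value name below is a placeholder that stands for what your own investigation identified, and it assumes PowerShell 3+ for the `-in` operator.

```powershell
# Added example (not from the post): the post's clean-up order as a script.
# All values below are PLACEHOLDERS; replace them with what you actually found.
$dropper   = 'C:\PLACEHOLDER\dropper.exe'            # placeholder path
$payload   = 'C:\PLACEHOLDER\svchost.exe'            # placeholder path (the fake copy)
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'PLACEHOLDER_VALUE_NAME'                # placeholder Run-key value name

# 1. Stop the shell first: a dropper that piggybacks on explorer.exe cannot
#    drop and relaunch the payload while Explorer is down.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue

# 2. Kill the dropper and payload by IMAGE PATH, not by name. Killing by name
#    would also hit the genuine System32\svchost.exe instances.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -in @($dropper, $payload)) } |
    ForEach-Object {
        "Stopping PID $($_.ProcessId) ($($_.ExecutablePath))"
        Stop-Process -Id $_.ProcessId -Force
    }

# 3. Remove the persistence entry, keeping a copy of the value for the record.
$entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($entry) {
    "Removing $runKey\$valueName = $($entry.$valueName)"
    Remove-ItemProperty -Path $runKey -Name $valueName
}

# 4. Clear read-only/system/hidden attributes (post #8's attrib trick), then delete.
foreach ($f in @($dropper, $payload)) {
    if (Test-Path -LiteralPath $f) {
        attrib -r -s -h "$f"
        Remove-Item -LiteralPath $f -Force
        "Deleted $f"
    }
}

# 5. Bring the shell back.
Start-Process explorer.exe
```

Run it in Safe Mode so fewer services are available for the malware to hide behind, then reboot and re-run the detection pass; if the payload or the Run value is back after a restart, another persistence location is still live, which is the point at which the other posters' advice to image and rebuild applies.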