Malwarebytes

Svchost.exe?


11 replies to this topic

#1
MartinGibbs

    New Member

  • Members
  • Pip
  • 8 posts
I have run MS Security Essentials with no items found, but when I run Malwarebytes, it keeps finding a "Trojan" in svchost.exe. I've run rkill, and it stops it, but then a re-run of Malwarebytes shows it again. Quarantining it and deleting the entry do no good, as it keeps coming back. The system seems otherwise clean.

Windows 7, 64bit, HP G72 laptop.

#2
shadowwar

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 2,690 posts
Can you please post a scan log from mbam so we can decide whether this may be a f/p or you may need some help in removing?
Thanks.
Rich Matteo
Research Engineer


#3
MartinGibbs


 shadowwar, on 07 September 2011 - 08:17 AM, said:

Can you please post a scan log from mbam so we can decide whether this may be a f/p or you may need some help in removing?
Thanks.


Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7666

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/7/2011 9:19:50 PM
mbam-log-2011-09-07 (21-19-50).txt

Scan type: Quick scan
Objects scanned: 187748
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Thanks!

#4
shadowwar

OK, can you please attach the file here? It will have to be zipped to attach.

This is definitely an incorrect location for this:

Files Infected: c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

So I would have to say you probably have an infection. But let's be sure. Please attach the file if possible.

Thanks
Rich Matteo
Research Engineer
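
The location check applied in the post above, as an added example that is not part of the original thread and is not Malwarebytes code: it reads detection lines from a scan log and flags a Windows system binary name reported outside its normal directory. The `EXPECTED_DIRS` table, the verdict strings and the `C:\Windows` system root are assumptions; the last two sample lines are constructed.

```python
import ntpath
import re

# Assumption: default install with C:\Windows as the system root.
# Directories where each binary legitimately lives (lower-cased).
SYS32 = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    "svchost.exe": SYS32,
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}
WINSXS = "c:\\windows\\winsxs\\"  # component store keeps side-by-side copies

# Matches "<path> (<detection name>) -> <action>", with or without the
# "Files Infected:" prefix seen when the log is pasted on one line.
DETECTION = re.compile(
    r"^(?:Files Infected:\s*)?(?P<path>[A-Za-z]:\\.+?) "
    r"\((?P<name>[^()]+)\) -> (?P<action>.+)$"
)

def triage(log_text):
    """Return (path, detection, verdict) for every file detection line."""
    findings = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue  # headers, counters and "(No malicious items detected)"
        folder, exe = ntpath.split(ntpath.normpath(m["path"]).lower())
        allowed = EXPECTED_DIRS.get(exe)
        if allowed is None:
            verdict = "not-a-tracked-system-name"
        elif folder in allowed or (folder + "\\").startswith(WINSXS):
            verdict = "expected-location"
        else:
            verdict = "system-name-wrong-location"
        findings.append((m["path"], m["name"], verdict))
    return findings

# First line is the detection from this thread; the other two are constructed.
SAMPLE_LOG = r"""
Files Infected: c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\svchost.exe (Trojan.Agent) -> No action taken.
c:\Users\demo\AppData\Local\Temp\setup (1).exe (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    for path, name, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:28} {name:14} {path}")
```

A `system-name-wrong-location` verdict is a reason to collect the file for analysis, as requested in the post above; it is not proof of infection on its own.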


#5
MartinGibbs

Do you mean attach the svchost.exe file?

#6
shadowwar

Yes, please.
Rich Matteo
Research Engineer


#7
MartinGibbs

Attached


#8
shadowwar

As I suspected, your PC is infected with a rootkit that puts this file there.

You can try running this tool to fix it:

http://support.kaspe.../?qid=208280684

Or please visit our malware removal forums and they will help with removal.
Rich Matteo
Research Engineer


#9
MartinGibbs

OK, thanks, will be moving to the removal forums. Still coming back after the scan...

#10
shadowwar

OK, just so you know: this file indicates the Pihar rootkit, and that is an MBR infector.
Rich Matteo
Research Engineer


#11
LPGrassfed

    New Member

  • Members
  • Pip
  • 2 posts
I have the same problem. Here is an mbam log from the last detection of the trojan. Thanks.

#12
shadowwar

Please visit our malware removal forums and they will help you there. This is for reporting false positives only.

Thanks.
Rich Matteo
Research Engineer
