Svchost Generic Trojan. Suggestions?
I'm using Windows XP, SP 3 and BitDefender Antivirus 2009. I've just started using Spybot Search and Destroy as well, in order to try and fix this issue.
<ScanDetails>
<AffectedItem index="0" itemType ="File" path="[system]=]C:\WINDOWS\system32\svchost.exe (full dump)" threatType="virus" threatName="DeepScan:Generic.PWStealer.FD3FDA81" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="1" itemType ="Process" path="[system]=]C:\WINDOWS\system32\svchost.exe (memory dump)" threatType="virus" threatName="Generic.PWStealer.0E96BF1A" action="disinfect" finalStatus= "infected" error= "no action possible"/>
</ScanDetails>
Any help very gratefully received.
Comments
-
Hello Madrayken,
Spybot was installed after this detection appeared, or before?
Please tell me in what language in your Windows XP? And what other important applications are you using usually?
I will try to find out some details about this detection and then I'll post back here.
Cris.0 -
Hello Madrayken,
Spybot was installed after this detection appeared, or before?
Please tell me in what language in your Windows XP? And what other important applications are you using usually?
I will try to find out some details about this detection and then I'll post back here.
Cris.
I installed Spybot after this detection.
My Windows XP is in English.
I usually use Firefox, but in this case the newest things I'd installed were Google Chrome and SFPack, (something used to decompress soundfonts) and that's about it. I use music software such as EnergyXT regularly. This machine is usually used for browsing the web.0 -
Please download this tool: BitDefender AVIS
Unpack all files from that archive into a new, empty folder.
Then run avis.exe, go to System info and generate a complete system log, using the settings from this screenshot:
The path where the log will be generated will automatically be set to your Desktop. In the screenshot, that path is just an example.
After the scan is finished, the log will be placed on your desktop, named bd_sys_log.xml.zip. Please upload that file on a file-sharing server (like rapidshare) and send me a download link through PM. We will analyze the log and give you further information.
Notice: Please do NOT make a system scan for malware with AVIS, unless specifically told so by one of the BitDefender Support Member or BitDefender Virus Analyst. Thank you.
Also, please post the whole scan log (which you posted in the first post).
Cris.0 -
Added the full dump. I'm PMing you now with a direct link to the other file.
Thanks for the help, by the way.0 -
As the BitDefender scanlog shows, you also had other infections which were cleaned. Please restart your system and make another scan. It's enough to scan only the C drive, and also the memory, so you can create a custom scan task.
When the scan is finished, please attach the scanlog here.
Cris.0 -
As the BitDefender scanlog shows, you also had other infections which were cleaned. Please restart your system and make another scan. It's enough to scan only the C drive, and also the memory, so you can create a custom scan task.
When the scan is finished, please attach the scanlog here.
Cris.
Doing this now. Might take a while.
In the meantime, I thought that if bitdefender shows a virus attached to svchost.exe it is permanent until something else alters and fixes the svchost.exe file in the system32 folder. Am I incorrect?0 -
In the meantime, I thought that if bitdefender shows a virus attached to svchost.exe it is permanent until something else alters and fixes the svchost.exe file in the system32 folder. Am I incorrect?
Actually, yes, you are incorrect. If the local file in system32 was infected, then BitDefender should detect it locally (as it detects it in memory).
But since the detection appears only in memory and not on the local file, it means that the local file is clean, and the infection took place dynamically. In other words, another process might have injected something in svchost.exe while it was running, leaving the original file intact.
And since the infections that BitDefender removed on your previous scan were active processes (they were registered in Windows Startup, so they ran at some point), then the injection might have come from there. Also, since those infections were removed, there is a chance that now, after this scan you're making, everything will be clean. But to be certain, we have to see the scanlog.
Cris.0 -
Actually, yes, you are incorrect.
Good!
Here's the most recent dump attached for my scan of C:
The scan went through with no problems this time (only the zipped xml file created by avis).0 -
I'm glad it was sorted out.
You can delete the report generated by AVIS, so it won't appear in later scans.
If you have problems in the future, don't hesitate to post back here. But for now, I'll consider this topic closed.
Cris.
== CLOSED (issue solved) ==
== In case you need this topic reopened, please contact a member of the Moderating Team by PM. ==0