Svchost Generic Trojan. Suggestions?

I'm using Windows XP, SP 3 and BitDefender Antivirus 2009. I've just started using Spybot Search and Destroy as well, in order to try and fix this issue.


<ScanDetails>
<AffectedItem index="0" itemType ="File" path="[system]=]C:\WINDOWS\system32\svchost.exe (full dump)" threatType="virus" threatName="DeepScan:Generic.PWStealer.FD3FDA81" action="disinfect" finalStatus= "infected" error= "disinfect failed"/>
<AffectedItem index="1" itemType ="Process" path="[system]=]C:\WINDOWS\system32\svchost.exe (memory dump)" threatType="virus" threatName="Generic.PWStealer.0E96BF1A" action="disinfect" finalStatus= "infected" error= "no action possible"/>
</ScanDetails>


Any help very gratefully received.

Comments

  • Hello Madrayken,


    Spybot was installed after this detection appeared, or before?


    Please tell me what language your Windows XP is in. And what other important applications do you usually use?


    I will try to find out some details about this detection and then I'll post back here.


    Cris.

  • I installed Spybot after this detection.


    My Windows XP is in English.


    I usually use Firefox, but in this case the newest things I'd installed were Google Chrome and SFPack, (something used to decompress soundfonts) and that's about it. I use music software such as EnergyXT regularly. This machine is usually used for browsing the web.

  • alexcrist
    edited June 2009

    Please download this tool: BitDefender AVIS


    Unpack all files from that archive into a new, empty folder.


    Then run avis.exe, go to System info and generate a complete system log, using the settings from this screenshot:


    (screenshot: avis.jpg)


    The path where the log will be generated will automatically be set to your Desktop. In the screenshot, that path is just an example.


    After the scan is finished, the log will be placed on your desktop, named bd_sys_log.xml.zip. Please upload that file on a file-sharing server (like rapidshare) and send me a download link through PM. We will analyze the log and give you further information.


    Notice: Please do NOT make a system scan for malware with AVIS, unless specifically told to do so by one of the BitDefender Support Members or BitDefender Virus Analysts. Thank you.


    Also, please post the whole scan log (which you posted in the first post).


    Cris.

  • Added the full dump. I'm PMing you now with a direct link to the other file.


    Thanks for the help, by the way.


    Attachment: 1244710154_1_02.xml

  • As the BitDefender scanlog shows, you also had other infections which were cleaned. Please restart your system and make another scan. It's enough to scan only the C drive, and also the memory, so you can create a custom scan task.


    When the scan is finished, please attach the scanlog here.


    Cris.

  • Doing this now. Might take a while.


    In the meantime, I thought that if BitDefender shows a virus attached to svchost.exe it is permanent until something else alters and fixes the svchost.exe file in the system32 folder. Am I incorrect?

  • alexcrist
    edited June 2009


    Actually, yes, you are incorrect. If the local file in system32 was infected, then BitDefender should detect it locally (as it detects it in memory).


    But since the detection appears only in memory and not on the local file, it means that the local file is clean, and the infection took place dynamically. In other words, another process might have injected something in svchost.exe while it was running, leaving the original file intact.


    And since the infections that BitDefender removed on your previous scan were active processes (they were registered in Windows Startup, so they ran at some point), then the injection might have come from there. Also, since those infections were removed, there is a chance that now, after this scan you're making, everything will be clean. But to be certain, we have to see the scanlog.


    Cris.
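The distinction Cris draws, a detection on the file on disk versus a detection only in a running process's memory, can be read straight out of the ScanDetails format quoted at the top of the thread. The following is an added example, not code from the thread or from BitDefender: it parses a constructed log in that format, tags each item as disk or memory, and lists paths that were flagged in memory but never on disk (the memory-only case that points to injection into a running process rather than a modified file).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same shape as the ScanDetails log posted in the thread.
SAMPLE_LOG = r"""<ScanDetails>
<AffectedItem index="0" itemType="File" path="[system]=]C:\WINDOWS\system32\svchost.exe (full dump)" threatType="virus" threatName="DeepScan:Generic.PWStealer.FD3FDA81" action="disinfect" finalStatus="infected" error="disinfect failed"/>
<AffectedItem index="1" itemType="Process" path="[system]=]C:\WINDOWS\system32\svchost.exe (memory dump)" threatType="virus" threatName="Generic.PWStealer.0E96BF1A" action="disinfect" finalStatus="infected" error="no action possible"/>
</ScanDetails>"""


def clean_path(raw):
    # "[system]=]C:\...\svchost.exe (full dump)" -> "C:\...\svchost.exe"
    path = raw.split("]")[-1]
    return path.rsplit(" (", 1)[0]


def parse_scan_details(xml_text):
    """Return one dict per AffectedItem with the fields needed for triage."""
    root = ET.fromstring(xml_text)
    items = []
    for el in root.iter("AffectedItem"):
        raw = el.get("path", "")
        items.append({
            "index": int(el.get("index", "-1")),
            "item_type": el.get("itemType", ""),
            "path": clean_path(raw),
            # "(memory dump)" is a running process image; anything else is the file on disk.
            "location": "memory" if raw.endswith("(memory dump)") else "disk",
            "threat": el.get("threatName", ""),
            "status": el.get("finalStatus", ""),
            "error": el.get("error", ""),
        })
    return items


def unresolved(items):
    """Items still reported infected where the scanner could not act."""
    return [i for i in items if i["status"] == "infected" and i["error"]]


def memory_only_paths(items):
    """Paths flagged in process memory but never on disk (lower-cased for comparison)."""
    on_disk = {i["path"].lower() for i in items if i["location"] == "disk"}
    in_memory = {i["path"].lower() for i in items if i["location"] == "memory"}
    return in_memory - on_disk


if __name__ == "__main__":
    parsed = parse_scan_details(SAMPLE_LOG)
    for item in parsed:
        print(f'{item["index"]}: {item["location"]:6} {item["path"]}  {item["threat"]}  [{item["error"]}]')
    print("memory-only paths:", memory_only_paths(parsed) or "none")
```

A memory-only result is the case Cris describes (the file on disk is clean and something injected into the running process); an item flagged on disk with "disinfect failed" is the case where the file itself needs attention.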

  • Actually, yes, you are incorrect.


    Good! :D


    Here's the most recent dump attached for my scan of C:


    The scan went through with no problems this time (only the zipped xml file created by avis).


    Attachment: 1244731755_1_02.xml

  • I'm glad it was sorted out. :)


    You can delete the report generated by AVIS, so it won't appear in later scans.


    If you have problems in the future, don't hesitate to post back here. But for now, I'll consider this topic closed. :)


    Cris.


    == CLOSED (issue solved) ==


    == In case you need this topic reopened, please contact a member of the Moderating Team by PM. ==
