MartinGibbs Posted September 7, 2011 ID:473599
I have run MS Security Essentials with no items found, but when I run Malwarebytes, it keeps finding a "Trojan" in svchost.exe. I've run rkill, and it stops it, but then a re-run of Malwarebytes shows it again. Quarantining it and deleting the entry do no good, as it keeps coming back. The system seems otherwise clean.
Windows 7, 64-bit, HP G72 laptop.

shadowwar (Staff) Posted September 7, 2011 ID:473601
Can you please post a scan log from mbam so we can decide whether this may be a f/p or you may need some help in removing? Thanks.

MartinGibbs (Author) Posted September 8, 2011 ID:473871
Quote: Can you please post a scan log from mbam so we can decide whether this may be a f/p or you may need some help in removing? Thanks.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7666
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

9/7/2011 9:19:50 PM
mbam-log-2011-09-07 (21-19-50).txt

Scan type: Quick scan
Objects scanned: 187748
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Thanks!

shadowwar (Staff) Posted September 8, 2011 ID:473875
Ok, can you please attach the file here? It will have to be zipped to attach. This is definitely an incorrect location for this:

Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

So I would have to say you probably have an infection. But let's be sure. Please attach the file if possible. Thanks.

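Added example, not part of the thread and not Malwarebytes' own code: a triage check for the point made in the post above, that a system binary name reported outside its normal directory is a strong infection indicator. It parses detection entries in the log format shown earlier; the `EXPECTED_DIRS` allowlist, the function names and all sample entries except the first are assumptions made for illustration.

```python
import ntpath
import re

# Assumption: normal on-disk directories for a few core Windows binaries
# (SysWOW64 holds the 32-bit copies on 64-bit Windows).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}

# One detection entry: <path> (<detection name>) -> <action taken>
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$",
    re.MULTILINE,
)

# Constructed sample: the first entry is from the thread, the rest are invented.
SAMPLE_LOG = r"""Files Infected:
c:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Program Files (x86)\Example\toolbar.exe (PUP.Example) -> No action taken.
c:\Windows\System32\svchost.exe (Example.Detection) -> No action taken.
"""


def parse_detections(log_text):
    """Return (path, detection, action) for every file entry in the log text."""
    return [(m["path"], m["name"], m["action"].strip())
            for m in ENTRY.finditer(log_text)]


def misplaced_system_binaries(log_text):
    """Flag entries whose file name is a known system binary in an unexpected directory."""
    findings = []
    for path, name, _action in parse_detections(log_text):
        directory, base = ntpath.split(path.lower())  # Windows path rules on any OS
        expected = EXPECTED_DIRS.get(base)
        if expected and directory not in expected:
            findings.append((path, name, sorted(expected)))
    return findings


if __name__ == "__main__":
    for path, name, expected in misplaced_system_binaries(SAMPLE_LOG):
        print(f"{path} [{name}] expected under: {', '.join(expected)}")
```

A hit from this check says the file name is being reused in the wrong place; it does not identify the dropper, which is why the file keeps returning after quarantine in this thread.
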
MartinGibbs (Author) Posted September 8, 2011 ID:473976
Do you mean attach the svchost.exe file?

shadowwar (Staff) Posted September 8, 2011 ID:474205
Yes, please.

MartinGibbs (Author) Posted September 8, 2011 ID:474244
Attached: svchost.zip

shadowwar (Staff) Posted September 9, 2011 ID:474274
As I suspected, your PC is infected with a rootkit that puts this file there. You can try running this tool to fix it:
http://support.kaspersky.com/faq/?qid=208280684
Or please visit our malware removal forums and they will help with removal.

MartinGibbs (Author) Posted September 9, 2011 ID:474291
OK, thanks, will be moving to the removal forums. Still coming back after the scan...

shadowwar (Staff) Posted September 9, 2011 ID:474430
Ok, just so you know, this file indicates the pahir rootkit, and that is an MBR infector.

LPGrassfed Posted December 11, 2011 ID:503636
I have the same problem. Here is an mbam log from the last detection of the trojan. Thanks.

shadowwar (Staff) Posted December 11, 2011 ID:503641
Please visit our malware removal forums and they will help you there. This is for reporting false positives only. Thanks.