Help for removing a trojan horse
Thread poster: Robert Fong

Robert Fong  Identity Verified
China
Local time: 19:16
English to Chinese
Mar 25, 2005

My computer was infected with a trojan horse the day before, when I was browsing a web site. It disguised itself as svch0st.exe (not 'o' but '0') in the /system32 directory. Whenever I run a program, it detects this and executes itself first. I killed the trojan process in memory and deleted the SVCH0ST.exe file from the /system32 directory. But when I run programs again, it reappears! Apparently there are other copies of the trojan on my disk, and other trojan threads in my memory! So when the trojan thread detects that the trojan file has been deleted, it copies the trojan file back from another place and executes it.
I searched the Internet and found that the trojan horse may well be used for logging my keystrokes when I log on to a bank website. But the methods they provide to manually remove the trojan are no help to me, since the trojan horse in my computer is more vicious than the ones they have dealt with.
Finally I adopted an alternative method to avoid running the trojan horse. I replaced the trojan file (svch0st.exe) with a small program I developed (used to check whether my computer is connected to the Internet, and to display a dialog box showing the information). This time, when I run programs, my small program runs instead of the trojan. All I have to do is click the OK button to close the program.
But this is just a temporary method; I want to find the real culprit and eradicate the trojan horse. Any good suggestions?



Jerzy Czopik  Identity Verified
Germany
Local time: 13:16
Member (2003)
Polish to German
Get Trojanhunter Mar 25, 2005

This is quite valuable software, which not only removes trojans but also helps to protect your PC in the future.
Even if it is not free, I think that spending $49 on it isn't too much. Further, consider installing a software firewall on your system.

Information about Trojanhunter may be found on this website.
Some information about virus scanners and firewalls can be found here.

Regards
Jerzy



Robert Fong  Identity Verified
China
Local time: 19:16
English to Chinese
TOPIC STARTER
Thanks for your information Mar 25, 2005

Thanks for your information. I may consider using trojan removal software. I have Symantec AntiVirus software installed with the latest LiveUpdates, but it's no help at all. I had been using the Sygate firewall before, when I connected directly to the Internet. Now I have constructed a local area network and my computers are behind the ADSL modem (the modem has the real IP address; my computers use 192.168.1.XXX addresses), so I don't have to use a firewall now, and it won't remove trojans anyway.
I have never used trojan removal software before. Sometimes when my computer did get a trojan horse, I would remove it manually. I know quite well the tricks trojan horses play. But this time, I cannot figure it out...



Jerzy Czopik  Identity Verified
Germany
Local time: 13:16
Member (2003)
Polish to German
Sure you use a modem Mar 25, 2005

but this does not mean that you cannot get a trojan infection from inside. What you are protected from is a trojan attack from outside, but with modern trojans a modem using the standard IP address of 192.168.2.1 is no guarantee - this is the best known configuration, used by any private network by default. So you can imagine how easily this could be circumvented.

Using only a virus scanner is not enough to protect yourself against a trojan. You must have downloaded the trojan along with other software somewhere, so it works as a trojan horse - from inside.

Regards
Jerzy



Kirill Semenov  Identity Verified
Ukraine
Local time: 14:16
Member (2004)
English to Russian
I recommend a great site Mar 25, 2005

Dear Xuchun, I recommend to you and others a great site:

http://windowsbbs.com/

Just register and ask for help in the corresponding forum (Removing Spyware & Viruses). People are great there, and they will help you. Recently I had a problem with a very tricky adware, and I got great help there -- not only did they help me remove the nasty pop-ups, but they also advised me on how to protect my computer better in the future. Highly recommended!

[Edited at 2005-03-26 09:51]



Robert Fong  Identity Verified
China
Local time: 19:16
English to Chinese
TOPIC STARTER
The trojan horse entered by exploiting the IE vulnerabilities. Mar 25, 2005

Jerzy Czopik wrote:

but this does not mean that you cannot get a trojan infection from inside. What you are protected from is a trojan attack from outside, but with modern trojans a modem using the standard IP address of 192.168.2.1 is no guarantee - this is the best known configuration, used by any private network by default. So you can imagine how easily this could be circumvented.

Using only a virus scanner is not enough to protect yourself against a trojan. You must have downloaded the trojan along with other software somewhere, so it works as a trojan horse - from inside.

Regards
Jerzy


By placing my computer behind a modem and a hub, hackers usually won't be able to plant a trojan horse on my computer without first breaking into my modem, which is far more difficult than directly dealing with the computer. But the trojan horse in my computer apparently exploited the IE vulnerabilities, not from inside, because when I clicked a web page listed in a Google search, the trojan horse and several other alien programs immediately went into my computer. I never ran any of the programs. My antivirus software only reported once that a program had been quarantined. But for the rest of the programs, I had to kill them immediately in memory and then delete the files on the disk.



Robert Fong  Identity Verified
China
Local time: 19:16
English to Chinese
TOPIC STARTER
Thank you for the web site Mar 25, 2005

I will check the pages to see if I can get any help there. Thanks!


Robert Fong  Identity Verified
China
Local time: 19:16
English to Chinese
TOPIC STARTER
I removed the trojan finally Mar 26, 2005

I removed the trojan finally. It's indeed a password-stealing trojan! Here is what I did:

When I was trying to find a clue, I suddenly got the idea to search the /windows/system32 directory by entering the DOS command 'dir /ah' as I had done before. Then the suspected files were revealed: 'lnterapi64.dll' and 'lnterapi32.dll', which are set as hidden, read-only and system. The exact clue was found! The following is the exact trojan in my computer:

http://www.sophos.com/virusinfo/analyses/trojlegmiraaz.html
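Two things in this thread are worth turning into a repeatable check: the first post's svch0st.exe (a zero standing in for the letter 'o' in a well-known system binary name) and the final post's 'dir /ah' listing that surfaced files with both the hidden and system attributes set. The script below is an added example, not code from the original thread or from any of the posters; it folds visually confusable characters so a file name can be compared against a short allow-list of legitimate Windows binary names, and it flags entries carrying the hidden+system attribute combination. The allow-list, the confusable-character map and the sample listing are constructed for the example and are assumptions, not an inventory of a real system32 directory.

```python
"""Triage a directory listing for system-binary lookalikes and hidden+system files."""
import os

# Win32 file attribute bits (same values as the FILE_ATTRIBUTE_* constants).
ATTR_READONLY = 0x1
ATTR_HIDDEN = 0x2
ATTR_SYSTEM = 0x4
ATTR_ARCHIVE = 0x20

# Illustrative allow-list of well-known Windows binary names. This is an
# assumption made for the example, not an exhaustive list of %SystemRoot%\system32.
KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "kernel32.dll", "user32.dll",
}

# Characters that look alike in common fonts, each folded to one representative
# (zero to 'o', digit one / lowercase L / pipe to 'i', five / dollar to 's').
CONFUSABLE = str.maketrans({"0": "o", "1": "i", "l": "i", "|": "i", "5": "s", "$": "s"})


def skeleton(name: str) -> str:
    """Fold a file name so that visually confusable spellings compare equal.
    Lower-cases first (so uppercase 'I' becomes 'i' and meets lowercase 'l'),
    then folds the 'rn' pair to 'm', then applies the single-character map."""
    return name.lower().replace("rn", "m").translate(CONFUSABLE)


# Skeleton -> legitimate name, built once from the allow-list.
KNOWN_SKELETONS = {skeleton(n): n for n in KNOWN_GOOD}


def lookalike_of(name: str):
    """Return the legitimate name this file name imitates, or None.
    An exact (case-insensitive) match is the real binary, not a lookalike."""
    if name.lower() in KNOWN_GOOD:
        return None
    return KNOWN_SKELETONS.get(skeleton(name))


def is_hidden_system(attrs: int) -> bool:
    """True when both the HIDDEN and SYSTEM bits are set, the combination that
    'dir /ah' surfaced in the thread. Ordinary user files rarely carry both."""
    both = ATTR_HIDDEN | ATTR_SYSTEM
    return attrs & both == both


def triage(listing):
    """listing: iterable of (file_name, attribute_bits).
    Returns a list of (file_name, [reasons]) for every suspicious entry."""
    findings = []
    for name, attrs in listing:
        reasons = []
        target = lookalike_of(name)
        if target:
            reasons.append(f"name imitates {target}")
        if is_hidden_system(attrs):
            reasons.append("hidden+system attributes")
        if reasons:
            findings.append((name, reasons))
    return findings


def scan_directory(path):
    """Run triage over a real directory. Attribute bits come from
    st_file_attributes, which only exists on Windows; elsewhere they read as 0
    and only the name check applies."""
    listing = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        listing.append((entry.name, getattr(st, "st_file_attributes", 0)))
    return triage(listing)


# Constructed sample listing modelled on the thread; not output of a real scan.
SAMPLE = [
    ("svchost.exe", ATTR_ARCHIVE),
    ("svch0st.exe", ATTR_ARCHIVE),   # zero in place of 'o'
    ("lnterapi64.dll", ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM),
    ("kernel32.dll", ATTR_ARCHIVE),
    ("kerne132.dll", ATTR_ARCHIVE),  # digit one in place of 'l'
    ("readme.txt", ATTR_HIDDEN),     # hidden alone is not enough to flag
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample listing the script reports svch0st.exe and kerne132.dll as name lookalikes and lnterapi64.dll for its attribute combination; lnterapi64.dll is not matched by name because nothing resembling it is in the allow-list, which is the point of keeping the two checks independent. A lookalike name or a hidden+system file is a lead to examine, not proof on its own, so a hit should be followed by checking the file's publisher signature and hash against a known-good reference.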
