https://www.proz.com/forum/safe_computing/30749-help_for_removing_a_trojan_horse.html

Help for removing a trojan horse
Thread poster: Xuchun
Xuchun (China, English to Chinese), Mar 25, 2005

My computer was infected with a trojan horse the day before, when I was browsing a web site. It disguised itself as svch0st.exe (not 'o', but '0') in the /system32 directory. Whenever I run a program, it detects this and executes itself first. I killed the trojan process in memory and deleted the SVCH0ST.exe file from the /system32 directory. But when I ran programs again, it reappeared! Apparently there are other copies of the trojan on my disk, and another trojan thread in my memory! So when the trojan thread detects that the trojan file has been deleted, it copies the trojan file back from another place and executes it.
I searched the Internet and found that the trojan horse may well be used for logging my keystrokes when I log on to a bank website. But the methods they provide to manually remove the trojan are no help to me, since the trojan horse on my computer is more vicious than the ones they have dealt with.
Finally I adopted an alternative method to avoid running the trojan horse. I replaced the trojan file (svch0st.exe) with a small program I developed (used to check whether my computer is connected to the Internet and display a dialog box showing the information). This time, when I run programs, my small program runs instead of the trojan. All I have to do is click the OK button to close the program.
But this is just a temporary method; I want to find the real culprit and eradicate the trojan horse. Any good suggestions?


 
Jerzy Czopik (Germany, Polish to German), Mar 25, 2005
Get Trojanhunter

This is quite valuable software, which not only removes trojans but also helps to protect your PC in the future.
Even if it is not free, I think that spending $49 on it isn't too much. Further, consider installing a software firewall on your system.

Information about Trojanhunter may be found on this website.
Some information about virus scanners and firewalls can be found here.

Regards
Jerzy


 
Xuchun (topic starter), Mar 25, 2005
Thanks for your information

Thanks for your information. I may consider using trojan removal software. I have Symantec AntiVirus software installed with the latest live updates, but it's no help at all. I was using the Sygate firewall before, when I connected directly to the Internet. Now I have built a local area network and my computers are behind the ADSL modem (the modem has the real IP address; my computers use 192.168.1.XXX addresses), so I don't have to use a firewall now, and it won't remove trojans anyway.
I have never used trojan removal software before. Sometimes when my computer did get a trojan horse, I would remove it manually. I know quite well the tricks trojan horses play. But this time, I cannot figure it out...


 
Jerzy Czopik, Mar 25, 2005
Sure you use a modem

but this does not mean that you cannot get a trojan infection from inside. What you are protected against is a trojan attack from outside, but with modern trojans a modem using the standard IP address of 192.168.2.1 is no guarantee - this is the best known configuration, used by any private network by default. So you can imagine how easily this could be omitted.

Using only a virus scanner is not enough to protect yourself against a trojan. You must have downloaded the trojan along with other software somewhere, so it works as a trojan horse - from inside.

Regards
Jerzy


 
Kirill Semenov (Ukraine, English to Russian), Mar 25, 2005
I recommend a great site

Dear Xuchun, I recommend to you and others a great site:

http://windowsbbs.com/

Just register and ask for help in the corresponding forum (Removing Spyware & Viruses). People are great there, and they will help you. Recently I had a problem with a very tricky adware, and I got great help there -- not only did they help me remove the nasty pop-ups, but they also advised me on how to protect my computer better in the future. Highly recommended!

[Edited at 2005-03-26 09:51]


 
Xuchun (topic starter), Mar 25, 2005
The trojan horse entered by exploiting IE vulnerabilities.

Jerzy Czopik wrote:

but this does not mean that you cannot get a trojan infection from inside. What you are protected against is a trojan attack from outside, but with modern trojans a modem using the standard IP address of 192.168.2.1 is no guarantee - this is the best known configuration, used by any private network by default. So you can imagine how easily this could be omitted.

Using only a virus scanner is not enough to protect yourself against a trojan. You must have downloaded the trojan along with other software somewhere, so it works as a trojan horse - from inside.

Regards
Jerzy


By placing my computer behind a modem and a hub, hackers usually won't be able to plant a trojan horse on my computer without first breaking into my modem, which is far more difficult than directly dealing with the computer. But the trojan horse inside my computer apparently exploited IE vulnerabilities, not from inside, because when I clicked a web page listed in a Google search, the trojan horse and several other alien programs immediately went into my computer. I never ran any of the programs. My antivirus software reported only once that a program had been quarantined. For the rest of the programs, I had to kill them immediately in memory and then delete the files on the disk.


 
Xuchun (topic starter), Mar 25, 2005
Thank you for the web site

I will check the pages to see if I can get any help there. Thanks!

 
Xuchun (topic starter), Mar 26, 2005
I removed the trojan finally

I removed the trojan finally. It's indeed a password-stealing trojan! Here is what I did:

When I was trying to find a clue, I suddenly got the idea to search the /windows/system32 directory by entering the DOS command 'dir /ah', as I did before. Then the suspect files were revealed: 'lnterapi64.dll' and 'lnterapi32.dll', which are set as hidden, read-only and system. The exact clue was found! The following is the exact trojan on my computer:

http://www.sophos.com/virusinfo/analyses/trojlegmiraaz.html
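The two clues that finally cracked this case (a system-binary name with a swapped character, and DLLs parked in system32 with hidden+system attributes, which plain `dir` hides and `dir /ah` shows) can be turned into a small triage check. The script below is an added example, not code from the thread or from Sophos; the allow-list of system binaries and the directory listing are constructed for the demonstration.

```python
"""Added triage helper for the two clues in this thread: a lookalike name
(svch0st.exe for svchost.exe) and hidden+system DLLs that 'dir /ah' exposed."""
from typing import Dict, List, Optional, Tuple

READONLY, HIDDEN, SYSTEM = 0x1, 0x2, 0x4   # Windows FILE_ATTRIBUTE_* bit values

# Homoglyphs swapped into system names; folded on BOTH sides before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "5": "s"})

# Constructed allow-list of well-known system32 binaries (not exhaustive).
KNOWN_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

def fold(name: str) -> str:
    """Case-fold and collapse confusable characters."""
    return name.lower().translate(CONFUSABLES)

def lookalike_of(name: str) -> Optional[str]:
    """Legitimate name this file imitates, or None if genuine or unrelated."""
    if name.lower() in KNOWN_BINARIES:
        return None
    folded = fold(name)
    return next((k for k in KNOWN_BINARIES if fold(k) == folded), None)

def hidden_system(attrs: int) -> bool:
    """Attribute pair the poster found on lnterapi32.dll / lnterapi64.dll."""
    return (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM)

def triage(listing: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Map each suspect filename to the reasons it deserves a closer look."""
    findings: Dict[str, List[str]] = {}
    for name, attrs in listing:
        reasons = []
        target = lookalike_of(name)
        if target:
            reasons.append(f"name imitates {target}")
        if hidden_system(attrs):
            reasons.append("hidden+system attributes")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed directory listing: (filename, attribute bits).
SAMPLE_LISTING = [
    ("svchost.exe", 0),
    ("lsass.exe", 0),
    ("svch0st.exe", 0),                             # digit zero, as in the thread
    ("lnterapi64.dll", READONLY | HIDDEN | SYSTEM),  # lowercase L, as in the thread
    ("desktop.ini", HIDDEN),                        # hidden alone is routine
]
```

The output is a list of candidates for manual inspection, not a verdict: some legitimate files carry hidden+system attributes, so each hit still needs its vendor signature or hash checked.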