Metascan found Trojan.Girtk.TJS.nlms.mg in svchost.exe

Hello everyone,

Every time I turn on my computer, Avast tells me about 10-20 times that different URLs like

“http://reddie.net/2828/<%GetRandomNameByCount(panda_bits”
“http://blackled.info/2828/<%GetRandomNameByCount(panda_bits”
“http://reduled.info/2828/…” (all found in svchost.exe) have been blocked.

I ran Metascan and it found “Trojan.Girtk.TJS.nlms.mg” in svchost.exe.
Unfortunately Malwarebytes’ Anti-Malware didn’t find anything.

The log files by Malwarebytes, FRST.exe and aswMBR are attached.

I am really looking forward to your help.
Thanks in advance!

I ran Metascan and it found "Trojan.Girtk.TJS.nlms.mg" in svchost.exe.
Was it detected by the Filseclab engine?

Yes, exactly.

False Positive https://forum.avast.com/index.php?topic=164547.msg1172949#msg1172949

everytime I turn on my computer, Avast tells me about 10-20 times that different URL like
essexboy will fix this when online later today ... I guess he is online in 3-4 hours

Ah, I see! Virustotal.com indicated “Probably harmless! There are strong indicators suggesting that this file is safe to use.”. Thanks.
Alright, I’ll just wait … :)

If you click the additional info tab, scroll down a bit and see the date for first submission, guessing it is several years old … or?

and under file detail tab you can see who made it and if digitally signed

Yep, it says: “First submission 2013-09-03 13:43:01 UTC ( vor 1 Jahr, 4 Monate )” :)

Could you let me know if this stops the alerts?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:64883;https=127.0.0.1:64883
2014-12-27 21:14 - 2014-12-27 21:14 - 00003106 _____ () C:\WINDOWS\System32\Tasks\{8BAA66D2-7E6B-4024-9506-77C3815FF4FE}
2014-12-27 21:08 - 2014-12-28 13:27 - 00000000 ____D () C:\ProgramData\UTahPOc
2014-12-21 15:27 - 2014-12-21 15:27 - 00000000 __SHD () C:\Users\Nina\AppData\Local\EmieBrowserModeList
2014-12-21 13:50 - 2014-12-21 13:50 - 00000000 __SHD () C:\Users\Nina\AppData\Local\EmieUserList
2014-12-21 13:50 - 2014-12-21 13:50 - 00000000 __SHD () C:\Users\Nina\AppData\Local\EmieSiteList
2014-12-21 13:44 - 2014-12-21 13:44 - 00000180 _____ () C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-09-01 09:18 - 2014-12-28 01:19 - 0000365 _____ () C:\Users\Nina\AppData\Roaming\FDWFQJH
Task: {FF18BFE8-578D-4450-9536-C2DE2A5E5828} - \temp_30b0cf2d-8587-4249-9b58-da5d8965da3c-2 No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
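
An added example, not part of the original posts and not FRST's own code: a small Python parser for the line shapes visible in the fixlist above, which separates directives from file entries and reports proxy settings that point at a loopback address. The field names and the reading of the attribute column are assumptions made for illustration; the sample lines are copied from the fixlist.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the fixlist in the post above.
SAMPLE = r"""CreateRestorePoint:
ProxyServer: [.DEFAULT] => http=127.0.0.1:64883;https=127.0.0.1:64883
2014-12-27 21:08 - 2014-12-28 13:27 - 00000000 ____D () C:\ProgramData\UTahPOc
2014-12-21 13:44 - 2014-12-21 13:44 - 00000180 _____ () C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
Task: {FF18BFE8-578D-4450-9536-C2DE2A5E5828} - \temp_30b0cf2d-8587-4249-9b58-da5d8965da3c-2 No Task File <==== ATTENTION
CMD: bitsadmin /reset /allusers"""

# Field names (created, modified, company) are this example's reading of the layout.
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r" - (?P<size>\d+) (?P<attrs>[A-Z_]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$")
DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z]+):\s*(?P<arg>.*)$")

def parse_line(line):
    """Classify one fixlist line as a file entry, a directive, or unknown."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        rec = {"kind": "file", **m.groupdict()}
        rec["size"] = int(rec["size"])
        rec["is_dir"] = "D" in rec["attrs"]  # assumption: D marks a directory
        return rec
    m = DIRECTIVE_RE.match(line)
    if m:
        return {"kind": "directive", **m.groupdict()}
    return {"kind": "unknown", "raw": line}

def loopback_proxies(records):
    """Return (scheme, host, port) for ProxyServer entries that point at loopback."""
    hits = []
    for r in records:
        if r["kind"] != "directive" or r["name"] != "ProxyServer":
            continue
        value = r["arg"].split("=>", 1)[-1].strip()
        for part in value.split(";"):
            scheme, _, hostport = part.rpartition("=")
            host, _, port = hostport.rpartition(":")
            try:
                if ip_address(host).is_loopback:
                    hits.append((scheme or "all", host, int(port)))
            except ValueError:
                pass  # not an IP literal or no numeric port; skipped, not resolved
    return hits

records = [parse_line(l) for l in SAMPLE.splitlines() if l.strip()]
```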

Oh wow! Thanks. Seems like the problem has been solved. I didn’t get any notifications yet.
I’m going to attach the fixlog.txt …

If all is well tomorrow let me know and I will tidy up

Thanks so much. My computer seems to be clean now… still didn’t get any notifications any more. :)

Hi, I’m having the same problems with permanent notifications about the mentioned URLs.
Although I already know from other replies that the problem seems harmless, the notifications are quite annoying.
How can I solve this issue?
@essexboy: in your fixing reply to the thread opener you mentioned that the explained procedure is especially for this unique machine,
is there already a common way to fix this?
Best regards and thanks for your help
David

@Specialized0815

For help, start your own topic and follow the instructions here: https://forum.avast.com/index.php?topic=53253.0