I am currently using avast! 4.x Professional and have recently come along the “Win32:Trojan-gen. {Other}” trojan. Avast seems to be the only program that detects this [usually by the On-Access Scanner] since AdAware and Spybot are unable to even detect this trojan. Anyway, the first thing I decided to do was to repair the file - I was unsuccessful. Next, I tried to move it to the virus chest - ok that worked - but shortly after I get a message saying that another file has been infected with it. This time I try deleting it and scheduled a boot time scan and the problem still persists. Right now, 99% of the time when the avast! Warning window pops up, it shows that “svcroot.dll” [in the windows system32 directory] is infected with the virus. Again, I tried deleting it, but nothing worked. This now brings me to where I am now - asking for your aid in helping me solve this annoying problem.
I have enclosed my most recent system log from HiJackThis! in hopes that it could help pinpoint the problem or is deemed useful.
Any help aiding in the rectification of this problem would be greatly appreciated!
--------------------------------------------Start of HiJackThis! Log---------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:16:02 PM, on 9/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
I suggest you try the good & FREE “Ewido” antitrojan program available from www.ewido.net/en . From what I have seen various Experts on anti-spyware forums recommend, you should uninstall MessengerPlus, known as a “carrier” of spyware. Your Java Runtime Environment program is several updates behind. If the Ewido does NOT remove your trojan, I would advise you to seek assistance on the forums at www.landzdown.com/index.php . That forum is staffed by the experts that used to advise on the now-defunct Lavasoft Ad-Aware Support forums, which includes HiJackThis Experts.
Ok, if you have Windows System Restore turned on, then turn it off. A virus can hide in System Restore; once you get rid of the virus, it just pops back out of System Restore.
Thank you for your help “The Maxx” and “Spiritsongs”. I’ll try out Ewido and leave my computer on overnight if need be. I realized that I didn’t turn off system restore, so I’ll do that as well. I assume for best results, I should update the definitions and scan my computer in safe mode. If the problem still persists, I’ll visit the forum you recommended.
A virus isn’t hiding in System Restore; viruses can be installed in the system restore folder to hide; they have to be placed there by the system restore process.
A virus just can’t pop out of system restore; someone or something has to initiate the restore point. That something would need to know the restore point ID, which is generated by Windows when, typically, the virus is deleted from a system folder.
Not only that, the original infected file name is also changed, so it would need to know that in order to restore it, and the only one allowed to rummage about inside the System Volume Information folder (to try and extract/restore files) is the System Restore process.
I’ve tried everything suggested by you people, with little luck. Ewido found nothing, and AdAware & SpyBot found a few minor spyware entries. I have decided to post my problem over at the LandzDown forums as suggested by you guys if the problem persisted.
If avast detected it, then I suggest that you schedule a boot-time scan from within avast! and that will scan before Windows is open; the file svcroot.dll won’t be in use and should be able to be deleted.
Sorry I didn’t answer your original question about svcroot.dll; I got sidetracked by some of the advice in the thread and failed to answer your question.
I’ve already tried what you’ve suggested. In fact, that was the first thing I did. I guess I forgot to mention it. What happened was that it deleted the file, but came back infected once I got into Windows. Trojans are a PAIN to deal with these days.
StarStrike
EDIT: It seems that P3-450 has found the solution to my problem! [view here: http://www.landzdown.com/index.php/topic,1585.0.html] So far, no alerts from avast!
I would like to thank you guys and the guys over at Landzdown for helping me solve my problem!
Sorry I neglected this almost totally; I should have directed you to an on-line analysis site that did pick up both of these as unknown and that would have raised suspicions.
Thank you for your help, I’ll definitely be looking into these HJT on-line analysis sites the next time a problem occurs. If I require any more help, I’ll be sure to ask you guys and the people over at the Landzdown forums first.
Thank you for the warm welcome. Let’s hope I can be as helpful to others as you all have been,