Troj_Dropper.zp

JacoStanley · 06-06-2006 7:24am #1

My anti-virus software detects this but can't seem to delete or quarantine it. It's located in something called svchost.exe. Any ideas please?

NutJob · 06-06-2006 10:36am

Yur in trouble. Your going to need to figure out if theres more than on copy of svhost lying around on the hard drive. If its the windows copy replace it from the windows cd using bart pe or a linux cd.

If its somewhere else on the drive and is a new file and simply the smae name you need to find where its being started from and then remove the file. If its running thew OS wont be able to modify it same goes for system binary hence a live cd is needed.

Being a dropper means its not actually a virus but it should contain one internally in its code or some other type of malware so get a full system scan done aswell.

JacoStanley · 06-06-2006 9:34pm

Cheers buddy,

I've run my scans and although it detects it, it won't do anything about it. Are you saying that I could replace the driver (if it is a driver) with the windows installation cd?

NutJob · 06-06-2006 11:54pm

JacoStanley wrote:

Cheers buddy,

I've run my scans and although it detects it, it won't do anything about it. Are you saying that I could replace the driver (if it is a driver) with the windows installation cd?

In theory yes. Only one way to find out but it may break stuff. Id try it and backup the dropper.

I googled it and all i could track down is a trend macro sketchy report. Can you give me the exact path to the binary?

JacoStanley · 07-06-2006 7:19am

NutJob wrote:

In theory yes. Only one way to find out but it may break stuff. Id try it and backup the dropper.

I googled it and all i could track down is a trend macro sketchy report. Can you give me the exact path to the binary?

Exact path to the binary? Do you mean the location of svchost?

C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\SVCHOST.EXE

I take it that's not what you mean?

timeout · 07-06-2006 12:46pm

First did you try running your antivirus in safe mode? if not try that. If that fails try the procedure below.

Prep
open msconfig(go to run type msconfig) click the tab that says startup. Untick the item listed as svchost.exe click ok and restart your computer.

Removal
on startup press f5 and enter safe mode. Run your antivirus program and the virus should be removed. Restart the computer and enter windows normally. When it restarts you will get a message about changes. tick the don't inform me checkbox and click ok.

Cleanup
Open msconfig again and make sure the svchost.exe is unchecked under startup. Open regedit(go to run type regedit). Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig and click the + next to startupreg. The folder there can be deleted.

NutJob · 07-06-2006 3:09pm

JacoStanley wrote:

Exact path to the binary? Do you mean the location of svchost?

C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP\SVCHOST.EXE

I take it that's not what you mean?

If thts the path its not the windows binary so all you need to do is delete it. Boot up in safe mode and you should have no problems.

If its starting from there its not a sophisticated dropper. I cant see how ur av couldnt get this in safe mode

JacoStanley · 07-06-2006 8:46pm

Nice one. Thanks a mil for the help. I'll give it a go later.

Troj_Dropper.zp

Comments