RootsChat.Com
General => Technical Help => Topic started by: Lloydy on Sunday 03 July 05 15:21 BST (UK)
-
A virus has somehow managed to get into my computer despite me having Norton Antivirus running (with up to date virus definitions).
A message keeps popping up on the screen and this is what it says:
VIRUS ALERT etc etc
File: C:\windows/svcihoslat.exe
Type: Trojan Horse
Unable to repair this file
A few seconds after, an Error box appears with the following:
Runtime error2 at 0040529A
I have had a look at the Symantec site at how to remove a Trojan Horse but it does seem to be a very complicated procedure, which I am not confident enough to try.
Can anyone help me please with the removal of this virus?
Thank you very much
Jan
-
Jan,
I can't find anything on svcihoslat.exe - are you sure it wasn't svchost.exe?
Anyway, best procedure is to run a full virus scan (i.e. check every file on your machine) and check the logs produced for any messages. You should get the name of the suspected virus listed at some point. (You may find that Norton has already logged this information, but I don't know the Norton software so can't tell where this would be.)
Once you have that, then it's possible to check for specific instructions to handle that virus. Some sites even have special utilities to clean up the commonest viruses.
Adrian
-
Adrian,
Thank you for your message and advice.
I had already run a full virus scan, and this morning I have opened Norton Antivirus Quarantine and the virus is listed in there as follows:-
General Info: Kiozif.exe
Type: Application File
Location: c:\WINDOWS\system32
Size: 49.4 kb
Quarantined: 30 June 05
Virus Info: Download, Trojan
Infects: N/A
Likelihood: Common
Side effect Info:
Registry Side Effects: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio Driver
Make any sense to you?!!!!
Jan
-
Jan,
Take a look at the following URL
http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html
I think this is the culprit the log is referring to. The file mentioned, kiozif.exe, isn't listed anywhere as a virus name in the two sources I have checked and it doesn't return any results on Google. This may be a file downloaded by the virus, or it may be a part of some software you have installed.
Either way, it needs removing. The instructions on the above web page are fairly straightforward - delete the quarantined file and clear out the temporary internet files stored by your browser, then run a full scan again to be sure it has gone.
You may have to do a little bit extra if you are running Windows XP.
It looks as though Norton has stopped the worst effects of the virus, however.
How it got onto your system is worth thinking about. It's not a new virus, so check anything you have downloaded recently.
All the best
Adrian
-
Hi Adrian
Thanks once again for your reply and advice.
I have done exactly what the Symantec site suggests but I'm still getting the Virus Alert message.
I have done another Live Update, restarted the PC in safe mode, done a full system scan for viruses and deleted the quarantined file.
Any other ideas please?
Jan
-
Jan,
The other possibility is that it's one of those viruses that rebuilds itself every time you reboot.
The log has an entry for a registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio Driver
It may be that this key is hiding the program that is rebuilding the virus.
You can get rid of this but BE CAREFUL. Editing the registry can be dangerous!!!
Go to the Start menu and click on Run...
Type regedit
Navigate down the tree till you find the above entry in the left hand panel (it may only go down as far as 'Run'). Check the right hand panel and see if there is an entry for HDAudio Driver. If so, note which file it is pointing at.
Don't go near the delete button at this stage!
See if you can find the file that was listed and delete it (you may want to copy it to a floppy in case it's innocent).
Restart your PC and run the virus scan yet again and see if the problem persists.
There are programs available on the web that will remove Download.trojan, but without checking them I can't be sure which is safe to use and worth recommending.
Unless anyone else has any better info...
Adrian
Close regedit
-
The advice given is pretty sound ... my only addition would be to create a backup copy of the registry files before adjusting any of the keys.
Run, type regedit, press Enter.
On the menu bar: File, Export, select All and create your copy,
which can be restored by using Import from the same part of the menu.
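
As an added example that is not part of the original thread: a read-only PowerShell audit of the Run key discussed in the two posts above. It exports the key as a backup first, then lists each autostart value with the file it points at, whether that file exists, and its signature status. The backup path and the use of Windows PowerShell 5.1 or later are assumptions.

```powershell
# Added example: nothing here deletes or modifies registry values or files.
$runKeyPs  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeyReg = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run'
$backup    = Join-Path $env:TEMP 'hklm-run-backup.reg'   # assumed backup location

# 1. Back up the key (regedit's File > Export, scoped to the Run branch).
& reg.exe export $runKeyReg $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export of $runKeyReg failed; no audit performed." }

# 2. Enumerate every value under Run and resolve the program it starts.
$key = Get-Item -LiteralPath $runKeyPs
$report = foreach ($name in $key.GetValueNames()) {
    if ($name -eq '') { continue }                 # skip the unnamed default value
    $command = [string]$key.GetValue($name)

    # Quoted form: "C:\dir with spaces\x.exe" args. Unquoted form: C:\dir\x.exe args.
    # An unquoted path containing spaces is cut at the first space and will
    # show as missing; treat that as a prompt to inspect the value by hand.
    if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Bare names such as rundll32.exe carry no directory and also show as missing.
    $exists = Test-Path -LiteralPath $exe -PathType Leaf
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
    $mtime  = if ($exists) { (Get-Item -LiteralPath $exe -Force).LastWriteTime } else { $null }

    [pscustomobject]@{
        Name      = $name
        Command   = $command
        Target    = $exe
        Exists    = $exists
        Signature = $sig
        Modified  = $mtime
    }
}

# 3. Show everything, then the entry named in the quarantine log if it is present.
$report | Sort-Object Name | Format-Table Name, Target, Exists, Signature, Modified -AutoSize -Wrap
$report | Where-Object { $_.Name -eq 'HDAudio Driver' } | Format-List
Write-Host "Backup written to $backup (restore with: reg import `"$backup`")"
```

An entry whose target is unsigned, recently modified, or sits directly in the Windows or system32 directory under an unfamiliar name is the one to look up before touching anything.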
-
Thanks for your further advice Adrian and Falkryn.
I don't know if this is just a coincidence but earlier today I deleted the latest version of MSN Messenger that I had downloaded and reverted back to a much older version. I remember reading somewhere on the Net that the latest version - the one with the "winks" (funny pictures with music that you send to get the attention of the person you're chatting to) - could cause security problems with your PC.
After deleting it I ran a full Virus Scan and no threats were detected. I am assuming it's gone.
As far as the Registry goes, I did have a quick look at it but decided against doing any amendments - looked far too complicated to me.
Jan
-
That may have been your problem ... without more information it's difficult to tell.
It is unusual for trojans like this to disguise themselves in the audio system as yours seems to indicate. Normally they duplicate names of system files and conceal themselves in there, where the average user won't touch.
Any more problems, post the details again and I'm sure somebody will be able to help.
-
:( :( :( Turned the PC on this morning and the same Virus Alert popped up again :( :( :(
Can someone tell me please, if I deleted a program from the PC does the Registry entry get deleted as well?
Jan
-
A properly constructed "uninstaller" should delete the registry entry as well .... but these are as rare as hen's teeth.
Try this tool; it's shareware but it's free for 30 days:
http://www.simplysup.com/tremover/details.html
It boasts that it lists every infected file and at the very least will allow you to identify them.
Have patience; the problem with these self-replicating trojans is that if you miss one branch the whole thing is back next time you boot up.
-
Hi Jan,
I have had a Trojan virus before. I was able to get rid of it by downloading another antivirus, e.g. Housecall or AVG Anti-Virus free edition, and did an online scan.
Don't know if this helps, but I hope it is of some help.
Nat
-
Falkryn - thank you for the Trojan Remover link. I have downloaded it, run the scan and done the trojan removing bit. Hurray, I thought, until I restarted the PC.................lo and behold there was the alert again!!!
So, I did another scan within the Trojan Remover programme and this time it said No malicious files etc. found ??? ??? but the alert is still there. THIS WILL NOT BEAT ME!!!!!!
Nat - Thank you for your reply too. I will try anything, so will have a look at your suggestion.
Jan
-
Are you running Windows ME or XP as your operating system? If so, you will have to disable System Restore before attempting to clean your machine, or else Windows will restore the files you have deleted.
Cheers
Guy
-
Thanks Guy.
I do use Windows XP and did originally disable the System Restore but forgot to do it when I ran the Trojan Remover. Ooops :-[ :-[
Must go and try again................. ;)
Jan