Endpoint Protection

  • 1.  svchost.exe and trojan.adclicker constantly being blocked

    Posted Dec 04, 2014 01:51 PM

    I have scanned in and out of safe mode with Symantec Endpoint Protection (unmanaged) and Malwarebytes.

    I have deleted temp files in user folders and in browsers.

    I would like to know how to deal with this issue. I think it keeps deleting and coming back somehow through cache or temp files and I'm unsure how to proceed.

    The trojan bit doesn't seem to be in the traffic log, but the svchost is listed numerous times.



  • 2.  RE: svchost.exe and trojan.adclicker constantly being blocked

    Posted Dec 04, 2014 05:00 PM

    The problem is this piece of malware injected itself into a valid, critical Windows file. You can easily replace it by booting off the Windows disk and doing a recovery. You may also try running a scan in safe mode with AdwCleaner or JRT to see if it can be cleaned. ComboFix is another option.
     



  • 3.  RE: svchost.exe and trojan.adclicker constantly being blocked

    Posted Dec 04, 2014 06:03 PM

    AdwCleaner and JRT deleted a few reg keys but that's it. I'll post back tomorrow with whether ComboFix does it. I really hate resorting to recovery but I think that's what's going to happen. Thanks Brian.



  • 4.  RE: svchost.exe and trojan.adclicker constantly being blocked

    Posted Dec 04, 2014 06:10 PM

    When malware injects into legit Windows processes, that's usually the case. SEP can't/won't delete it because it will brick the system. Replacing the file or a re-image are usually the only two ways to go, unfortunately.
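
Added example, not part of any post in this thread: a read-only PowerShell check that a responder could run before replacing the file or re-imaging, to see whether svchost.exe on disk still carries a valid signature and whether every running instance comes from the expected path and parent. It assumes Windows PowerShell 5.1 or later (earlier versions may not evaluate catalog signatures and can report system files as NotSigned); the variable names are illustrative.

```powershell
# Read-only triage; run from an elevated prompt so process paths are visible.
$expected = 'System32', 'SysWOW64' |
    ForEach-Object { Join-Path $env:SystemRoot "$_\svchost.exe" }

# 1. On-disk copies: signature status and hash for later comparison
#    against a known-good copy of the same Windows build.
$files = foreach ($path in $expected) {
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status      # 'Valid' is expected for an untouched file
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# 2. Running instances: image path and parent process.
#    Parent PIDs can be reused after the parent exits, so treat a
#    parent mismatch as a lead to follow up, not as proof.
$all  = Get-CimInstance -ClassName Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p.Name }

$running = foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent  = $byId[[int]$p.ParentProcessId]
    $badPath = ($null -ne $p.ExecutablePath) -and
               ($expected -notcontains $p.ExecutablePath)
    $badParent = ($null -ne $parent) -and ($parent -ine 'services.exe')
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        Parent      = $parent
        Review      = ($badPath -or $badParent)
        CommandLine = $p.CommandLine
    }
}

$files   | Format-List
$running | Sort-Object Review -Descending |
    Format-Table PID, Review, Parent, Path, CommandLine -AutoSize
```

A `Status` other than `Valid` means the file on disk has changed; a `Valid` file alongside continued blocks means the traffic originates from something running inside or next to the process rather than from a modified svchost.exe.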