Fax Have Computer Problem. Fax Need Helps.



Fax Celestis
2008-12-03, 01:32 PM
Blaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaarg.

Okay, now that that's out of the way: my wife's computer has recently received a trojan. I don't know which one. I'd be able to tell you but for what it's actually doing.

Symptoms
1) Popups. Like any malware, it seems the primary function of this is to create ads.
2) Slow system response.
3) Google Chrome, Spybot S&D, System Restore, Java, and installation attempts on most antivirus software (including MalwareBytes) do not function, even in safe mode. Exception: Spybot's Secure Shredder still functions.
4) There are about 22 different versions of svchost.exe running when I look at the running processes tab in the Task Manager.
5) lsass.exe (a system process) intermittently takes between 0 and 45% CPU, with varying degrees of frequency (see What's Wrong, below).
6) Ad-Aware found some errors but has not been able to repair them consistently.

What's Wrong
1) There are two BHO/.dll files found by HijackThis! that are unidentifiable, undeletable, and resist all attempts at removal. They have randomly generated alphanumeric names and are located in C:\Windows\System32\ .
2) Between two and four copies of iexplore.exe start invisibly at any given time even when the program is not otherwise being used, using up to 50MB of available memory. Killing them results in their restart about a minute later.
3) The svchost.exe line in startup is altered, and I cannot seem to repair it. Instead of just starting svchost.exe, it starts svchost.exe;ext.exe. Attempts to locate ext.exe result in failure.
4) lsass.exe loads the two BHO/.dll files listed in #1. I cannot seem to get them to disappear or unload.
5) msconfig's and Add/Remove Programs functions are hampered: the only account on the computer, despite being listed as an administrator, gives an error requiring administration privileges.

So, that being said, help?
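A defender's triage script for the indicators listed in this post, added here as an example and not part of the original thread. The process snapshot, startup entry and lsass.exe module list are constructed sample data; the thresholds and the random-name heuristic are assumptions, so its output is a list of things to check, not proof of infection.

```python
import re
from collections import Counter

# Constructed sample data, not from the original thread: a process snapshot (name, pid),
# startup entries, and the modules loaded into lsass.exe.
SAMPLE_PROCESSES = [("svchost.exe", 1100 + i) for i in range(22)] + [
    ("lsass.exe", 600), ("explorer.exe", 1500),
    ("iexplore.exe", 2200), ("iexplore.exe", 2310), ("iexplore.exe", 2350),
]
SAMPLE_STARTUP = {"Shell": "explorer.exe", "svchost": "svchost.exe;ext.exe"}
SAMPLE_LSASS_MODULES = [r"C:\WINDOWS\system32\samsrv.dll", r"C:\WINDOWS\system32\lsasrv.dll",
                        r"C:\WINDOWS\system32\qjxkwfzb.dll", r"C:\WINDOWS\system32\a8k2xq7b.dll"]

def looks_random(path):
    """Heuristic (assumption) for machine-generated file names: a short alphanumeric stem
    that mixes letters and digits, or contains a run of five or more consonants."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if not re.fullmatch(r"[a-z0-9]{6,12}", stem):
        return False
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return mixed or re.search(r"[bcdfghjklmnpqrstvwxyz]{5,}", stem) is not None

def triage(processes, startup, lsass_modules, max_svchost=10, max_iexplore=1):
    """Return a list of findings for the indicators described in the thread."""
    findings = []
    counts = Counter(name.lower() for name, _ in processes)
    if counts["svchost.exe"] > max_svchost:
        findings.append(f"{counts['svchost.exe']} svchost.exe instances (expected at most {max_svchost})")
    if counts["iexplore.exe"] > max_iexplore:
        findings.append(f"{counts['iexplore.exe']} iexplore.exe instances running")
    for key, value in startup.items():
        # A legitimate entry launches one executable; ';' or a second .exe appended is suspect.
        if ";" in value or len(re.findall(r"\.exe", value, re.I)) > 1:
            findings.append(f"startup entry {key!r} launches an extra program: {value}")
    for mod in lsass_modules:
        if looks_random(mod):
            findings.append(f"lsass.exe loaded a module with a random-looking name: {mod}")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_STARTUP, SAMPLE_LSASS_MODULES):
        print("[!]", f)
```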

Bouregard
2008-12-03, 03:42 PM
If you've located the problem and have difficulties disabling it, use killbox.exe; just Google it. But remember KILLBOX.exe kills ANYTHING you order it to kill, so make sure it's nothing valuable or part of Windows.
Killbox always worked for me, but be careful. There is no way to get a killed file back.


Another approach:
It's obviously malware. So where did you get it? Used any CD, DVD or USB stick, or visited a not so usual site (porn, not so bright corners of the internet, etc.)? Maybe you should visit them again. If they are trustworthy, maybe they left a note that someone hacked/infiltrated their site, warning you about what they may have infected you with.
Or ask the people you got those CDs/DVDs/USB sticks from.
Emails could also bring some "friends" onto your computer.


If you manage to get the exact name of whatever is running havoc on your computer, chances are good you can get rid of it. But judging by those multiple effects, I think of some programs that download more things. So you need to kill the main problem.

What firewall do you use?

Ashtar
2008-12-03, 04:29 PM
Backup all her data (and only data).
Reformat.
Reinstall fresh copy of OS.
Put firewall software before going on internet to download anything.
Reinstall software from original CD / Developer website.


I'm sorry, but these days, a compromised os just can't ever be trusted again. There are so many places where infection could hide that I would simply not take the risk or effort to disinfect the PC. At least by reinstalling you will have a safe base.

Fax Celestis
2008-12-03, 04:45 PM
I'd wipe her system but for one thing: I can't find my XP install disks.

JeminiZero
2008-12-04, 01:32 AM
I'd wipe her system but for one thing: I can't find my XP install disks.

I don't think you need the original install disks. You primarily need the CD key, and can install with that key using a borrowed disk (possibly your own or a friend's). Windows piracy checks look up the CD key rather than the source disk.

Ponce
2008-12-04, 02:58 PM
1) Try an online scanner. HouseCall. (http://housecall.trendmicro.com/)

2) Try a program specific to removing trojans. Can't recommend one, unfortunately.

3) If you can, try to set up a partition with Linux on the same machine. Then install a virus scanner onto your Linux. Use it to scan and clean the Windows partition.

4) Set up another computer with Linux + scanner as above. Remove the hard drive from the infected machine and connect it as a slave drive on the Linux machine. Scan and clean.

5) Reformat. I don't think it needs to come to this.

RS14
2008-12-04, 04:31 PM
I don't think you need the original install disks. You primarily need the CD key, and can install with that key using a borrowed disk (possibly your own or a friend's). Windows piracy checks look up the CD key rather than the source disk.

I'm not sure, but I don't believe you'll be able to do this if you have an OEM copy of XP, i.e. if you bought the computer with XP preinstalled. You may be able to get replacement system restore disks from the manufacturer (for a fee).