Fax Celestis
2008-12-03, 01:32 PM
Blaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaarg.
Okay, now that that's out of the way: my wife's computer has recently received a trojan. I don't know which one. I'd be able to tell you but for what it's actually doing.
Symptoms
Popups. Like any malware, it seems the primary function of this is to create ads.
Slow system response.
Google Chrome, Spybot S&D, System Restore, Java, and installation attempts on most antivirus software (including MalwareBytes) do not function, even in safe mode. Exception: Spybot's Secure Shredder still functions.
There are about 22 different versions of svchost.exe running when I look at the running processes tab in the Task Manager.
lsass.exe (a system process) intermittently takes up to between 0 and 45% CPU, with varying degrees of frequency. (see What's Wrong, below).
Ad-Aware found some errors but has not been able to repair them consistently.
What's Wrong
1. There are two BHO/.dll files found by HijackThis! that are unidentifiable, undeletable, and resist all attempts at removal. They have randomly generated alphanumeric names and are located in C:\Windows\System32\ .
2. Between two and four copies of iexplore.exe start invisibly at any given time even when the program is not otherwise being used, using up to 50 MB of available memory. Killing them results in their restart about a minute later.
3. The svchost.exe line in startup is altered, and I cannot seem to repair it. Instead of just starting svchost.exe, it starts svchost.exe;ext.exe. Attempts to locate ext.exe result in failure.
4. lsass.exe loads the two BHO/.dll files listed in #1. I cannot seem to get them to disappear or unload.
5. msconfig's and Add/Remove Programs' functions are hampered: the only account on the computer, despite being listed as an administrator, gives an error requiring administration privileges.
So, that being said, help?