Just cleaned a friends highly infected Win XP Pro machine of spyware using AdAware 6.0 and SpyBot Search and Destroy. Found and removed a lot of the usual suspects and thought everything was fine. Computer runs fine and the "modifications" to the desktop and the browser are gone, as are the porn pop-ups. Checked the startup in MSCONFIG, which was littered with random character name (malware) and was almost able to get it down to normal with a few tricks. NewdotNet took a little longer for a manual removal, but it's no longer checked in the startup menu.
Unfortunately there's one entry I just CANT SEEM to get rid of:
system32\trjwj.exe.. opps...currently: lysnou.exe
It's a random 5-6 letter name and it changes its name and checks itself off in the startup every time I restart the comp. Clearing/cleaning thus far are ineffective. Of course, its an active process so I haven't been able to delete it. Unfortunately when I try to kill the process and then delete it, it actually has the audacity to rename itself and start back up again. Of course, its active again so I can't delete it. Normally, I'd google away but I havent the foggiest clue what I'm dealing with....
More of NewdotNet?
CoolWeb?
or some new chimera looking to prove itself?
To complicate the matter, this is on a friend's computer and of late his internet connection is shot. (I'm posting from home now) Since this lack of connectivity just occured today, it is possible its only an outtage and is unrelated to the problem. Just to confuse the issue further.
Therefore if any of you have experience dealing with a similarly ill behaved beast, please clue me in on how best to tame it and what I'm dealing with.
And finally, while I'm familar with the spyware removal tools, I'm not at all familiar with Hijack This, which seems to the be order of the day.
Thanks so much for your help.
