0

Just cleaned a friends highly infected Win XP Pro machine of spyware using AdAware 6.0 and SpyBot Search and Destroy. Found and removed a lot of the usual suspects and thought everything was fine. Computer runs fine and the "modifications" to the desktop and the browser are gone, as are the porn pop-ups. Checked the startup in MSCONFIG, which was littered with random character name (malware) and was almost able to get it down to normal with a few tricks. NewdotNet took a little longer for a manual removal, but it's no longer checked in the startup menu.

Unfortunately there's one entry I just CANT SEEM to get rid of:
system32\trjwj.exe.. opps...currently: lysnou.exe

It's a random 5-6 letter name and it changes its name and checks itself off in the startup every time I restart the comp. Clearing/cleaning thus far are ineffective. Of course, its an active process so I haven't been able to delete it. Unfortunately when I try to kill the process and then delete it, it actually has the audacity to rename itself and start back up again. Of course, its active again so I can't delete it. Normally, I'd google away but I havent the foggiest clue what I'm dealing with....
More of NewdotNet?
CoolWeb?
or some new chimera looking to prove itself?

To complicate the matter, this is on a friend's computer and of late his internet connection is shot. (I'm posting from home now) Since this lack of connectivity just occured today, it is possible its only an outtage and is unrelated to the problem. Just to confuse the issue further.

Therefore if any of you have experience dealing with a similarly ill behaved beast, please clue me in on how best to tame it and what I'm dealing with.

And finally, while I'm familar with the spyware removal tools, I'm not at all familiar with Hijack This, which seems to the be order of the day.

Thanks so much for your help.

2
Contributors
1
Reply
2
Views
12 Years
Discussion Span
Last Post by DMR
0

The "morphing filename" trick is one of the methods that many of the newer infectious variants use to avoid removal. The morphing or respawning of such .exe files is controlled by a hidden .dll file (or files), but the names and locations of those "Mother dlls" also vary. Unfortunately, Ad Aware and SpyBot are falling more than a bit behind in their ability to deal with these newer threats.

Given what you've said and tried already, I think it's time for us to see aHijackThis log to get a better idea of what's really going on. Please do the following:

Download the HijackThis utility:

http://www.stevewolfonline.com/Downloads/DMR/Spyware%20Tools/HJT/HijackThis.exe

Once downloaded, follow these instructions to install and run the program:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HiajckThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.