
Infected With Persistent Trojan/malware


3 replies to this topic

#1 rhennessy


Posted 04 August 2007 - 12:39 PM

Hello,

A couple days ago the tell-tale signs showed up, seemingly out of nowhere. Popups, music playing even though nothing was open (turned out to be ads for heavy.com), weird error messages and even a few blue screens. I have gotten my machine back to a stable point but there are some lingering problems that I haven't been able to root out.

My environment: WinXP Home Edition v2002 service pack 2

Here is what I have tried in the last couple days:
AdAware scan
Clamwin scan
Installed Kaspersky and scanned (ran every scan they offer)
HiJackThis.exe (researched every entry and removed all bad entries, which just reappeared)
VundoFix.exe
virtumundoBeGone.exe
spybot scan

I ran each of these multiple times, in different orders, both in and out of safe mode. Each scan found problems and I neutralized/fixed/quarantined/etc what I could. I don't remember everything they found but it was a ton of stuff, stuff like keylogger, loader, trojan this and that (sorry for the poor detail).

The problems that still show up, which get caught by Kaspersky after the OS loads:
Trojan-Spy.win32.Montp.h
Heur.Invader
And I can see the file system32/locafox2_0.sls is infected

And I get the following error after the operating system loads after rebooting:
svchost.exe has encountered a problem and needs to close.
Appname:svchost appver:0.0.0.0 modname:unknown modver:0.0.0.0 offset:00000000

I still get popup windows for heavy.com and other sites every once in a while.

I don't know what to do next, any help will be greatly appreciated.



#2 TMacK


Posted 04 August 2007 - 12:55 PM

Hi rhennessy,

At this point the best thing for you to do is post a HijackThis Log in the Hijack and Analysis Forum by following the directions in this link: Preparation Guide for use before posting a HijackThis Log.

Please do not post the log in this forum.

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#3 rhennessy


Posted 04 August 2007 - 12:56 PM

Will do,
Thanks

#4 TMacK


Posted 04 August 2007 - 01:14 PM

Good Luck rhennessy.

Once you get your HJT log posted in the HijackThis Logs and Analysis forum, you shouldn't make any changes to your system.
Doing so could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.



