
Suspected, Though Unknown, Trojan Infection


#1 tjackson80


  • Members
  • 6 posts

Posted 14 June 2008 - 07:26 AM

Greetings all,

I am new here but have run out of places to turn, so it is my hope that you'll be kind enough to offer me some aid in my hour of desperation. Basically here's my scenario.

Recently, I noticed extremely decreased usage speed in my Windows XP Pro install. I have had SP3 installed for a bit, and it was working fine prior to the decreased efficiency, so I don't think it is a factor. I have, since noticing the decrease, done the following.

Run a full scan with Norton 360 (after liveupdating)
Installed Ad-Aware, updated, ran a full scan
Installed SpyBot, updated, ran a full scan

My symptoms aren't incredibly distinct so as to warrant an effective internet search. Shortly after noticing the speed decrease, I noticed the emergence of Firefox popups and unauthorized new tabs. This was new, as I had previously had wonderful luck with Firefox's popup blocking. I checked in the following places for suspicious items:

Registry ... current user and local machine Windows Run and RunOnce folders
Startup folder in menu

The registry hunt returned a couple of suspicious items, but I suspect their namings are so random that they don't offer much in the way of leads. Basically they were rundll commands for a few gibberish files in system32. I removed them and rebooted, and they returned. Here's where it gets annoying.

I also safebooted, went into the system32 folder and removed the gibberish files there. I rebooted, and they too returned. Upon the installation of Spybot, I have been receiving notification (which I have set for automatically deny) that something is trying to recreate another of those rundll commands in the registry. I have a lurking suspicion that my problems are related somehow to activeX, but I haven't found anything substantial to support such a suspicion.

BRIEF EDIT: Upon a post-Spybot-clean reboot, it appears this pesky notification still remains, though the DLL it is trying to set up for run has randomized its name. The consistent naming is given to the entry itself, 'BM6f0e9528'.

There are also two or three extremely quick command windows popping up on reboot. They say something to the effect of failing to find a file. I suspect this is a partial success, in that I probably have removed some suspect DLL files from system32 and the lovely 'whatever it is' can no longer find them. I do, however, continue to have an unusually high number of rundll and svchost processes sitting in my Task Manager now, and this is what concerns me most.

My questions are these: what do you think I have, and what could I do to better facilitate aid in diagnosis and treatment?

-tom jackson

Edited by tjackson80, 14 June 2008 - 07:31 AM.
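Added example (not from either post): a read-only PowerShell check of the same Run/RunOnce locations Tom searched by hand. It parses each value and flags rundll32 entries whose DLL is missing or has a random-looking name, plus value names of the 'BM' + 8 hex digits form seen in the post. The name heuristics are assumptions of mine; the script only reports and deletes nothing.

```powershell
# Added example: enumerate the Run/RunOnce autostart keys and report suspicious
# rundll32 entries. Read-only; nothing is modified.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-RandomName {
    param([string]$Name)
    # Assumed heuristic: a base name of 6+ characters with no vowels, or a
    # letters-digits-letters mix, is treated as "gibberish". Tune to taste.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -ge 6 -and $base -notmatch '[aeiou]') { return $true }
    if ($base -match '^[a-z]+[0-9]+[a-z]+') { return $true }
    return $false
}

$findings = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $cmd   = [string]$item.GetValue($valueName)
        $flags = @()
        # Value name of the form BM + 8 hex digits, as in the post ('BM6f0e9528').
        if ($valueName -match '^BM[0-9a-f]{8}$') { $flags += 'BM-style value name' }
        # Pull the DLL path out of a rundll32 command line: rundll32[.exe] ["]path.dll["],Export
        if ($cmd -match '(?i)rundll32(?:\.exe)?\s+"?([^",]+?\.dll)') {
            $dll = $Matches[1]
            # A bare file name resolves against system32, where the post found them.
            if ($dll -notmatch '[\\/]') { $dll = Join-Path $env:SystemRoot "system32\$dll" }
            if (-not (Test-Path $dll)) { $flags += "DLL missing: $dll" }
            elseif (Test-RandomName (Split-Path $dll -Leaf)) { $flags += "random-looking DLL name: $dll" }
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Name = $valueName; Command = $cmd; Reason = ($flags -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize
```

A "DLL missing" finding matches the brief "file not found" command windows described above: the autorun entry survived while its target was deleted, so whatever rewrites the keys is the thing still to locate.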



#2 usasma


    Still visually handicapped (avatar is memory developed by my Dad

  • BSOD Kernel Dump Expert
  • 25,091 posts
  • Gender:Male
  • Location:Southeastern CT, USA

Posted 14 June 2008 - 07:43 AM

Try a couple of these free, online scanners to see if anything has slipped by your protection:
(Be advised that some of these scanners will pick up things in "quarantine" from other anti-virus programs - so review the results carefully)

http://www.kaspersky.com/virusscanner Scan Only - no removal

<links compiled on 02/14/2008>
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye.

If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
