
Browser hijacked, EXE disassociations, trojan rootkit


3 replies to this topic

#1 vajmh

vajmh

  • Members
  • 12 posts

Posted 14 December 2010 - 01:00 AM

I've had some viruses in the past on my PC running Windows XP Home and usually managed to deal with them through manual deletion, msconfig and regedit. I would usually Google search or lurk these very forums to find instructions, so I never really needed to bother anyone with my troubles, since most of what happened to me had already happened to someone else. I'm not sure just what this is. AVG identifies it as 3 trojan agents r.XJ working out of svchost.exe, explorer.exe and wuauclt.exe, which AVG identifies to be inaccessible. MBAM didn't find anything except a ton of entries for the WhiteSmoke toolbar. SUPERAntiSpyware found nothing. rkill.exe kills:
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
The trojans cause some minor annoyances: I'm randomly sent to a site that offers a free 1000 dollar Walmart card (yeah right) and my search results are redirected. I'm running Firefox as my browser and I have Browser Hijack Retaliator active. Also, I'll sometimes hear that little Windows tone that lets you know there's an error or a system message, but when I look there's nothing like that onscreen.

What's really frightening is that the stuff is starting to make my computer lose function. It messed with my ability to open any .exe file, so that when trying to do so I was prompted to mess around in folder options to find the associated program (which doesn't work, although it prompted me to open an internet search for the associations, which got me on the internet and allowed me to find a tool to fix the problem). I've had one .dll file error that caused a system crash, and then something went wrong with, I think, rstrui.exe or .dll, which made my system's startup kind of sporadic; sometimes it freezes at the welcome screen now before loading Windows.

I'm really worried that this will lead to permanent systems failure if it keeps messing with my file associations and exe abilities, and the problems with starting up are frightening too. Any help would be greatly appreciated.

Oh, I've also used Spybot Search and Destroy. I think it got rid of one (probably unassociated) trojan that it identified, but I can't get the logs to show this.

processes running:

system
spoolsv.exe
svchost.exe local service
agrsmsvc.exe
avgwdsvc.exe
agentsvc.exe
lssrvc.exe
nasvc.exe
smss.exe
rthdcpl.exe
ctfmon.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
superantispyware.exe
svchost.exe system
svchost.exe network service
svchost.exe system
teatimer.exe
svchost.exe local service.
avgcsrvx.exe
svchost.exe network service
CCSVCHST.EXE system
avghsvx.exe
avgrsx.exe
spyboysd.exe
avgcsrvx.exe
schedulersvc.exe
richvideo.exe
avgemc.exe
taskmgr.exe
firefox.exe
alg.exe.
trillian.exe
explorer.exe

Edited by vajmh, 14 December 2010 - 11:22 PM.




#2 vajmh

vajmh
  • Topic Starter

  • Members
  • 12 posts

Posted 14 December 2010 - 03:19 AM

Additional info: Windows Media Player and Task Manager not functioning at the moment. No idea why a virus would mess with Media Player and can't get Task Manager up to restart it.

#3 vajmh

vajmh
  • Topic Starter

  • Members
  • 12 posts

Posted 15 December 2010 - 03:50 AM

I'm now fairly certain I have a TDSS or other such rootkit due to the Google redirect activity I'm seeing. Downloading a rootkit killer and Hitman Pro to help deal with it.

#4 vajmh

vajmh
  • Topic Starter

  • Members
  • 12 posts

Posted 15 December 2010 - 04:27 AM

TDSSKiller just found rootkit.win32.tdss.tdl4 and I'm moving to cure now.



