
Respawning Trojan difficult to remove


1 reply to this topic

#1 Amenrenet

Amenrenet

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 30 December 2011 - 04:59 PM

First I wish to point out two things: One, I am not a tech specialist so I may use the wrong names for stuff and I apologize in advance. Two, I am making this post from a borrowed netbook for reasons that shall be explained further in the post.

My computer having this problem is a 1 year old Gateway laptop, model # NEW90; NEW91, Machine type NV59C series, Intel core i3-370M processor. The operating system is Windows 7 Home Premium edition 64 bit.

How it started: About December 17th, I got this popup for Windows 7 Antivirus 2012 (or something extremely similar in name) saying I was infected and my computer was on the verge of death and all kinds of other melodramatic stuff. I didn't buy into it (it helps having a friend in tech college) and instead used Norton and Malwarebytes to slay it. At the time I thought that was that. Then the next day it was back. I killed it again, from safe mode both times. Then off and on for the next few days I kept getting trojans and malware and stuff and having to purge my system. And then last night is when the whole thing decided to go to hell in a handbasket.
I returned from a brief outing, and woke up my laptop to find it had rebooted while I was out. It then proceeded to have a BlueScreen of Death 7 more times through the night and early morning hours. Whenever I would boot the computer normally, it would have another BlueScreen about 5-10 minutes later. Safe mode was the only way I could really do anything. I used Safe Mode with Networking so I could use YIM to connect with my more tech-proficient friends and get some help. One friend got a friend of hers to try TeamViewer to my computer since he is a coder, and he tried helping me. We tried everything we could think of: Malwarebytes, Norton, Avast, downloading special tools, he tried running ComboFix while in TeamViewer, killing via Task Manager, killing via command prompt, killing via simply renaming the file extension to something not executable. None of it worked. Then this morning I got up and tried contacting Norton customer services, and using Norton Power Eraser. No dice. Eventually my college friend found a method to try, but I had to reboot and open Safe Mode with Command Prompt. Which brings me to where I am now...

The Current Situation: Upon attempting to shut down and reboot, I could not load Windows. I cannot access the boot menu (F8 key) on my computer. It either does nothing or gets these series of beeps like the thing is swearing at me. I can access the F2 BIOS menu, and the F12 boot options, but I cannot get the advanced startup options from the F8 boot menu. I've turned my computer off and on several times. It either gets stuck in this loop where it flashes the Gateway logo, then blank, then logo again, then blank, etc. or it just goes to the Gateway logo and then to either a blank screen or a blank screen with a little white horizontal line flashing in the upper left corner. I can't even access safe mode, let alone boot normally. Which is why I'm making the post on this borrowed netbook.

What I know about the source: Unfortunately, due to not being on my own computer, I cannot provide scan logs, screenshots, or anything of that nature. However, I do know some information that may be useful to anyone more technologically knowledgeable than me. The trojan in question is called svchost.exe, and the primary difference from the legit version that shouldn't be messed with is that it has the wrong filepath. The fake is located in C:/Windows, while the legit version is found in C:/Windows/System32. Another difference is that in the Processes tab of Task Manager, the trojan has "*32" after its name, distinguishing it from the non-malignant processes. Attempting to delete it simply causes another copy to respawn in its place. Attempting to kill the process in Task Manager, or even the whole process tree, causes it to auto-reboot instantly. Trying to do "del svchost.exe" from the command prompt has so far resulted in an 'access denied' message. Doing "ATTRIB -H -R -S svchost.exe" does nothing. Antivirus scans either fail to remove it or mistake it for the legit file and give it the green light.
And what may be the freakiest part is, whenever I come across something that seems like it has a viable chance to remove it (downloading Avast after successfully downloading other tools that failed, or not letting me boot at all when I need to boot in safe mode with command prompt, for example), something seems to happen to screw up the attempted removal, like the thing is actively trying to thwart me.

My college friend is going to try and help me do a force boot from the BIOS menu, but I am not sure how that will work. Nuke and pave is kind of out of the question, since I currently cannot locate the CD to restore Windows. If we manage any progress I will try to edit this post with updates. Any and all assistance is greatly appreciated.
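The two tells described in the post above (an svchost.exe running from C:\Windows instead of C:\Windows\System32, and a "*32" suffix meaning it is a 32-bit process on 64-bit Windows) can be checked without relying on Task Manager by hand. The script below is an added example written for this page, not something posted by the original poster or by BleepingComputer staff. It lists every running svchost.exe, flags any whose image path is not one of the two legitimate locations (System32, or SysWOW64 for the genuine 32-bit copy on 64-bit Windows), reports the Authenticode signature status and parent process of each, and then checks whether a stray svchost.exe file sits directly in the Windows directory. It assumes it is run from an elevated PowerShell prompt on the affected machine; nothing here deletes or kills anything, it only reports.

```powershell
# Added example: triage of svchost.exe instances by path, signature and parent.
# Genuine svchost.exe instances are started by services.exe and live in System32
# (or SysWOW64 for 32-bit instances on 64-bit Windows). Anything else is suspect.
$SystemRoot = $env:SystemRoot   # normally C:\Windows
$trustedPaths = @(
    (Join-Path $SystemRoot 'System32\svchost.exe'),
    (Join-Path $SystemRoot 'SysWOW64\svchost.exe')
)

# Map process id -> name so the parent of each svchost can be named.
$procNames = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procNames[$_.ProcessId] = $_.Name }

$report = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    if (-not $path) {
        # Path can be unavailable when not elevated; still report the PID.
        return [pscustomobject]@{
            PID = $_.ProcessId; Parent = $procNames[$_.ParentProcessId]
            Path = '<unavailable, run elevated>'; TrustedPath = $false
            Signature = 'Unknown'; Signer = $null; CommandLine = $_.CommandLine
        }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        PID         = $_.ProcessId
        Parent      = $procNames[$_.ParentProcessId]   # expected: services.exe
        Path        = $path
        TrustedPath = ($trustedPaths -contains $path)  # -contains is case-insensitive
        Signature   = $sig.Status                      # expected: Valid
        Signer      = $sig.SignerCertificate.Subject   # expected: a Microsoft subject
        CommandLine = $_.CommandLine
    }
}

Write-Host "Suspicious svchost.exe processes (wrong path, bad signature, or odd parent):"
$report | Where-Object {
    -not $_.TrustedPath -or $_.Signature -ne 'Valid' -or $_.Parent -ne 'services.exe'
} | Format-List

# The post reports the fake binary sitting directly in C:\Windows. Check for that file
# on disk as well, since it may exist even when no copy is currently running.
$strayFile = Join-Path $SystemRoot 'svchost.exe'
if (Test-Path -LiteralPath $strayFile) {
    $item = Get-Item -LiteralPath $strayFile -Force   # -Force shows hidden/system files
    $sig  = Get-AuthenticodeSignature -FilePath $strayFile
    Write-Host "Stray file found: $strayFile"
    Write-Host ("  Size: {0} bytes  Attributes: {1}  Signature: {2}" -f `
        $item.Length, $item.Attributes, $sig.Status)
} else {
    Write-Host "No svchost.exe directly under $SystemRoot (expected)."
}
```

The parent-process check is the most useful addition over what Task Manager shows: every legitimate svchost.exe is a child of services.exe, so a copy whose parent is explorer.exe, another svchost.exe, or a process that has already exited stands out even if it has managed to match the expected path. A Valid signature from Microsoft on a file in System32 is what a clean instance looks like; a file in C:\Windows with no signature, or with a NotSigned or HashMismatch status, is the case the post describes.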

#2 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:10:28 AM

Posted 02 January 2012 - 09:19 PM

Hi Amenrenet,

Since you have already run Combofix, please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly, please be patient until you get a reply to your topic.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.
