
Some kind of regenerator worm (?)

Discussion in 'Virus & Other Malware Removal' started by stevem5000, Oct 16, 2003.

Thread Status:
Not open for further replies.
  1. stevem5000

    stevem5000 Thread Starter

    Joined:
    Oct 16, 2003
    Messages:
    1
    My first time post here...so if this has been covered, my apologies...

    XP Home, Sony Vaio, fully patched, NAV 2003 current, current virus scan, broadband connection thru router, NAT'ed...no software firewall...

    Yesterday morn, computer starts out loading very slow, about 5 minutes to boot up fully...then, Start > Programs choose any program, it will "hang" for 30-60 seconds before it opens the program...AFTER this, then it runs at normal speed, things happen as they should...

    Close program, Start > Programs...same thing all over...

    I go into MSCONFIG, there are 4 items that should not be there...didn't write them down but one was Bs3.dll...

    HKLM/../../RUN shows several items that should not be there...Most [email protected] this refers to C:\windows\system32\SzfWSln.exe...it is a hidden file, 420Kb in size, dated 9/01/2003...

    I deleted the questionable items in MSCONFIG and ditto in HKLM/../RUN...but with each reboot, this thing (whatever it is) is regenerated and I have the same [email protected] that refers to C:\windows\system32\SzfWSln.exe in the registry...

    I have run BOTH AdAware and Spybot, with current data files...I have found CommonName and BookedSpace...

    It looked like for a while that the Trojan.download.swizz might be the culprit, but now I don't think so...

    After I got rid of the Bs3.dll the machine speeded up considerably, but still not as fast as it should be...

    Found 3 items in the Task Manager / Processes, stopped them...
    But they start up again with a reboot...
    they are...
    UPnPFramework.exe
    SzqT0w1A.exe
    YifU.exe

    I think they are redirectors...

    I'm stumped, and I hope someone can provide me some direction...

    thanx
    Steve
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    Re-enable everything in msconfig & post a HijackThis log.

    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.


    I suspect from your description it is the peper.a trojan. The only guaranteed way to remove it is:
    Download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then run a full system scan.
     
Short URL to this thread: https://techguy.org/172390
