Some kind of regenerator worm (?)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

stevem5000

Thread Starter
Joined
Oct 16, 2003
Messages
1
My first time post here...so if this has been covered, my apologies...

XP Home, Sony Vaio, fully patched, NAV 2003 current, current virus scan, broadband connection thru router, NAT'ed...no software firewall...

Yesterday morn, computer starts out loading very slow, about 5 minutes to boot up fully...then, Start > Programs choose any program, it will "hang" for 30-60 seconds before it opens the program...AFTER this, then it runs at normal speed, things happen as they should...

Close program, Start > Programs...same thing all over...

I go into MSCONFIG, there are 4 items should not be there...didn't write them down but one was Bs3.dll...

HKLM/../../RUN shows several items should not be there...Most [email protected] this refers to C:\windows\system32\SzfWSln.exe...it is a hidden file, 420Kb in size, dated 9/01/2003...

I deleted the questionable items in MSCONFIG and ditto in HKLM/../RUN...but with each reboot, this thing (whatever it is) is regenerated and I have the same [email protected] that refers to C:\windows\system32\SzfWSln.exe in the registry...

I have run BOTH AdAware and Spybot, with current data files...I have found CommonName and BookedSpace...

It looked like for a while that the Trojan.download.swizz might be the culprit, but now I don't think so...

After I got rid of the Bs3.dll the machine speeded up considerably, but still not as fast as it should be...

Found 3 items in the Task Manager / Processes stopped them...
But they start up again with a reboot...
they are...
UPnPFramework.exe
SzqT0w1A.exe
YifU.exe

I think they are redirectors...

I'm stumped, and I hope someone can provide me some direction...

thanx
Steve
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
re-enable everything in msconfig & post a hijackthis log

go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


I suspect from your description it is peper.a trojan, the only guaranteed way to remove it is:
Download TDS-3 from http://www.wilders.org/anti_trojans.htm
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
Then run a full system scan.
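
Added example, not part of the thread or of either poster's instructions: a PowerShell script for a current Windows system that checks for the behavior described in the first post, autorun entries that come back after being deleted. Run it with `-SaveBaseline` once the Run keys have been cleaned, reboot, then run it again without the switch; the baseline file path and the function name `Get-AutorunEntry` are assumptions of this example.

```powershell
# Added example: snapshot Run/RunOnce autoruns and report entries that
# appear (or reappear) relative to a saved baseline.
# Assumption: the baseline file name and location below are arbitrary.
param(
    [string]$BaselinePath = "$env:USERPROFILE\autorun-baseline.xml",
    [switch]$SaveBaseline
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            # Extract the executable from the command line (quoted or bare path).
            if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($command -match '^\s*(.+?\.(exe|dll|com|bat|cmd|scr))(\s|,|$)') { $exe = $Matches[1] }
            else { $exe = ($command.Trim() -split '\s+')[0] }
            # A bare file name with no directory will usually not resolve; Exists is then False.
            $file = $null
            if ($exe) { $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue }
            [pscustomobject]@{
                Id        = "$key|$name|$command"
                Exists    = [bool]$file
                Hidden    = [bool]$file -and ([int]($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                SizeKB    = if ($file) { [math]::Round($file.Length / 1KB) }
                LastWrite = if ($file) { $file.LastWriteTime }
            }
        }
    }
}

$current = @(Get-AutorunEntry)
if ($SaveBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | Export-Clixml -Path $BaselinePath
    "Baseline saved with $($current.Count) autorun entries: $BaselinePath"
    return
}
# Anything whose key, value name or command line is not in the baseline is reported.
$knownIds = @(Import-Clixml -Path $BaselinePath | ForEach-Object { $_.Id })
$new = @($current | Where-Object { $knownIds -notcontains $_.Id })
if ($new.Count) { $new | Format-List Id, Exists, Hidden, SizeKB, LastWrite }
else { 'No autorun entries beyond the baseline.' }
```

An entry that reappears after a reboot means something else is still running and rewriting the key, so the listed file details are a starting point for finding that process, not the end of the cleanup.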
 