Re: how to locate hidden trojan horse that repeatedly installs spyware

From: Lawrence Abrams (grinler-AT=bleepingcomputer.com)
Date: 09/27/04


Date: Mon, 27 Sep 2004 12:45:40 -0400

You may also have something still running that keeps infecting you.
Create a directory on your hard drive to save HijackThis.exe. A directory
like c:\hijackthis. If you do not do this, you will not be able to use the
backup/restore features.

Download HijackThis from:

http://www.bleepingcomputer.com/files/hijackthis.php

Save this file into the directory you made previously and then run the
program named hijackthis.exe. When the program opens click on the Config
button, then click on the Misc Tools button, and click on the Check for
update online button. When it completes checking/applying updates press the
back button.

Now click on the Scan button and when it is finished click on the Save Log
button. A Notepad window will open with the contents of this log. Click on
Edit then click on Select all. Then click on Edit and then click on Copy.

Register an account at http://www.bleepingcomputer.com and post this created
log into the Hijackthis Logs forum at that site. To do this, once you are
registered, create a new post, right-click in the message area and select paste
to paste the log into the post.

An expert will reply to you after reading this post. DO NOT fix any entries
unless you are absolutely sure you know what you are doing as you may cause
more damage to the system.

To see a tutorial on using HijackThis you can click on the link below.
http://www.bleepingcomputer.com/forums/tutorial42.html

-- 
Lawrence Abrams
http://www.bleepingcomputer.com
Source for Original Content, Tutorials, and Support for the beginning
computer user.

"Ross K." <battlingtheTrojans@discussions.microsoft.com> wrote in message 
news:406b01c4a44e$630542b0$a601280a@phx.gbl...
> Hello all,
> Unfortunately my PC has been infected with what I am
> guessing is a hidden trojan horse. Symantec Anti-virus
> can't find it. Whatever it is, it repeatedly installs
> several files on my PC with XP Home 5.1 Build
> 2600.xpsp2.030422-1633: Service Pack 1. Some of the files
> are .exe (nthpwwrr.exe, wupdt.exe, wupdsnff.exe,
> systb.exe, and maybe others), and some are registry mod.
> attempts. Thank goodness for Adwatch by Lavasoft, which
> pops up each time and shows repeated attempts to mod. my
> registry. I successfully blocked those attempts with
> Adwatch, then use Ad-aware to clean my files, then I
> restart. Thereafter, at a random time, the same .exe
> files are installed again and registry mod. attempts
> again. One more thing: When I look at the running
> processes, I find that nthpwwrr.exe is running. If I kill
> that process, then delete nthpwwrr.exe, then run Ad-aware
> to clean the PC's files, no more installation attempts
> are made for many hours, maybe up to a day. SO.... Is
> there some audit trail that I can view that would show me
> what is installing these files? Any other solution? THANK
> YOU IN ADVANCE FOR ANY HELP!
> Kind regards,
> Ross K.