RobertMfromLI

  1. Thanks verybusy... And to all, yes, Whistler was one of the pieces of malware that was on the system (though nothing detects remnants of it now).
  2. Here is a thread with someone else who has the same problem, if that helps: http://forums.malwarebytes.org/index.php?showtopic=50663
     While his solution won't work for me (Dell, with no restore partition), perhaps it will be helpful to one of the Experts here who has reviewed his situation.
     Also, AVG Anti-Rootkit shows clean. Currently running avz4.zip from: http://devbuilds.kaspersky-labs.com/devbuilds/AVZ/avz4.zip as suggested by Maniac to another user (for a different problem). It has (so far) detected that C:\Dell\h8112\install.exe is a trojan - still doing thorough scan and have a few more hours until completion.
  3. Sorry I forgot to highlight these (though I am sure you all would have noticed) - these are the running culprits (though what's firing them up and recreating the first two is where I am stuck):
     C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe (infected)
     C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe (infected)
     C:\Program Files\Internet Explorer\IEXPLORE.EXE (not infected, but shouldn't be running)
     C:\Program Files\Internet Explorer\IEXPLORE.EXE (not infected, but shouldn't be running)
  4. Hello all,

     I've finally run into a trojan that I cannot seem to remove (it keeps recreating itself). Sorry for the length of this, but I figure maybe it will help save people from suggesting that which I have already done.

     The symptoms/actions caused by the trojan (that I have noticed):
     • Spawns IE windows (often in background, with no entry on task bar)
     • IE windows usually seem to be directed to an ad site of some sort
     • an infected copy of SVCHOST.EXE keeps getting created in the System Volume Information folder
     • an infected copy of SMSS.EXE keeps getting created in System Volume Information folder (both of these in a sub folder with a name that looks like a registry key)
     • System eventually bogs down

     The steps I have taken so far:
     • Run Combofix
     • Run Malwarebytes
     • Run Spyware Terminator (with ClamAV enabled). Enabled full comprehensive scan for ST run.
     • Run SuperAntiSpyware (also enabled full comprehensive scan)
     • Run AVG Full (also enabled full comprehensive scan)
     • Run Microsoft Security Essentials (hey, I was running out of options)
     • Run CCleaner
     • There are others I have run that escape me at the moment (NOD32 perhaps?)
     • Manually removed certain entries from the registry (for instance, the one associated with this and similar):
       R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.redlineroofing.com/web.php?q=43...3f2d.1.55202359

     Interesting things to note that might be helpful:
     • All of the above removed "a bunch" of malware (but not this one)
     • AVG, even though now recognizing this one, cannot seem to combat it because even if its forced removal on reboot is working, something recreates the files before bootup is complete anyway (confirmed by new file date/time).
     • Up until about 12-14 days ago, all reported the system clean - including the two infected files in the System Vol Info folder (even scanned the folder directly, after unlocking it) - now AVG reports them infected with "Crypt.VUB" trojan.
     • It was kinda neat watching every AV/AS/AM app I tried report the machine clean, while IE windows were popping up - at least now AVG recognizes the files as malware.
     • I have booted off BartPE and UBCD (dependent on mood) to manually delete the files and their directory - the files and directory get recreated on boot
     • I have searched the registry for both files and removed any non-legit references
     • I have disabled System Restore - which while deleting all restore points, does not (obviously) prevent the recreation of these files
     • With or without the System Vol Info folder being marked read only, these files still get recreated
     • Though the iexplore.exe processes can be force killed from Task Mangler, they (as expected) respawn
     • Killing the infected svchost/smss processes triggers the (probably expected) Windows restart due to a critical service being stopped

     Sadly, reformatting isn't quite an option on this system (per the customer) - though I am getting to the point where I may try to force him to reconsider.

     That aside, the most interesting problem that I see in all of this is the following: AVG is only finding those two files infected. Which is obviously not the case, since when I delete them, something recreates them and starts controlling IE sessions.

     Anyway, attached are the HJT logs. Any help or suggestions you all have would be greatly appreciated. This is the first piece of malware I've run into in a while that a combination of ComboFix, MalwareBytes and AVG (and a little registry work) haven't been able to handle.

     Thanks in advance!
     Robert

     Hijack This Log:

     Logfile of Trend Micro HijackThis v2.0.4
     Scan saved at 6:49:09 PM, on 5/15/2010
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
     C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
     C:\Program Files\Intel\AMT\atchksrv.exe
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\Program Files\AVG\AVG9\avgfws9.exe
     C:\Program Files\Intel\AMT\LMS.exe
     C:\Program Files\Spyware Terminator\sp_rsser.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\Program Files\Intel\AMT\UNS.exe
     C:\Program Files\AVG\AVG9\avgemc.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\Program Files\AVG\AVG9\avgui.exe
     C:\Program Files\AVG\AVG9\avgscanx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\Program Files\Internet Explorer\IEXPLORE.EXE
     C:\Documents and Settings\Alan\My Documents\Downloads\HiJackThis.exe
     C:\Program Files\Internet Explorer\IEXPLORE.EXE

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.redlineroofing.com/web.php?q=43...3f2d.1.55202359
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
     R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
     O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
     O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
     O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
     O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
     O4 - HKLM\..\Run: [spywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
     O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
     O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O8 - Extra context menu item: Crawler Search - tbr:iemenu
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1273266911296
     O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} (DellSystem.Scanner) - http://xserv.dell.com/DellDriverScanner/DellSystem.CAB
     O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
     O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
     O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
     O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
     O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
     O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
     O23 - Service: Intel® Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
     O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
     O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
     O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
     O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
     O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
     O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
     O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe

     --
     End of file - 6896 bytes
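The HijackThis log in the post above contains the two indicators the poster struggled to surface by hand: core Windows binaries (svchost.exe, smss.exe) running from System Volume Information rather than %SystemRoot%, and an R1 entry forcing IE through a loopback proxy on 127.0.0.1:5555. The following triage script is an added example, not part of the original thread or the HijackThis tool; it parses a constructed excerpt of the posted log and applies those two heuristics plus a ShellNext check, with the list of core binaries and the loopback rule being my own assumptions rather than HJT logic.

```python
import re

# Constructed excerpt of the HijackThis log quoted in the post above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\System Volume Information\_restore{d5fffa500b1b}\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\System Volume Information\_restore{d5fffa500b1b}\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.redlineroofing.com/web.php?q=43...3f2d.1.55202359
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
"""
# Assumed list of core Windows binaries that legitimately run only from %SystemRoot% (System32 included).
CORE_BINARIES = {"smss.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM_ROOT = "c:\\windows\\"
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")

def check_process(path):
    """Reason string if a core binary runs outside the Windows directory, else None."""
    low = path.lower()
    if low.rsplit("\\", 1)[-1] in CORE_BINARIES and not low.startswith(SYSTEM_ROOT):
        return "core system binary running outside %SystemRoot%"
    return None

def check_registry_entry(line):
    """Reason string for an R-entry that sets a loopback proxy or a ShellNext URL, else None."""
    m = R_ENTRY.match(line)
    if not m:
        return None
    value, data = m.group("value"), m.group("data")
    if value == "ProxyServer" and re.search(r"127\.0\.0\.1|localhost", data):
        return "browser traffic proxied through loopback (" + data + ")"
    if value == "ShellNext" and data.lower().startswith("http"):
        return "Internet Connection Wizard ShellNext set to a URL"
    return None

def triage(log_text):
    """Walk an HJT log and return (reason, line) pairs for the indicators above."""
    findings, in_processes = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_processes = True
            continue
        # The first non-path line ends the process list; everything after is an HJT entry.
        in_processes = in_processes and bool(re.match(r"^[A-Za-z]:\\", line))
        reason = check_process(line) if in_processes else check_registry_entry(line)
        if reason:
            findings.append((reason, line))
    return findings
```

Running `triage(SAMPLE_LOG)` yields four findings: the two System Volume Information binaries, the ShellNext redirect, and the loopback proxy, while the legitimate System32 copies and IEXPLORE.EXE are left alone.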