
Hi All,

I've used search to get some information about this topic, but so far no good.

I'm working on a computer with WinXP Home and I have trojans found in the Sys Vol folder, in the smss.exe and svchost.exe files. SAS is saying that there are 2 found in memory and 4 files, but found nothing in my registry.

I've used MBAM, SAS, Avast, to clean everything but those 2 files. I've tried almost everything possible and these files will not go away, and still getting random IE popups, though Avast is keeping the virus communications over the web well confined.

I've run all software in safe mode and normal. I've tried to manually delete the files with Killbox and Pkill, but they are always in use and always come back. Any suggestions besides reformatting?

BTW, MBAM doesn't detect them anymore, though SAS is still detecting them.

Thanks in advance!


I forgot to mention, the trojan signatures found are Trojan.Dropper/SVChost-Fake and Trojan/Gen-Virut. Location: C:Sys Vol Restore\restore (50B...)\smss.exe and svchost.exe

Sorry I'm not at the computer right now (at work), but I'll be checking this thread periodically.


Howdy vilecomp.

Which one of your utilities noted the "Gen-Virut" ?

A Virut infection (if confirmed) is extremely bad and you would wind up needing to reformat (wipe HDD) and clean install everything.

Have you run a full scan with Avast, and did it note "Virut"?


Hello vilecomp, :):)

As Maurice Naggar has stated, it's a hard one to remove. Before a format, you could give the HJT section a try.

Please read the following so that you can begin the cleaning process:

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you are a corporate customer please send an email to corporate-support@malwarebytes.org. (NOTE: An order number is required for corporate support.)

Also, when replying, please use the "ADD REPLY" button or erase what the person you are replying to said, as this makes the forum easier to read.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Thank you :)


@vilecomp

Before using the Malware sub-forum, please answer the prior questions I posed.

Plus, tell me if the MBAM scan was the Quick option or Full scan?

Has this system been without active antivirus protection recently?

While the issue of old System restore folders can be set aside for the time being, any indication of a true Virut elsewhere on the system is of deep concern.

That is why I recommend a pause to first check with your AV.

As to Virut, see what miekiemoes has noted here http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html


Not my machine, but I can tell you the friend that I'm doing this for doesn't know a lot about computers, I'm doing minor motherboard repairs and virus cleaning.

- It had an out-dated AVG AV, probably not run in a while, wasn't up to date on definitions. I uninstalled it and installed Avast.

- MBAM ran a deep scan 3 times, then finally a couple of quick scans. As noted above it will not find the 2 remaining threats. All AV scans are negative.

- I can connect to the internet and download anything, it's not stopping me from doing much.


Not my machine, but .......

- It had an out-dated AVG AV, probably not run in a while, wasn't up to date on definitions. I uninstalled it and installed Avast.

- I can connect to the internet and download anything, it's not stopping me from doing much.

Your acquaintance was regrettably careless in not keeping the antivirus current and up-to-date. I really believe it is the safest thing, and quicker too, to wipe the system and start fresh.

Don't jump to the malware removal sub-forum. Give the following a quick try. Just do not post any logs here.

Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP

http://bertk.mvps.org/html/diskclean.html

Set Windows to show all files and all folders.

On your Desktop, double-click My Computer. From the menu options, select Tools, then Folder Options, then select the View tab and look at all of the settings listed.

CHECK (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next, un-check Hide protected operating system files.

Temporarily disable Avast, then do an online scan at ESET

ESET Online Scanner

Tell me a digest of the finding by Eset online.
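The Explorer view changes above and the hunt for stray copies of smss.exe/svchost.exe can both be scripted. The block below is an added example, not code from anyone in this thread; it assumes PowerShell 2.0 or later (the last release that ran on XP SP3) from an administrator prompt. The registry values under Explorer\Advanced are the documented backing store for the Folder Options checkboxes. The list of "known" directories is my assumption about where XP legitimately keeps copies of these two binaries (System32, the dllcache used by Windows File Protection, and the service pack originals); anything elsewhere is flagged for a look, not declared malicious. One caveat that matters for this thread: on XP, System Volume Information is ACL'd to SYSTEM only, and Get-ChildItem silently skips folders it cannot open, so grant your account access first (for example `cacls "C:\System Volume Information" /E /G Administrator:F`) or the copies the scanners are complaining about will never appear in the sweep.

```powershell
# Added example (not code from the original thread). Assumes PowerShell 2.0 or later
# run from an administrator prompt on Windows XP SP3.

# 1. Scripted equivalent of the Explorer > Folder Options > View settings above.
#    Explorer has to be restarted (log off/on) before it picks the new values up.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'Hidden'          -Value 1   # Show hidden files and folders
Set-ItemProperty -Path $adv -Name 'HideFileExt'     -Value 0   # un-check Hide extensions for known file types
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1   # un-check Hide protected operating system files

# 2. Sweep the system drive for every smss.exe / svchost.exe, including copies under
#    System Volume Information, and flag any that is not somewhere Windows itself keeps one.
#    Assumption: these three directories are the only legitimate homes on XP.
$known = @(
    (Join-Path $env:SystemRoot 'System32'),                  # the running copies
    (Join-Path $env:SystemRoot 'System32\dllcache'),         # Windows File Protection cache
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386')      # service pack originals
) | ForEach-Object { $_.ToLower() }

function Get-Sha256Hex([string]$Path) {
    # FileShare ReadWrite lets us hash a file that a running process still holds open.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# -Force includes hidden and system entries; folders we cannot open are skipped, not fatal.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include 'smss.exe', 'svchost.exe' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $dir   = $_.DirectoryName.ToLower()
    $where = if ($known -contains $dir) { 'expected' } else { 'UNEXPECTED' }
    try   { $hash = Get-Sha256Hex $_.FullName } catch { $hash = 'unreadable' }
    '{0,-10} {1,8} bytes  {2}  {3}  {4}' -f $where, $_.Length, $hash, $_.Attributes, $_.FullName
  }
```

The hashes are there so the "expected" copies can be compared with each other (the dllcache and System32 copies should match unless a service pack sits between them) and so any UNEXPECTED copy can be looked up without having to move a possibly infected file off the machine.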


Unfortunately he's in his 60's and doesn't know much about computers, so I'm stepping in to try to fix his CP. Everything is scheduled on CP, virtually runs itself, just hit a brick wall with these viruses...

Cleaned with "Disk Cleanup" / Ran Eset Online Scanner.

- (4) found items - Scanner found Win32/TrojanDownloader.Unruy.BP trojan


The pc owner needs to be made aware to never be without current AV and also to have multiple layers of protection (router, firewall, anti-malware & safe surfing habits....etc.)

Did ESET online remove all items?

If and only if there's no indication of Virut, do as Firefox has suggested on getting guided help in Malware Removal forum.

A whole battery of checks will have to be done.

But again, if there's any sign of Virut, you must do a wipe & re-install.

Good luck.


Yes, inherently I'm letting him know where these issues are coming from and what we need to do to keep this from happening again, I know computers but not viruses (especially seemingly un-deletable viruses). And it looks like I'm up against the godfather of viruses...

Thanks for the help guys... Eset did remove the 4 items it found, but the original 2 are still there.

Wipe Out seems to be the best of 2 evils at this point. Thanks Again!


  • 2 months later...
OK, here's how I did it, and I think it worked.

Background: I've had this nasty pair of files for months now, and XP recovery and partition resizing did nothing (I did not do a full format, as I have a netbook with no CD and recovery is in a partition of the hard drive). Virus scans with this and that. Some managed to see the files. None to remove them. I ran live Linux USBs and removed them manually, only to find them again at the next startup. They reside (still) in C:\System Volume Information\Whistler\

Yesterday I tried the BitDefender free online scan. The thing found them, but cannot delete them. They have trial software for their saleable software. So I said, I'll try it. I mean, if the online version saw them in a couple of minutes of scanning, the full version should do the trick. So I installed it and... it did not see the virus. So I rescanned online. And they were still there. Hmmm. OK. I restarted the computer and... again only the online scan saw them. So then I tried seeing them manually. The folder mentioned above was not 'hidden' - it was invisible. So I typed the address in Windows Explorer and it appeared. Clicked on it and entered. And then I thought: wait a minute. I had tried entering from Windows Explorer before and couldn't do it. So I went for the files and happily deleted them.

So, I restarted the computer once more, actually with very faint hope after so many things tried. And there they were again, as could be expected by now. But still 'frozen' and deletable. Then I did this:

- I created a couple of textpad files, left them empty and called them smss.exe and svchost.exe, where I had deleted the real viruses

- Since I did not remember how to change extensions in the explorer I did so manually from the command prompt

- After that, from Windows Explorer, I right-clicked and changed their properties to 'read only'

I suspect that Bitdefender is blocking the process that allows their communication to the online 'service' the virus was providing. And they stood just lying there.

After another restart, the computer:

- Started faster

- Stopped sending me stupid popups asking me if I wanted to 'execute this program as which user' (what program!?) or to activate the 'antiphishing' service. I know some of these things seem to be proper programs, but over the months the system behaved weirdly, to say the least: those popups, obvious unwanted IE pop-ups, a Windows balloon informing of 'updates' (on every use!!) and if not done and shut off, XP would not attempt a download, impossibility to update the antivirus, and a long etc. of crazy behaviors.

- The online version of BitDefender does not see any more viruses.

So I still have them. But they are my own files.

I'll see how that goes.
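The placeholder trick in the post above (empty files with the same names, set read-only, at the paths the dropper keeps recreating) can be scripted together with the check that actually tells you something: whether the placeholders survive a reboot unchanged. This is an added example, not code from the poster; it assumes PowerShell 2.0 or later from an administrator prompt, that the real files have already been deleted, and that the folder path is the one the poster named (adjust `$svi` to match your own). The caveat a practitioner would add: the read-only attribute is advisory. Anything running as SYSTEM, which is what a real smss.exe or svchost.exe runs as, can clear it or delete the file outright. The value of the placeholders is therefore mainly as a tripwire. If the check below reports anything other than "intact" after a reboot, something on the box is still alive, and the wipe the earlier replies recommended is the right answer.

```powershell
# Added example (not code from the original thread). Assumes PowerShell 2.0 or later from an
# administrator prompt, and that the real files have already been deleted from $svi.
$svi    = 'C:\System Volume Information\Whistler'   # folder named in the post; adjust as needed
$names  = 'smss.exe', 'svchost.exe'
$record = Join-Path $env:TEMP 'placeholders.txt'     # what was planted, and when

function New-Placeholder([string]$Path) {
    if (Test-Path -LiteralPath $Path) {
        $existing = Get-Item -LiteralPath $Path -Force
        if ($existing.Length -gt 0) { throw "$Path still holds a $($existing.Length)-byte file; delete it first" }
    } else {
        New-Item -ItemType File -Path $Path | Out-Null   # zero bytes: nothing for the loader to run
    }
    $f = Get-Item -LiteralPath $Path -Force
    $f.Attributes = $f.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    $f.LastWriteTimeUtc.ToString('o')                 # returned so the check can spot a rewrite
}

function Test-Placeholder([string]$Path, [string]$PlantedUtc) {
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : MISSING (deleted or renamed)" }
    $f  = Get-Item -LiteralPath $Path -Force
    $ro = ($f.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0
    if ($f.Length -ne 0) { return "$Path : REPLACED, now $($f.Length) bytes" }
    if ($f.LastWriteTimeUtc.ToString('o') -ne $PlantedUtc) { return "$Path : REWRITTEN (timestamp changed)" }
    if (-not $ro) { return "$Path : read-only flag cleared" }
    "$Path : intact"
}

# Plant once ...
foreach ($n in $names) {
    $p = Join-Path $svi $n
    "$p|$(New-Placeholder $p)" | Out-File -FilePath $record -Append -Encoding ASCII
}
# ... then, after the next reboot, run just this loop to see whether anything touched them.
foreach ($line in Get-Content $record) {
    $path, $when = $line -split '\|', 2
    Test-Placeholder $path $when
}
```

The record file is kept outside the System Volume Information tree on purpose: if the dropper rewrites its own folder, the evidence of what was planted should not be in the same place. A zero-length placeholder also fails any loader that maps it as a PE image, which is why the length check comes before the timestamp and attribute checks.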
