Author Topic: Automatic scan after boot inconsistent with manual scans...  (Read 6098 times)


johnemig

  • Guest
Automatic scan after boot inconsistent with manual scans...
« on: January 15, 2010, 08:26:21 AM »
I've got a virus notification about D:\windows\system\svchost.exe and something in operating memory that only shows up about ten minutes after I boot. 

When I run the Avast simple user interface, to manually check for the virus, it doesn't throw a warning during the memory check or when I scan D:\windows\system\ with a "thorough scan".

Here are more details...

Windows XP Home Version Service Pack 3
Avast 4.8 Home version - VPS version 1-14-10 10014-1
Pentium 4, 2ghz - 768 MB RAM
cable modem with Windows firewall
Windows live mail for hotmail account
Firefox for Gmail account

Latest Windows updates:
Security Update for Windows XP (KB972270)
Windows Malicious Software Removal Tool - January 2010 (KB890830)
Update for Windows XP (KB955759)

Note:  the date on the D:\windows\system\svchost.exe file is the same date as when I ran the last Windows update.

Latest software updates:
Google Earth
Flash for Opera and Firefox
Quicktime

Here's what happened...

After doing all the updates and working afterward with the computer for several hours, the computer seemed slow so I decided to reboot.  (It has not been running sluggishly since then.)

About ten minutes after logging on to Windows after the reboot, there was an Avast pop up window:
Suspicious file found using heuristic method
May be sign of malware
Submit to lab for analysis
File: D:\WINDOWS\system\svchost.exe
Type:  Rootkit: hidden process
Recommended action: Ignore

I clicked on ignore and submitted the file to ALWIL for analysis.

Immediately another pop up window came up:
Avast has found a virus in the operating memory
Strongly recommend restart with data scan

I did just that.

(One infected file was found and deleted from Google Chrome's cache on an inactive drive with an alternate OS on it.  In my opinion, this is coincidence and not relevant to the current situation.  I haven't used that OS nor Google Chrome for months.  Here's the entry from aswBoot.txt:  File E:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00004b is infected by Win32:Ups [Cryp], Repair: Error 42060 {The file was not repaired.}, Move to chest: Error 0xC0000034 {Object Name not found.}, Deleted.)

Hours later, when every last file on my computer had been scanned, I rebooted only to have the same thing happen again. 

About ten minutes after logging on to windows, there was an Avast pop up window:
Suspicious file found using heuristic method
May be sign of malware
Submit to lab for analysis
File: D:\WINDOWS\system\svchost.exe
Type:  Rootkit: hidden process
Recommended action: Ignore

I clicked on ignore and submitted the file to ALWIL for analysis again.

Then immediately another pop up window came up like before:
Avast has found a virus in the operating memory
Strongly recommend restart with data scan

So now I've rebooted again, escaping out of doing another hours-long scan of all the files, and the same thing still happens about ten minutes after logging on to Windows.

Right now, when I start the simple user interface, there is an initial memory scan that returns no warning.  Also, when I scan D:\WINDOWS\system\ using the most rigorous "thorough scan" setting, no warning is generated.

What should I do next?

Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #1 on: January 15, 2010, 11:19:52 AM »
Follow this guide from Essexboy and post the logs here

http://forum.avast.com/index.php?topic=53253.0

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #2 on: January 15, 2010, 01:00:27 PM »
Thank you for your reply, Pondus.

I will do what you suggest and follow the guide from Essexboy.

Meanwhile, here are results from Jotti's malware scan of svchost.exe.  7 out of 20 scanners reported malware.
http://virusscan.jotti.org/en/scanresult/96838e3c980c423d3eec607c81f4ce05e4130c27

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #3 on: January 15, 2010, 02:24:32 PM »
Here is the log from MBAM.

Malwarebytes' Anti-Malware 1.44
Database version: 3568
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/15/2010 5:09:00 AM
mbam-log-2010-01-15 (05-09-00).txt

Scan type: Quick Scan
Objects scanned: 119430
Time elapsed: 18 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
D:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7149e79c-dc19-4c5e-a53c-a54ddf75eee9} (Adware.MediaMotor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenU) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wupd32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Backdoor.Bot) -> Data: d:\windows\system\svchost.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
D:\Documents and Settings\John\Local Settings\Temp\0.9504061849877466.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
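The MBAM log above shows the two things a defender would want to re-check on any XP box after cleanup: a per-user autostart (the Run value and the legacy "Load" value) pointing at an svchost.exe outside %SystemRoot%\system32, and the Security Center *DisableNotify values flipped to 1. The following PowerShell audit is an added example, not something posted in this thread or shipped with MBAM; it assumes it is run in an elevated PowerShell session on the affected machine.

```powershell
# Added example: audit the persistence points and Security Center values
# that the MBAM log in this thread shows Backdoor.Bot abusing.
$SystemDir = Join-Path $env:SystemRoot 'system32'

# Autostart locations from the log: per-user Run key, machine Run key, and
# the legacy "Load" value under Windows NT\CurrentVersion\Windows.
$AutoStartKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-SuspiciousAutostart {
    foreach ($key in $AutoStartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $value = [string]$prop.Value
            if ($value -eq '') { continue }
            # The genuine svchost.exe only ever runs from %SystemRoot%\system32;
            # the sample here lived in D:\WINDOWS\system instead.
            if ($value -match 'svchost\.exe' -and $value -notmatch [regex]::Escape($SystemDir)) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $value
                                   Reason = 'svchost.exe outside system32' }
            }
            # "Load" is normally empty on a clean system; anything in it starts at logon.
            if ($key -like '*CurrentVersion\Windows' -and $prop.Name -eq 'Load') {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $value
                                   Reason = 'non-empty Load value' }
            }
        }
    }
}

function Get-SecurityCenterTampering {
    # Both *DisableNotify values set to 1 silence the "antivirus/firewall is off"
    # warnings, which is exactly what the log reported as Disabled.SecurityCenter.
    $sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (-not (Test-Path $sc)) { return }
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
        $v = (Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -eq 1) {
            [pscustomobject]@{ Key = $sc; Name = $name; Value = $v; Reason = 'notifications disabled' }
        }
    }
}

Get-SuspiciousAutostart
Get-SecurityCenterTampering
```

An empty result from both functions is the expected state after a successful MBAM cleanup; any row returned is a reason to rescan before declaring the machine clean.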

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #4 on: January 15, 2010, 02:30:15 PM »
By the way, after running MBAM and rebooting, I didn't get the Avast notices like I was getting before. 

Beautiful.

Will continue on now with OTL...

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #5 on: January 15, 2010, 03:31:05 PM »
And here are the OTL logs as attachments...

Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #6 on: January 15, 2010, 03:37:54 PM »
I will send Essexboy a PM so he will see your logs

Do you have any problems or are they gone after the MBAM scan?

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #7 on: January 15, 2010, 04:39:58 PM »
I will try another reboot now to be sure, but after the MBAM reboot, there was no longer any alert from Avast.  The situation seems to be resolved.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #8 on: January 15, 2010, 08:14:58 PM »
Looks as though MBAM has cleared the great majority

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No CLSID value found.

:Commands
[purity]
[emptytemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #9 on: January 15, 2010, 08:52:38 PM »
I did what you suggested.  Here is the resulting log.

By the way, OTL generates a warning from Windows as an Unknown Publisher. 

I'm still not getting any further warnings from Avast.  The computer seems to be running smoothly.

All processes killed
========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}\ not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
 
User: All Users
 
User: Default User
 
User: Entertainment
 
User: John
->Temp folder emptied: 172934 bytes
->Java cache emptied: 5695131 bytes
->FireFox cache emptied: 128895220 bytes
->Google Chrome cache emptied: 8813509 bytes
->Opera cache emptied: 16060244 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 32768 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 13923164 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 193166513 bytes
 
Total Files Cleaned = 350.00 mb
 
 
OTL by OldTimer - Version 3.1.24.1 log created on 01152010_113842

Files\Folders moved on Reboot...
File move failed. D:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.
D:\WINDOWS\temp\Perflib_Perfdata_4e4.dat moved successfully.

Registry entries deleted on Reboot...

johnemig

  • Guest
Re: Automatic scan after boot inconsistent with manual scans...
« Reply #10 on: January 17, 2010, 08:52:16 AM »
I'm not experiencing any more symptoms here.  I'm assuming you're satisfied my machine is clean again.  If so, thank you very much for your assistance.