Interesting Bug/Virus Not Detected

[cak46]

I'm a newbie with a question.  I have a process that when killed, comes back renamed but the exact same size.  Avast and AVG with all the newest updates are not detecting this.  I captured a copy of the .exe file, renamed it, then edited it.  Looks like it uses upx 1.24 to unpack or pack itself.  Wish it would be detected by something.  Also did adaware as well.  This machine had mucho adware, trojan horses, regular viruses.  You name it, she had it.  Now I'm down to just this one buggar.  I've used killbox, no good, the Porgram/process just comes back renamed.  Looks like when you kill the process, it deletes the corrosponding file name on the hd.  BTW, its running from the c:\windows\system32 directory on a Windows XP SP! machine.  (I do not dare get on the net with it until this bug is gone. made that mistake early in the game before)  Can anyone help with this or is Avast interested in the file I have (renamed of course)?
Edit:  Also ran stinger, and perused the registry with hijackthis and used ms's malicious program removal tool at one point......

[Lisandro]

I have a process that when killed, comes back renamed but the exact same size.

Seems that you have to disable System Restore, scan and clean your system, enable System Restore again.

Avast and AVG with all the newest updates are not detecting this.

You'll have problems (conflicts) with two antivirus installed in the same time in the same computer.
Even disabling the residents, I do not recommend.

This machine had mucho adware, trojan horses, regular viruses.

I know it's a generic answer but, can't you scan your system with antispywares and antitrojans applications?
Ad-Aware, Spybot Search and Destroy, A-squared, Ewido or Microsoft AntiSpyware (freewares).
TrojanHunter or TDS-3 (sharewares).

Can anyone help with this or is Avast interested in the file I have (renamed of course)?

Send an email with the file (false positive or infected) to: virus@avast.com

[FreewheelinFrank]

Trend Micro sysclean is worth a try. Run it in safe mode.

You need the engine:

http://uk.trendmicro-europe.com/enterprise/support/tsc.php

and the virus pattern files:

http://uk.trendmicro-europe.com/enterprise/support/pattern.php

You have the option to download the 'Controlled Pattern File Release (CPR)' which has the most up-to-date definitions but which has received less testing.

I would also have a look for rootkits with Blacklight and RootkitRevealer:

http://www.f-secure.com/blacklight/

http://www.sysinternals.com/utilities/rootkitrevealer.html

Also as Tech suggests, scan your system with anti-spyware and anti-Trojan applications, preferably in safe mode and after you have downloaded the latest definitions.

[cak46]

I have a process that when killed, comes back renamed but the exact same size.

Seems that you have to disable System Restore, scan and clean your system, enable System Restore again.

Avast and AVG with all the newest updates are not detecting this.

You'll have problems (conflicts) with two antivirus installed in the same time in the same computer.
Even disabling the residents, I do not recommend.

This machine had mucho adware, trojan horses, regular viruses.

I know it's a generic answer but, can't you scan your system with antispywares and antitrojans applications?
Ad-Aware, Spybot Search and Destroy, A-squared, Ewido or Microsoft AntiSpyware (freewares).
TrojanHunter or TDS-3 (sharewares).

Can anyone help with this or is Avast interested in the file I have (renamed of course)?

Send an email with the file (false positive or infected) to: virus@avast.com

I've doe adaware, AVG (Took the errent process .exe file and scanned it on another machine with full updates and came up clean.  That is what worries me.  Also, Noticed today that its memory usage starts at about 176kb but grows over time.  I finally killed the process at about 4,000kb of memory used.  I haven't used trojan hunter before so I'll give it a try. 

Freewheelinfrank:  I will give trendmicro a try. and will send a copy of the process (program) to avast as well, just in case its a variant. 

I knew the machine had some trouble but still put it online briefly.... that is... until it knocked my firewall router offline 30 seconds after the connection became active.  The machine originally had a multitude of viruses, trojans, adware, malware.... you name, this machine had it .  The only antivirus software I could get installed on it was avast, and even then only in safemode.  This is the only bug left, that I'm aware of, but I hesitate to put it back online until I'm pretty sure its clean.     

Thanks for all of your help and will let you know how it goes. 

Edit:  It is Agent.214, according to TrojanHunter and hunter cannot remove it.  Any ideas on removal software or will this be a blood and guts manual removal?

[cak46]

Sorry about the double post.  I've scanned multiple times and have used trendmicro sysclean, f-bot, rootreveal, Avast, CWS, Hijackthis:Deleting registry entries that weren't supposed to be there, Windows Malicious Software Removing Nothing Scanner,  AdAware, and SpyBot TrojanHunter, all thru safemode.  Had it all cleaned xcept rbot.axo and chanced putting it on line.  Got online ok, but tried to update op sys (XPSP1, and funky page appeared then was virused up again.  A short list would be a number of the trojano variants, look2me, rbot.axo, assorted adware and others I've already cleaned out again.  Are there any other cleaners you could recommend?  I'm facing putting Norton Antivirus 30 day trial on to attempt a clean with that.     Not really paletable, but I'm nearing an impasse.  BTW:  The variant I was having a hard time with creates randomly named hidden files in the system32 directory, each of which is exactly 82KB's in size.....I sent this on to avast, no answer......  Will be trying Ewido and A-squared..........

[polonus]

Hi cak-46,

Looks like a nasty drive-by spyware infection. Try to run spy audit, download at  http://www.webroot.com/services/spyaudit_03.htm or post your suspected files to jotti at http://virusscan.jotti.org/. Then post your findings here, also to help others, put them all in txt file and safe it.

greets,

polonus

[FreewheelinFrank]

New definitions are added daily, so update all your programs.

You can download Trend Micro's Controlled Pattern Release, which contains definitions for very recent viruses- same link as above.

If you do not have a firewall, download a free one while you are updating your definitions. (Zone Alarm/Kerio/Sygate.)

Also download HijackThis! (See below.)

Go offline and scan again.

Install the firewall.

Come back online and scan here:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

http://support.f-secure.com/enu/home/ols.shtml

Disable avast! first or it will throw up some false positives.

Run HijackThis!

http://www.bleepingcomputer.com/forums/tutorial42.html

Post the log here along with the names and file locations of any malware still appearing.

[cak46]

I'm still locked in mortal combat with this thing.  I'm in the process of recleaning since I went pon line to update the op sys with sp2.  That wen ok, but then it all began yet again.  Rbot.axo is back along with a bunch of different sypware.  Does anyone know of any specific program that target rbot.axo?  Trojan hunter finds it, but does nothing to it.  The rest mentioned above do not even recognize it is there.  Freewheelinfrank and polonus:  I do not dare put the system online for fear I will undo what it has taken me 3 days to clean.  It starts and ends with either an undetected virus or the rbot.axo, in my opinion.  If I had a regular dos prompt, I wouldn't be having this conversation.  MS is bad, and its only going to get worse...........  Any offline suggestions?  I do have another machine that I use for downloading.

Thanks so much for all of your help thus far!

[polonus]

Hi cak46,

You are going to do this yourself.
Open Windows Task Manager
On Windows XP press CTR + SHIFT + ESC
then click Processes tab
In the list of running programs locate the process:
 SNSS32.EXE
select this malware process and press the END TASK or End Process button, depending on your version of Windows;
Now check if the process  is terminated by closing Task Manager and opening it again. No malware process running...Now Close Taskmanager.
If you do it on Windows 98 or ME some processes may not show up,
use Process Explorer from: http://www.sysinternals.com/Utilities/ProcessExplorer.html
to find up SNSS32.EXE

Lots of success with clearing out this malware,

greets,

polonus

[FreewheelinFrank]

Can you post a HijackThis! log for us to look at?

http://www.bleepingcomputer.com/forums/tutorial42.html

Did you run your scans in safe mode? (Tap F8 while booting.) This might allow TrojanHunter to remove the Worm.

And you could try this:

Sophos have a downloadable scanner called SAV32CLI. They also make available their latest virus identity (IDE) files for download. Downloaded SAV32CLI and un-zip the folder. Dowload the latest IDE's and copy them to the folder. Burn the folder to a CD, boot into safe mode with command prompt and run the following commands:

D:

CD SAV32CLI

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

Full instructions for SAV32CLI and download link on this page:

http://www.sophos.com/support/disinfection/trojan.html

IDE's available here:

IDEs for SAV version July 2005 (3.95)

http://www.sophos.co.uk/downloads/ide/

[DavidR]

You can download the full SP2 update as a file 266MB (ish) from the microsoft download site rather download it as an update (on your other computer or a friend with broadband), burn the file to a CD and use that to install SP2 of-line on the infected system.

I'm not sure how this would go not having a clean system to start with, but you have little choice I fear.

[cak46]

Thanks so much for all of your responses.  I did download the sp2 file and installed it.  Had a few issues with updating since there was still garbage on the machine.  Right now, I've cleaned all four profiles ..... and gained a few gray hairs along the way  .  At one point, I had to change the permissions of a file named mhaatext.dll to get rid of ICANNEWS.  It allowed me to change the SYSTEM permissions to DENY on all access.  This disallowed execution at boot time.  A real good thing.   All scanners that found it, would not remove it      MS antispyware did the trick for a few of the uglier ones I could not get.  It would be a great thing if a company came out with one program that eliminated spyware, adware, malware and viruses.  During this whole process not one of them found all of the baddies.........  Going to scan each profile one more time with ms antispy to double check the cleanliness of the machine......
10 antispyware, virus, trojan, and bot cleaners later and a bit of wrangling!  Hopefully success!

Thanks again for all of your responses and suggestions.  If I can help here, just let me know!
cak46

[polonus]

Hi cak46 and others,

There is good news, Hitman Pro now also has Microsoft Anti Spyware aboard.

greets,

polonus