Can't shake this virus!

[phishphreek]

I can't shake this virus. I'm not sure even which one it is.

I get some reports that it is trojan agent.ba from trendmicro online scan, and just downloader trojan from NAV.

I have disabled system restore, rebooted to safe mode w/networking so I can download all updates.

I've updated all definitions for NAV, The Cleaner, Adaware, Spybot, CWShreader and Trend Micro. All the applications come up clean in safe mode. When I reboot to regular mode it finds the virus right away and can't remove it. It keeps changing the filename and I can't track this sucker down.

I'd run a hijack this, but I'm in the middle of another scan...

Any suggestions?

It is on a client's PC and I'm supposed to give it back tomorrow... hopefully I can shake it tonight. I don't want to do a full reload... after all the time I've spent on it so far...

Oh, I can't get symantec to get fully updated either. Symantec redirector fails and I can't update the rest of NIS 2k3 without that update...

[moxnix]

Phish,
Try Swatit, http://swatit.org/. It is one of the best trojan removers I know of. It does take a long time, but it goes really in depth through your system.

And its free.

[phishphreek]

moxnix:

Thanks for the suggestion. I'm going to run it now.

Hopefully that'll take care of it... this is driving me crazy.

I've never had this much trouble getting rid of malware on PCs...

[Tedob1]

someone else seemed to have this problem and following the advice given at the site given below was successful in removing it. response 23 seems to do the trick.

http://www.computing.net/security/ww...rum/12291.html

[phishphreek]

The manual removal that tedob1 referenced cleared it up.

I'm still running swatit just in case...

I've been bugging with that thing for hours now...

Thanks you two!

[Soda_Popinsky]

Just to make sure you didnt miss any good ideas:
http://www.antionline.com/showthread...702#post768817

Get us that HJT log when you can... I know groovicus is an ace when it comes to checking those.

If this is smart malware, try more obscure tools to gather startup information like the ones here:

http://www.sysinternals.com/ntw2k/fr...autoruns.shtml
http://www.spywareinfo.com/~merijn/f...tartupList.exe

Also, take the box off the web and leave it on a network, try port scanning it and netcat-ing to any suspicious ports to help fingerprint the virus. Sniff the trafic for any mass-mail attempts, and try some file monitoring as well.
http://www.sysinternals.com/ntw2k/source/filemon.shtml

[phishphreek]

Soda:

I did try using a couple of different tools.

Filemon and Regmon along with some other normal tools.

netstat -an, tcpview, fport, norton firewall logs, etc.

It was hard to trace it down, but I finally got it removed.

Thanks again!

[MadBeaver]

If your Nav still isn't up updating try deleting the Update log files. I had to do this on a 2000 server to get to complete updating once.

What finaly got it?

[phishphreek]

MadBeaver:

I uninstalled, rebooted, deleted any folders it left behind and reinstalled.

I think the virus was preventing it from updating? Not sure why it wasn't updating...

It was Norton Internet Security that couldn't update because the Redirector was failing.

Norton Antivirus was updating just fine.

Dunno what the problem was... but its fixed by reinstall of NIS2k3

[groovicus]

Something that may help in the future. Next time you get one of these mutating files that you can't identify, go to one of these two sites:

Virus Total,
or
Virus Scan

And they will allow you to upload the file to be scanned by several different scanning engines. Then it is usually just a matter of surfing to the appropriate site and finding the tool that targets that specific infection.


http://www.pandasoftware.com/download/utilities/
http://www.ravantivirus.com/pages/download.php
http://securityresponse.symantec.com...ools.list.html

Other AV sites have free tools available also, you just need to dig for them.