This first post of mine will be a little long, but I wanted to let the experts know what I was up against.
I've got a smart one, and it's driving me crazy trying to get rid of it. I need help very badly. Dell Inspiron 1100 laptop running Windows XP/SP3; Internet browser IE8; recently downloaded Firefox (to try and work around malware-caused browser crashes, see below); wireless Internet connection, disabled (for now). Until recently, running McAfee 2009 as the AV using both McAfee's and Windows' firewalls.
The symptoms I've noticed, organized roughly from most to least annoying:
- The malware will not let me connect to any AV websites (immediately crashes browser upon connection).
- It will not let me download AV from other websites (such as mirror sites or Download.com).
- It has completely disabled my AV (McAfee); will not let McAfee scan, report on malware activity or connect to website.
- It seems to know what AV will kill it, and will not let me load such on my machine through setup, even with renamed filenames (tried HJT, MBAM, Avira, Avast, AVG). Of course, being unable to load HJT, I cannot provide a log file.
- Along with the above, it seems to know what is useless against it and lets me run those all I want (so far tried ClamWin, McAfee Stinger, Spybot S&D (did find some minor spy/adware which it killed), Sysclean and Microsoft's Malware Removal Tool). All were run in both Safe and normal modes.
- It sometimes will begin using 100% of the CPU (as reported by Task Manager). This is not a regular thing, however. Sometimes, the computer rolls merrily along at normal usage.
- A string of icons appears in the system tray as though McAfee is trying to scan or connect, but the icons go away the instant I move my cursor over them.
- It can apparently infect and travel over USB sticks, because it tried to infect another computer from one of them (see below).
- Sometimes it looks as though McAfee is trying to run an onboard scan but it runs extremely slowly. Even with me constantly booting and shutting down the machine, it's taken over a week to scan 30,000 files (there are over 900,000 on the machine).
- My printer/scanner (a Lexmark 3600) will not scan from the console or from PhotoShop; I can only get it to scan through Windows' Printer/Scanner Wizard.
- I can't double-click on either USB stick or my c:/ drive to open them; I have to right-click>Open to open them.
- Autorun will not shut off, even though I have gone in and set the parameters ("Take no action") several times. Noticed a little while ago that two Autoruns appeared in the dialogue box when I plugged in my flash.
- Thinking at first I had Conficker (even though I took steps to prevent Conficker infection) I ran a Conficker Removal Tool, which found nothing.
- I've run Microsoft's latest security patches. I realize it was closing the barn door after the horse had escaped, but still...
- I've tried to research this thing; I have a tentative identification of it (obtained only because it tried to infect a protected computer): Trojan.Agent.akza, but I can't find much useful information on it.
- In the course of providing info for this post, I had no choice but to plug my USB in and found out the first bug tried to infect this computer along with another: Trojan.Agent.zzba.
- I've thrown whatever (free) AV will run on my machine at it; in fact, I've come to realize that if it runs at all, the bug "knows" the AV is useless against it.
- Some of the AV I've used has supposedly identified infections, but then wanted me to buy an upgrade; TrojanHunter 5.0 found two suspicious registry errors, but would not fix them without payment. I removed TH 5.0 and another that supposedly found over 600 infections before I realized it was just a scam and stopped it (name escapes me at the moment, but I don't believe it was more malware).
- I've disabled the radio so the machine can't connect to the Internet (and maybe whistle up more bugs). I don't dare reconnect until this thing is dead.
- I've opened the registry (it will let me open RegEdit) and looked at it, comparing what little I knew of it with info I've gleaned from the Internet. I did delete the two suspicious entries that TH 5.0 found, but only after backing them, and the entire registry, up. So far, there has been no lack of performance.
- I've looked in Task Manager for suspicious processes (particularly any extra smss processes) but found nothing.
- I've rendered all files visible and glanced through some folders I thought might harbor the thing. Nothing found.
- I found a program called HJTFree that the bug seems to let me load and run; I've used it to make some log files, but I don't think they approach HJT's thoroughness. I can post these if anyone asks.
- After reading on another forum that the bug might be using the Hosts file to block the AV sites, I downloaded a copy of HostsXpert to reset my Hosts file. No apparent change in the bug's behavior.
- Before I disabled the Internet connection, I tried to run a few online virus scans. They went very slowly and I always stopped the scan and killed the connection before they finished for fear this bug would summon more of its friends or export my personal info.
Thanks in advance for any and all help.