I've got the same darned problem as this thread: http://www.bleepingcomputer.com/forums/t/227790/trojan-horse-agent-rnj/
It's driving me nuts. AVG detects that an SVCHOST.EXE process is trying to contact: binuser.fileave.com/IC/zhvntnlgecngmdn.exe and it's blocking it from downloading the file. The problem is trying to find out what is actually causing the d/l. AVG does nothing to let you know how to fix the actual cause of the problem, but does prevent my machine from becoming further infected.
I took the drive out and scanned on another box with Malwarebytes, CureIT, SuperAntiSpyware and AVG (my normal running antivirus) and they find nothing.
When the drive is running on its own, however, every few minutes AVG pops up because one of the svchost.exe processes is trying to download that same link listed in the first message, which is an IE replacement. AVG picks out the proper process ID and I can kill it but it still re-appears.
The process will always run, but one way to prevent it from actually being able to download is to turn off BITS (Background Intelligent Transfer Service), which is normally used by Windows Update. But, that only stops the malware from downloading the crap IE... it still is running. If you kill it using task manager, it'll pop back in a few minutes later.
What's driving me absolutely bonkers is trying to find out what's loading it. Something in startup or in the registry has to be calling this thing, and it doesn't look like malware since none of the regular malware detection products seem to find it.
Any ideas where I can look? I've gone thru the startup folders, used msconfig to look thru any registry based startup items, but can't find it. I'd hate to have to rebuild the OS for something like this... but it's hidden pretty well.
Edited by christr, 24 May 2009 - 11:50 AM.