My name is Carl. My computer was taken down last week due to a malware infection. I am somewhat computer literate, so I tried my usual virus scans/removals, etc. However, the problem remains. I use Norton Antivirus and called their support; however, their solution did not work. My system is Windows XP Professional SP3 (Core2Duo E6600 + 2GB RAM).
Norton Antivirus 2010
There are two files that appear to be the root of the problem.
C:\System Volume Information\services.exe
C:\System Volume Information\smss.exe
The above files are started at login (in addition to the legitimate processes). However, the two files above use significantly more RAM (like 40MB instead of 1.5MB). Also, it is impossible to kill these two processes (they always restart when killed). When removed, the files are regenerated. Each process is started as a child of winlogon.exe.
Multiple iexplore.exe processes start and attempt to connect to the internet. These iexplore.exe processes do not show themselves on screen. They only start when there is an active internet connection, in which case they attempt to connect to hundreds of IP addresses (see picture).
When not connected to the internet, there is a lot of disk activity by these two processes (lots of reads and writes). I do not know what it is reading or writing to the disk.
This malware runs in Safe Mode as well. SuperAntimalware does not detect much (just my browser cookies). MalwareBytes detected something at first and cleaned it, but the problem came back and subsequent scans do not detect anything.
I suspect a possible rootkit infection as it has evaded all my attempts to detect/remove it.
I would greatly appreciate the expert advice that is offered on these forums. I have tried googling the symptoms and I do not find anything relevant.
This is the running process (without internet connection)
Here are the details of the bogus smss.exe (notice the parent is winlogon.exe):
The attempted connections made by all the iexplore.exe threads.
Process details of iexplore.exe
Apparently, there are 4 winlogon.exe processes running (with 4 different PIDs). However, only one shows up in ProcessHacker.
Edited by iform, 11 June 2010 - 12:11 AM.
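The symptoms in this post (core-system image names running from outside System32, a "smss.exe" whose parent is winlogon.exe rather than the System process, two copies of singleton processes, and hidden iexplore.exe children of the impostors) are exactly the anomalies a process-tree audit can flag mechanically. The script below is an added example, not code from the poster or from this forum. It encodes the standard Windows XP boot chain (System -> smss.exe -> csrss.exe/winlogon.exe -> services.exe/lsass.exe -> svchost.exe) as the expected-parent table and runs it over a constructed process snapshot; the PIDs, paths and process list are made up to mirror the post, not taken from the poster's screenshots.

```python
"""Audit a Windows XP process snapshot for core-process impersonation.

Three checks: a core image name must run from System32, its parent must be
the one the XP boot chain produces, and singleton core processes must appear
exactly once. Children of anything flagged are reported as well.
"""
from collections import Counter
from dataclasses import dataclass

SYSTEM32 = r"c:\windows\system32"

# Expected parent image name for each core process on Windows XP (assumed
# standard single-session boot chain; Vista+ differs, e.g. wininit.exe).
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}
# Core processes of which a healthy single-session XP box runs exactly one.
SINGLETONS = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def _directory(path):
    return path.lower().rsplit("\\", 1)[0]


def audit(procs):
    """Return {pid: [reasons]} for every process that looks like an impostor."""
    by_pid = {p.pid: p for p in procs}
    findings = {}

    def flag(pid, reason):
        findings.setdefault(pid, []).append(reason)

    for p in procs:
        name = p.name.lower()
        if name not in EXPECTED_PARENT:
            continue  # not a core process; nothing to compare against
        # 1. Core images live in System32; any other directory is impersonation.
        if _directory(p.path) != SYSTEM32:
            flag(p.pid, f"image outside System32: {p.path}")
        # 2. The parent must be the one the XP boot chain produces.
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else f"<missing PID {p.ppid}>"
        if parent_name != EXPECTED_PARENT[name]:
            flag(p.pid, f"parent is {parent_name}, expected {EXPECTED_PARENT[name]}")

    # 3. Singleton core processes: more than one copy means at least one impostor.
    counts = Counter(p.name.lower() for p in procs)
    for name in SINGLETONS & {n for n, c in counts.items() if c > 1}:
        copies = [p for p in procs if p.name.lower() == name]
        outside = [p for p in copies if _directory(p.path) != SYSTEM32]
        for p in outside or copies:  # if all live in System32, flag every copy
            flag(p.pid, f"{counts[name]} instances of singleton {name}")

    # 4. Anything started by a flagged process inherits suspicion (one level).
    flagged = set(findings)
    for p in procs:
        if p.ppid in flagged and p.pid not in flagged:
            parent = by_pid[p.ppid]
            flag(p.pid, f"spawned by flagged {parent.name} (PID {parent.pid})")

    return findings


# Constructed snapshot modelled on the post: legitimate XP chain plus two
# impostors under System Volume Information and the iexplore.exe they spawn.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(540, 4, "smss.exe", r"C:\WINDOWS\system32\smss.exe"),
    Proc(604, 540, "csrss.exe", r"C:\WINDOWS\system32\csrss.exe"),
    Proc(628, 540, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(672, 628, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(684, 628, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    Proc(1300, 672, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 1480, "explorer.exe", r"C:\WINDOWS\explorer.exe"),  # userinit.exe parent has exited
    Proc(1234, 628, "smss.exe", r"C:\System Volume Information\smss.exe"),
    Proc(1256, 628, "services.exe", r"C:\System Volume Information\services.exe"),
    Proc(2000, 1256, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(2012, 1234, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(audit(SNAPSHOT).items()):
        print(f"PID {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Feed it a real snapshot by exporting PID, parent PID, image name and full path from Process Explorer or Process Hacker and building `Proc` records; the path check is what catches the System Volume Information copies even when the name and parent look plausible, and the singleton rule is what separates the second services.exe from the first. The parent table is XP-specific and would need adjusting for later Windows versions.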