
System Volume Information Trojans - services.exe and smss.exe - cannot remove.


27 replies to this topic

#1 Blixx

Posted 02 July 2010 - 01:16 AM

My problem was perfectly described in this thread: http://www.bleepingcomputer.com/forums/topic326120-30.html

Although some have described random audio ad pop-ups and IE windows opening, I'm not getting those, or haven't noticed them yet, but it is turning my Wave Volume all the way down, as reported by all with this problem.
(My gf was using this computer yesterday and twice the IE window she was in closed down - no error message - it just disappeared - perhaps another symptom?).


Windows XP Home.

A scan by avast revealed 6 problems.
4 of them successfully removed to the Virus Chest.

But 2 cannot be Repaired nor Removed to Chest nor Deleted:

C:\System Volume Information\Microsoft\services.exe
Severity:High
Status: Threat:Win32:Cycler-F [Trj]

C:\System Volume Information\Microsoft\smss.exe
Severity:High
Status: Threat:Win32:Cycler-F [Trj]

Also detected by a-squared and Malwarebytes Anti-Malware. But none are able to rid my system of these 2.

A Google search reveals recent posts across various anti-virus forums on this problem, but apparently it's still unsolved.

I followed the bleepingcomputer thread whose URL I list above, and read the various split-off threads from the main thread, but no clear solution.


Running avast free as real-time antivirus. Have also scanned with a-squared, MAB, Super Anti-Spyware and Spybot. Also have been using Spyware Blaster.

Tried to remove them with any of these programs which detected them, but no success.

Avast discovers them doing a Boot Scan, Quick Scan and Full Scan, but can't solve the problem.


Please help. Thanks.

Edited by Blixx, 02 July 2010 - 02:00 AM.



#2 Elise

Posted 02 July 2010 - 06:07 AM

Hello there,

Please download 7zip and install the program on your computer (we need this program in order to be able to unzip a tool).


When 7zip is successfully installed, please download bootkit_remover.rar and save the file to your desktop.

Right click on the file and select "extract/unzip here".

This will create two readme files and remover.exe on your desktop.
Double click on remover.exe; a command window will open. Please copy/paste the text under "MBR Status" and post that in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 Blixx

Posted 03 July 2010 - 10:31 PM

elise025 - Thank you for helping.

"Please copy/paste the text under "MBR Status" and post that in your next reply."

Under "MBR Status", in brown type it says "Unknown boot code".
Under that, in the same unique brown type, it says "Unknown boot code has been found on some of your physical disks".

Edited by Blixx, 03 July 2010 - 10:58 PM.


#4 Elise

Posted 04 July 2010 - 01:30 AM

Could you please let me know how the disk is named where this unknown boot code is found (Including slashes and points).

regards, Elise




#5 Blixx

Posted 04 July 2010 - 02:41 AM

In the middle of its screen, it has "Size", "Device Name", and "MBR Status" listed horizontally, with a line under them.

If that is what you are referring to, under "Device Name", it states:

\\.\PhysicalDrive0


[Under "Size", it states "111 GB" (without the quote marks)].

Edited by Blixx, 04 July 2010 - 02:45 AM.


#6 Elise

Posted 04 July 2010 - 02:51 AM

Yes, that's it :thumbsup:

Please click Start > Run, type notepad in the run box and press Enter.

Copy/paste the following text into Notepad and save it as fixme.bat in the same location as bootkit remover.

    @echo off
    remover.exe fix \\.\PhysicalDrive0
    exit

Exit Notepad and double-click on fixme.bat to run it.
After a reboot, rerun remover.exe and let me know what is now listed under MBR status.

regards, Elise


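The batch file in the post above hands \\.\PhysicalDrive0 to remover.exe, and the tool's "MBR Status" column ("Unknown boot code" before the fix, "OK <DOS/Win32 Boot Code Found>" after) is its verdict on the first sector of that disk. The following Python script is an added example, not the bootkit remover's code and not something from this thread: it parses a 512-byte MBR, validates the 0x55AA boot signature and the partition table, and compares a SHA-256 of the 446-byte boot-code region against a baseline hash that an administrator recorded while the machine was known to be clean, so that a later overwrite shows up as "unknown boot code". The sample MBRs, the baseline and the "tampered" variant are all constructed for the demonstration; the boot-code bytes are placeholders, not real Windows boot code, and the layout constants assume the classic MBR format.

```python
import hashlib
import struct

# Classic MBR layout (assumed standard layout, not taken from the thread's tool).
MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
SIGNATURE = b"\x55\xaa"      # boot signature, 0xAA55 stored little-endian


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition edits do not change it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the used entries of the partition table as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:           # type 0x00 marks an unused slot
            continue
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr: bytes, baseline_hash: str = None) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    findings = []
    if len(mbr) < MBR_SIZE:
        return ["sector too short: %d bytes" % len(mbr)]
    if mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    # Entries whose LBA ranges overlap point to a corrupted or hand-edited table.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in parts)
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("entries %d and %d overlap" % (i1, i2))
    if baseline_hash is not None and boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (unknown boot code)")
    return findings


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed 512-byte MBR for the demonstration below."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, sectors)
                     for status, ptype, lba, sectors in entries)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


# Constructed samples: placeholder boot-code bytes (not real Windows boot code)
# and a single active partition of type 0x07 starting at LBA 63.
KNOWN_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [(0x80, 0x07, 63, 200000)])
BASELINE = boot_code_hash(KNOWN_GOOD)        # what an admin would record while clean
# Same partition table, different boot code: what a boot-sector overwrite looks like.
TAMPERED = build_sample_mbr(b"\xeb\xfe", [(0x80, 0x07, 63, 200000)])

if __name__ == "__main__":
    # On a live Windows box the real sector is read (administrator rights needed) with:
    #   mbr = open(r"\\.\PhysicalDrive0", "rb").read(MBR_SIZE)
    for name, mbr in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(name + ":", inspect_mbr(mbr, BASELINE) or ["OK"])
```

Hashing only the boot-code region rather than the whole sector keeps the baseline stable across legitimate partition changes, while the structural checks (signature, one active partition, no overlapping entries) still catch a table that was damaged by a bad fix.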


#7 Blixx

Posted 04 July 2010 - 04:02 AM

"After a reboot, rerun remover.exe and let me know what is now listed under MBR status."

It now says:

OK <DOS/Win32 Boot Code Found>


Sounds like good news. ?
One strange event, however, immediately following the above.
Icon in system tray - "Windows has found new hardware" I think it said. Then a notice that the software needs a restart for the new hardware, or something similar.
I haven't rebooted though.
??

(Haven't installed anything new on the computer since I discovered the Trojans several days ago).

Edited by Blixx, 04 July 2010 - 04:13 AM.


#8 Elise

Posted 04 July 2010 - 04:19 AM

That is indeed normal :thumbsup:

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise




#9 Blixx

Posted 04 July 2010 - 04:33 AM

Scanning currently.

In case it is relevant - I have a removal of these Trojans in avast (free) antivirus' Virus Chest, and likewise with a-squared free.
(The Trojans were always there again the next time I scanned, but these av's made a removal after scanning).

I mention this in case MAB detects the Trojans in the av's Virus Chests. Don't know if that can happen.

Thanks for your help - I may not be able to post next for 8 hours or so - I think the scan will probably take an hour or more.

Edited by Blixx, 04 July 2010 - 04:39 AM.


#10 Elise

Posted 04 July 2010 - 04:54 AM

It's possible it detects them there, yes, but it will show the file path, so I will be aware of that :thumbsup:

regards, Elise




#11 Blixx

Posted 04 July 2010 - 05:53 AM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4274

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/4/2010 3:52:05 AM
mbam-log-2010-07-04 (03-52-05).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 243361
Time elapsed: 1 hour(s), 20 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\Microsoft\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
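The log above is the MBAM 1.46 report layout: a header, a summary block with one count per category, then one detail section per category listing each item as "path (detection) -> action". As an added example (not Malwarebytes' own code and not from the thread), the following Python parser reads that layout, cross-checks the summary counts against the items actually listed (a pasted log that has been trimmed fails that check, which is the practical reason for asking posters for the complete log), and flags hits under System Volume Information, the protected folder in which both the avast detections and this MBAM hit sit. The sample log is constructed from the values in the post; the regular expressions and the PROTECTED_MARKERS list are this example's own assumptions.

```python
import re

# Constructed sample in the layout of the MBAM 1.46 log posted above (values copied from the thread).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4274

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

7/4/2010 3:52:05 AM
mbam-log-2010-07-04 (03-52-05).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 243361
Time elapsed: 1 hour(s), 20 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\Microsoft\smss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "<Category> Infected: N" is a summary line; "<Category> Infected:" opens a detail section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+Infected):(?: (?P<count>\d+))?$")
# Detail line: "<path> (<detection>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

# Locations a normal delete usually cannot clean in place (assumed list for this example).
PROTECTED_MARKERS = ("\\system volume information\\",)


def parse_mbam_log(text: str) -> dict:
    """Split an MBAM log into header fields, summary counts and per-section items."""
    report = {"header": {}, "counts": {}, "items": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                report["counts"][m.group("name")] = int(m.group("count"))
                section = None
            else:
                section = m.group("name")
                report["items"].setdefault(section, [])
            continue
        if section is not None:
            if line.startswith("(No malicious items detected)"):
                continue
            im = ITEM_RE.match(line)
            if im:
                report["items"][section].append(im.groupdict())
            continue
        # Header lines worth keeping when triaging a posted log.
        if line.startswith("Database version:"):
            report["header"]["database_version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Windows "):
            report["header"]["os"] = line
        elif line.startswith("Scan type:"):
            report["header"]["scan_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Malwarebytes"):
            report["header"]["product"] = line
    return report


def check_consistency(report: dict) -> list:
    """Summary counts must match the detail sections; a mismatch means a truncated paste."""
    problems = []
    for name, count in report["counts"].items():
        listed = len(report["items"].get(name, []))
        if listed != count:
            problems.append("%s: summary says %d, %d listed" % (name, count, listed))
    return problems


def flag_protected_locations(report: dict) -> list:
    """Items whose path lies somewhere an ordinary delete cannot reach."""
    flagged = []
    for items in report["items"].values():
        for item in items:
            if any(marker in item["path"].lower() for marker in PROTECTED_MARKERS):
                flagged.append(item)
    return flagged


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("database version:", report["header"]["database_version"])
    print("consistency problems:", check_consistency(report))
    for item in flag_protected_locations(report):
        print("protected location:", item["path"], "->", item["action"])
```

The flagged path is the reason the earlier scanners kept reporting the same two files: System Volume Information belongs to System Restore, and a detection there comes back on the next scan until the restore points holding it are purged.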

#12 Elise

Posted 04 July 2010 - 06:19 AM

Looks good! Any problems left?

regards, Elise




#13 Blixx

Posted 04 July 2010 - 06:29 AM

I hope it is gone. But please leave this case open for a day.
I'm about to go to sleep. But when I get up, will run a few av scans.

I used several av's and they would state that they had Deleted or Removed to Virus Chest the Trojans.
Then I would rerun the scan, and they were still there.

Will report back in this thread later today.

#14 Elise

Posted 04 July 2010 - 06:35 AM

Okay, please take your time.

"I used several av's and they would state that they had Deleted or Removed to Virus Chest the Trojans.
Then I would rerun the scan, and they were still there."

It's not recommended to have more than one antivirus. If you have more than one, they will only fight each other for control over the system and let malware slip by.

regards, Elise




#15 Blixx

Posted 04 July 2010 - 10:59 PM

elise025 - "Its not recommend to have more than one antivirus. If you have more than one, they will only fight each other for control over the system and let malware slip by."

I have only one av in real time - avast (free) is my resident scanner.
The others are only activated when I want a scan - in case I want reassurance or a 2nd opinion.

I ran avast Quick Scan and an avast Boot Scan - both found nothing.

I then ran a-squared free. I know that it can come up with false positives.

It found 3 items. Item #1 is a Trace.Tracking Cookie.

The 2nd item - It called the bootkit remover itself a High Risk - a false positive I'm sure. Specifically -

Trojan.Crypt!IK

It then lists 5 Files under that heading:

File:C:Documents and Settings\Owner\Desktop\bootkit_remover.rar/remover.exe

File:C:Documents and Settings\Owner\Desktop\remover.exe

File:C:Documents and Settings\Owner\Desktop\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00010b/remover.exe

File:C:\WINDOWS\Temp\_avast5\unp124996194.tmp

File:C:\WINDOWS\Temp\_avast5\unp200013713.tmp


Finally, it listed a 3rd item (besides the cookie and the above "Trojan"):

Trojan.Win32.Agent!IK

File:C:\System Volume Information\_restore-{long file name here} \RP841\A0401749.sys

I assume the latter is one of my System Restore points.


Both Trojans (including all of the files) it listed as "High Risk".

Edited by Blixx, 04 July 2010 - 11:01 PM.




