System Volume Information Trojans - services.exe and smss.exe - cannot remove.

27 replies to this topic

#16 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,310 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:11:34 AM

Posted 05 July 2010 - 01:33 AM

The others are only activated when I want a scan - in case I want reassurance or a 2nd opinion.

Even so, both AV applications install kernel level drivers and will detect these of each other. Since asquared detects basically only false positives, I'd recommend to remove that and keep Avast.

Avast found nothing because there is nothing to find, asquared only detects all bootkit components, plus cookies (which are always low risk).

See below for a few extra steps, including resetting your System Restore.

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
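The restore-point procedure in the post above (create a fresh point after cleanup, then purge every older one) as a script. This is an added example written for this page, not code from the thread or from BleepingComputer, and it assumes Windows 7 or later, where restore points are VSS shadow copies (the GUI steps in the post are for Windows XP, where this script does not apply), Windows PowerShell 5.1 (the *-ComputerRestorePoint cmdlets are not available in PowerShell 7), and an elevated Administrator session. The volume, the description text and the CSV path are assumptions chosen for the example.

```powershell
# Added example, not part of the thread: "new restore point, then purge the old ones"
# as a script. Assumes Windows 7+, Windows PowerShell 5.1 and an elevated session.

$ErrorActionPreference = 'Stop'
$volume = $env:SystemDrive   # assumption: System Restore protects the system drive

function Get-RestorePointTable {
    # Lists restore points with a readable creation time. Keep this output as the
    # "log" the post recommends, so a near-empty list later is recognised as the
    # result of this cleanup rather than as a sign of tampering.
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
}

Write-Host 'Restore points before cleanup:'
Get-RestorePointTable | Format-Table -AutoSize
# Assumed log location; change to taste.
Get-RestorePointTable | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\restore-points-before.csv"

# Windows 8 and later refuse a new restore point within 24 h of the previous one
# unless this interval (in minutes) is lowered; 0 removes the throttle.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' -Value 0 -Type DWord

# Create the clean baseline AFTER the malware cleanup, as the post says.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType 'MODIFY_SETTINGS'
$baseline = Get-RestorePointTable | Select-Object -Last 1
Write-Host "Created restore point $($baseline.SequenceNumber) at $($baseline.Created)"

# Purge everything older than the baseline. This is what "Clean Up" under
# cleanmgr > More Options does: drop the oldest shadow copy until one is left.
# Caveat: /oldest removes the oldest shadow copy on the volume whoever created it,
# so run this only on a machine whose shadow copies are System Restore's own.
$maxRounds = (Get-ComputerRestorePoint | Measure-Object).Count   # guard against looping forever
for ($i = 0; ($i -lt $maxRounds) -and ((Get-ComputerRestorePoint | Measure-Object).Count -gt 1); $i++) {
    vssadmin delete shadows /for=$volume /oldest /quiet | Out-Null
}

Write-Host 'Restore points after cleanup:'
Get-RestorePointTable | Format-Table -AutoSize
```

The "before" listing is deliberately saved to disk first: the later post in this thread where only two restore points remain is exactly the situation a written record of the purge prevents from being misread as a new infection.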




#17 Blixx

Blixx
  • Topic Starter

  • Members
  • 73 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 05 July 2010 - 02:48 AM

elise025 - "Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm."

These were already set for the settings specified here.


What about the 3rd item which a-squared found - I assume I should delete that?

"Finally, it listed a 3rd item (besides the cookie and the above "Trojan"):

Trojan.Win32.Agent!IK

File:C:\System Volume Information\_restore-{long file name here} \RP841\A0401749.sys

I assume the latter is one of my System Restore points."

Edited by Blixx, 05 July 2010 - 02:52 AM.


#18 Blixx

Posted 05 July 2010 - 02:50 AM

"Trojan.Crypt!IK

It then lists 5 Files under that heading:

File:C:Documents and Settings\Owner\Desktop\bootkit_remover.rar/remover.exe

File:C:Documents and Settings\Owner\Desktop\remover.exe

File:C:Documents and Settings\Owner\Desktop\Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00010b/remover.exe

File:C:\WINDOWS\Temp\_avast5\unp124996194.tmp

File:C:\WINDOWS\Temp\_avast5\unp200013713.tmp"

Should I delete any of these?

Edited by Blixx, 05 July 2010 - 02:54 AM.


#19 Elise

Posted 05 July 2010 - 11:56 AM

Yes, you can just delete these, since you do not need bootkit remover any longer :thumbsup:

regards, Elise




#20 Blixx

Posted 06 July 2010 - 01:15 AM

That was a bleepin' fantastic job, Bleepin' Blonde.

#21 Elise

Posted 06 July 2010 - 01:19 AM

:thumbsup:

regards, Elise




#22 Blixx

Posted 06 July 2010 - 01:24 AM

elise025 - "Looks good! Any problems left?"

My other computer is Windows Vista Home Premium.

Recently, I get an icon in my System Tray periodically - don't know what triggers it.


"A Windows Media Center Extender was found" is what it says when my cursor is put on it.

Right clicking the icon, and then clicking on "More Information" brings up a small window which says "Windows Media Center Extender" on the top frame of the window.

Inside the window, it says "XBox 360 Xtender".
"This device was found on your network. Would you like to set it up now?"

I assume this is spyware, as I don't have an xbox and have never sought an "XBox 360 Xtender".

Right clicking also has a "Dismiss" option, which makes the icon disappear.
But it always reappears eventually.

Edited by Blixx, 06 July 2010 - 01:26 AM.


#23 Elise

Posted 06 July 2010 - 01:54 AM

If you have a wireless network, is it possible someone else is using it with Xbox? It doesn't look like malware on first sight.

regards, Elise




#24 Blixx

Posted 06 July 2010 - 04:51 AM

I am at a hotel using their Ethernet cable system. So you could be correct.

When I've looked at the other computers on the (hotel) network, I see an icon next to a few of them. Perhaps that is an Xbox icon.

Edited by Blixx, 06 July 2010 - 04:51 AM.


#25 Blixx

Posted 06 July 2010 - 04:55 AM

One last issue - both of my computers are slow.

I'm not sure what's going on with them - I was doing virus scans to find out if there was a virus problem, which led me to discover the Trojans on the old computer.

Are you able to help with this - running a "Hijack this" or similar software (have never used any of these) to see if there are things on the system slowing it down?
Or any other suggestions?

#26 Elise

Posted 06 July 2010 - 05:31 AM

Please follow the steps here and post back when done.

Best is to do this for only one computer at a time, otherwise things may become confusing.

regards, Elise




#27 Blixx

Posted 13 July 2010 - 05:08 PM

Sorry for the delay in responding. Didn't have a chance to get started on following your last link.

But I now have a new problem on my new(er) computer which is urgent.

The "Delete" key on my keyboard is not working.
I use the "Delete" frequently when typing, so this is making life difficult.

I first noticed this early this am. I thought a reboot would probably clear it up.

When I turned computer back on this afternoon, it is still not working.

As far as I know at this time, all of my other system functions are working correctly.

Not only that, but the functions of adjoining keys - PrtSC, NumLk, are all working.

(Don't know how to test the "Insert" function - I'm not really sure of its function since if I place the "typing cursor" at a certain place and type, the characters insert normally without need of a special key).

Stranger still, I went to System Restore. It always has about 2.5 weeks of restore points.
They are all gone.

The only ones there were:
7/12/2010 - System:Scheduled Checkpoint
7/13/2010 - 1:35:30 AM - Install:Windows Update

This is doubly disturbing, as I have Windows Updates turned off ("Never Check for Updates - Not Recommended" setting).

Just did a system restore to the 7/13 restore point (" Install:Windows Update"), but the "Delete" key still not functioning correctly - doesn't delete.

???

I'll do a scan now, but had scanned on 12th or at latest 11th with no problems.

I guess I could restore to the 7/12 "Scheduled Checkpoint", my only other restore option - should've done this instead of using the 7/13 checkpoint - but I'm always a little fearful of doing more than one restore, as I've had a crash in the past from doing that.

Edited by Blixx, 13 July 2010 - 05:14 PM.


#28 Elise

Posted 14 July 2010 - 02:33 AM

Remember what we did earlier? :thumbsup:

Purging System Restore Points

That is why there are only two restore points :flowers:

Anyway, that keyboard problem is most likely caused by a messy keyboard. You can easily check this by using another keyboard and seeing if the problem still persists.

regards, Elise



