Here's a description of my problem:
There's a program active on my PC (Windows 7 Ultimate, running AVG Internet Security for both the firewall and antivirus) that creates new folders in the c:\windows\temp directory containing 'fake' svchost.exe files that try to make a connection to an external IP to download more trojans to my PC. AVG's shield notices this and blocks it, but cannot remove it, since it only knows the origin of the svchost.exe file and not the program that creates the new folders.
There is a single infected svchost.exe process running at any given time, but as soon as you end it, the program creates a new folder and a new svchost.exe file. I'm able to notice whether it's running by looking for the svchost.exe process that uses an excessive amount of memory (28 MB+); it also causes ping to spike sometimes.
I've tried pretty much every spyware/malware removal program I've heard about, but no luck as of yet. This includes:
- MBAM
- Hitman Pro
- Avast!
- AVG
- NOD32
- Kaspersky Online Scanner
- Ccleaner
- SuperAntispyware
- Spybot Search & Destroy
Here are the logs:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:05:10, on 21-5-2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\NewsLeecher\newsLeecher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - G:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\Windows\system32\hasplms.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 2667 bytes
Uninstall list:
µTorrent
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AMD Drag and Drop Transcoding
Apple Application Support
Apple Software Update
Assassin's Creed II
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
ATI AVIVO Codecs
ATI Catalyst Install Manager
avast! Internet Security
AVG 9.0
Battlefield: Bad Company 2
Battlefield: Bad Company™ 2
Call of Duty: Modern Warfare 2
Catalyst Control Center - Branding
CCleaner
Connect
Crysis WARHEAD(R)
Crysis WARHEAD(R)
Dragon Age: Origins
ESET Online Scanner v3
HiJackThis
Hitman Pro 3.5
HydraVision
kuler
Launchpad Enhanced
Left 4 Dead 2 Demo
Logitech Harmony Remote Software 7
Malwarebytes' Anti-Malware
MediaInfo 0.7.30
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.5.9)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
myphotobook 3.67
NewsLeecher v4.0 Beta 7
NVIDIA PhysX
PDF Settings CS4
Photoshop Camera Raw
Profotonet Printservice
PunkBuster Services
QuickPar 0.9
QuickTime
Realtek High Definition Audio Driver
Spybot - Search & Destroy
Star Wars Galaxies
Steinberg Cubase 5
Steinberg Drum Loop Expansion 01
Steinberg Groove Agent ONE Content
Steinberg HALionOne
Steinberg HALionOne Additional Content Set 01
Steinberg HALionOne Expression Set
Steinberg HALionOne GM Drum Set
Steinberg HALionOne GM Set
Steinberg HALionOne Pro Set
Steinberg HALionOne Studio Drum Set
Steinberg HALionOne Studio Set
Steinberg LoopMash Content
Steinberg REVerence Content 01
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
THE SETTLERS - Rise of an Empire (All products)
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
Torchlight
Ubisoft Game Launcher
Ventrilo Client
VLC media player 1.0.2
Winamp
Windows Driver Package - MobileTop (sshpmdm) Modem (01/26/2008 2.6.0.0)
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinRAR archiver
Hope you can help.
Cheers,
Ralf
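As an added example (not part of Ralf's post or of any of the tools he lists), the check below does what AVG cannot in the situation described: it lists every running svchost.exe whose image is not in the Windows system directories, names the process that spawned it (the dropper that keeps recreating the folder), and lists svchost.exe files under C:\Windows\Temp, where a genuine svchost.exe never lives. It assumes Windows PowerShell 2.0 or later (as shipped with Windows 7) run from an elevated prompt; the working-set column is informational only, since legitimate service hosts can also exceed 28 MB.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 2.0+
# on Windows 7, run elevated (otherwise ExecutablePath is hidden for other
# users' processes and the path is reported as unreadable, not as suspect).

$trustedDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\")

function Test-TrustedImage([string]$path) {
    # True only when the image sits directly in System32 or SysWOW64.
    if (-not $path) { return $false }
    $dir = [System.IO.Path]::GetDirectoryName($path) + '\'
    foreach ($d in $trustedDirs) {
        if ($dir -ieq $d) { return $true }
    }
    return $false
}

# One WMI query yields image path, parent PID and working set for every process.
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

Write-Host "== svchost.exe instances not running from System32/SysWOW64 =="
foreach ($p in $all) {
    if ($p.Name -ine 'svchost.exe') { continue }
    if (Test-TrustedImage $p.ExecutablePath) { continue }

    # The parent is the process that created the folder and the fake svchost.exe;
    # that is the thing to hunt, not the svchost.exe instance itself.
    $parent = $byPid[[int]$p.ParentProcessId]
    $spawnedBy = if ($parent) { "$($parent.Name) [PID $($parent.ProcessId)] $($parent.ExecutablePath)" } else { "PID $($p.ParentProcessId) (already exited)" }
    $status = if ($p.ExecutablePath) { 'SUSPECT' } else { 'PATH UNREADABLE (run elevated)' }

    New-Object PSObject -Property @{
        Status       = $status
        PID          = $p.ProcessId
        Image        = $p.ExecutablePath
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)   # informational only
        SpawnedBy    = $spawnedBy
    } | Format-List
}

Write-Host "== svchost.exe files dropped under $env:SystemRoot\Temp =="
Get-ChildItem "$env:SystemRoot\Temp" -Recurse -Filter svchost.exe -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime | Format-Table -AutoSize
```

Run it while the memory-hungry svchost.exe is alive rather than after killing it, so the SpawnedBy line points at a parent that still exists.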