I thought I would run MBAM once more (since this log was like 2 days old), before I ran the Avast boot-time scan.
Now I have a problem: I realised that MBAM was never able to remove anything during reboot because every time it was about to reboot it encountered a problem and had to be shut down.
I ran MBAM twice just to be certain and here are the logs:
Scan type: Quick scan
Objects scanned: 109107
Time elapsed: 8 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas (Trojan.Downloader) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
C:\WINDOWS\Tasks{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) → Quarantined and deleted successfully.
C:\WINDOWS\Tasks{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) → Quarantined and deleted successfully.
Didn’t reboot so I tried again:
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2010-04-03 22:56:20
mbam-log-2010-04-03 (22-56-20).txt
Scan type: Quick scan
Objects scanned: 109111
Time elapsed: 2 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\sshnas21.dll (Trojan.Downloader) → Delete on reboot.
Once again, MBAM encountered a problem, had to shut down and didn’t reboot.
Suddenly, a “DrWatson Postmortem Debugger” encountered a problem and had to close, don’t really know if this is related, but I’ve never seen it before…
I also forgot to say that the file name slightly shifts every time:
For ex.
C:\WINDOWS\TEMP\yorg.tmp\svchost.exe
C:\WINDOWS\TEMP\whug.tmp\svchost.exe
Sorry for writing such a long post without having tried what you wrote, but I thought this could be good to tell you before I do something else.
Edit:
Ran Avast boot-time scan, still get virus warning, now also located in c:\windows\temp\egr.exe.
And now Avast wants to run another boot-time scan… the last one took like two hours.
Edit 2:
Ran SAS, which found 360 threats, it removed them all and rebooted, but the problem still remains in:
c:\windows\system32\ymamvrxb.dll
Edit 3:
I ran SAS a second time, and my problem still remains.
@ DavidR: do you have any other suggestions or should I try TDSSKiller and HMPro next?