Win32:Refpron-AX[trj] real pain

This virus keeps coming back, and I can’t figure out why.

It keeps being detected and I select ‘Delete’ (Move to chest fails) and yet it keeps returning…

Some of the things I’ve tried.

Several different virus scanners, including live.com, AVS, and Avast.

Safe Mode scan.

Manually chasing down the registry entries with msconfig and regedit.

On boot scan.

The virus is detected with all these scans…But it returns immediately.

I’m thinking rootkit now, but I’ve done rootkit scans and can’t find it there either.

Here’s a copy of hijackthis log, if that helps.

Follow the guide here, and post the logs http://forum.avast.com/index.php?topic=53253.0

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Clean your Hosts file (replacing it) with the HostsMan tool.
  7. Disable System Restore and then re-enable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Thank you for the replies.

I’ve actually done most of these steps already…though in some cases I used a different version, or a different tool in the same category of scanner, from the one you suggest.

I suggest:

  1. Clean your temporary files.
    Done, with surprising difficulty, resorting to safe mode and the utility ‘removeonboot’ because some system processes are locking the most annoying files, and when I ran the MS tool Process Explorer to try to figure out what was doing the locking, I found it was DLLs that were used by all sorts of system processes. I think I got them all in safe mode, but they recreate very fast.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
    Done. avast DOES find the files, fails to move them to the chest due to the locking, but does appear to be able to ‘delete’ the files…until they recreate themselves a short while later.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and Trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    Using Ad-Aware and Malwarebytes for this. (Will try your suggestions as well.) They DO detect the infection: detect…try to clean…fail…detect…try to clean…fail…repeat. Even in safe mode.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
    No detected rootkits from RootkitBuster. OTS found some stuff which it claimed to have cleaned. (Back again soon after.)
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
    Done already, see my first post and the attached file.
  6. Clean your Hosts file (replacing it) with the HostsMan tool.
    Hosts file is clean. (I edit it myself regularly for web site testing.)
  7. Disable System Restore and then re-enable it again.
    Done
  8. Immunize your system with SpywareBlaster.
    Will try, though I’ve already gone through CCleaner, Exterminate It!, RegScrubXP and Windows Live Safety Center…I think I’m reaching the point that I have more Anti-Virus/Anti-Spam software installed than real software.
  9. Check if you have insecure applications with Secunia Software Inspector.
    Yes, it did find some old Java versions…interestingly they’re not listed in Add/Remove Programs. But Sun is notorious for bad cleanup.

I’ll post more when I have more info…but frankly I’m getting depressed. Luckily I have backups, but with this sort of virus, can I trust my backups?


Welcome to the forums, cosmofur. :slight_smile:

An analysis of your HJT log shows the following problems :

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one, or activate Windows XP’s own firewall.

You have two active antivirus scanners, which is not at all recommended as they will conflict with each other, causing less protection rather than better protection. This may have also contributed to the computer infection.

O1 - Hosts: 172.16.1.205 backups
Unknown URLs should be fixed. Unknown entries within the HOSTS-file should be fixed.
This one might be OK. http://www.robtex.com/ip/172.16.1.205.html

O1 - Hosts: 65.199.31.21 www.studyforalz.com
Must be fixed! http://www.robtex.com/dns/studyforalz.com.html

O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6&search=SAS-Search (numbers 4 & 6 on the list)

O2 - BHO: (no name) - {eab1d8e7-1d9b-4ad0-8da9-3bfca6d506f6} - (no file)
Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: (no name) - {F0626A63-410B-45E2-99A1-3F2475B2D695} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=F0626A63-410B-45E2-99A1-3F2475B2D695&search=SAS-Search (numbers 6 through 10 in list)

O4 - HKLM..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\Steven\LOCALS~1\Temp\soxmenawcr.tmp
Should be fixed. Sign of a trojan dropper. http://www.systemlookup.com/Startup/20964-lsass_exe.html
http://www.sophos.com/security/analyses/viruses-and-spyware/trojtattersa.html?_log_from=rss (see More Information tab)

O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - http://172.16.1.21/common/NPRemvu.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O21 - SSODL: laloyifuj - {2c0e253f-89b5-4a6d-b71a-66421a9bca78} - (no file)
O21 - SSODL: lunujowit - {d34ac6ef-3e33-4db7-9470-0f0eac9dea33} - (no file)
O21 - SSODL: hiwunapan - {f19d3934-0a6f-4025-9bd5-ae61dd65e343} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {2c0e253f-89b5-4a6d-b71a-66421a9bca78} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {d34ac6ef-3e33-4db7-9470-0f0eac9dea33} - (no file)
O22 - SharedTaskScheduler: gahurihor - {f19d3934-0a6f-4025-9bd5-ae61dd65e343} - (no file)

Research on the above 6 entries suggests that there might be a Vundo infection.

O23 - Service: JZTJBUZV - Unknown owner - C:\DOCUME~1\Steven\LOCALS~1\Temp\JZTJBUZV.exe (file missing)
Unnecessary (deactivated) entry that can be fixed.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

avgchsvx.exe
Virusscan
AVG Internet Security

avgrsx.exe
Backgroundtask
avgrsx.exe

avgcsrvx.exe
Virusscan
AVG Internet Security

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

ACService.exe
Backgroundtask
ArcSoft Connect Service

avgwdsvc.exe
Backgroundtask
avgwdsvc.exe

svchost.exe
System task
Microsoft Service Host Process

jqs.exe
Backgroundtask
Java Quick Starter Service

CommandService.exe
Unknown task
Unknown task http://www.bleepingcomputer.com/startups/CommandService.exe-24500.html

mdm.exe
Application
Machine Debug Manager

NMSAccessU.exe
Backgroundtask
NMSAccessU.exe

nvsvc32.exe
Application
NVIDIA Driver Helper Service

svchost.exe
System task
Microsoft Service Host Process

UAService7.exe
Backgroundtask
SecuROM User Access Service

avgnsx.exe
Backgroundtask
avgnsx.exe

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

Explorer.EXE
System task
Microsoft Windows Explorer

smax4pnp.exe
Application
Soundmax agent

svchost.exe
System task
Microsoft Service Host Process

avgtray.exe
Backgroundtask
avgtray.exe

ashDisp.exe
Virusscan
Avast AntiVirus

ctfmon.exe
System task
Alternative User Input Services

GoogleUpdate.exe
Backgroundtask
GoogleUpdate.exe

GoogleUpdate.exe
Backgroundtask
Google Updater

hpqtra08.exe
Backgroundtask
Hewlett Packard Imaging

GoogleCrashHandler.exe
Backgroundtask
Google Update

GoGear_Vibe_DeviceManager.exe
Backgroundtask
GoGear VIBE Device Manager

hpqimzone.exe
Driver
HP Imaging Module

TurbineLauncher.exe
Unknown task
Unknown task http://www.tallemu.com/oasis2/file/turbine__inc_/turbine_launcher/turbinelauncher_exe/1275093

hpqSTE08.exe
Driver
HP Imaging

SyncBackPro.exe
Unknown task
Unknown task http://www.tallemu.com/oasis2/file/2brightsparks_pte_ltd/syncbackpro/syncbackpro_exe/2682553

dllhost.exe
System task
Microsoft DCOM DLL Host Process

AAWService.exe
Anti-Adware/Spyware software
Ad-Aware 2007 Service

AAWTray.exe
Backgroundtask
AAWTray Application

winlogon.exe
System task
Microsoft Windows Logon Process

HPZipm12.exe
Driver
HP Taskbar Utility

Ad-Aware.exe
Virus http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=778
RBOT-SO WORM!

iexplore.exe
Application
Microsoft Internet Explorer

iexplore.exe
Application
Microsoft Internet Explorer

HijackThis.exe
Application
Merijn Hijackthis
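The checks the analysis above applies by hand (a hosts entry pointing a name at a public address, a Policies\Explorer\Run value living in a Temp directory, the same CLSID registered under both O21 SSODL and O22 SharedTaskScheduler, orphaned "(no file)" entries, an ActiveX control fetched from a bare IP) can be scripted. The Python below is an added example written for this page; it is not HijackThis, avast or the forum's log analyser. The sample log is the set of entries quoted in the post above, and the severity rules are assumptions about what a log helper looks for, not a published signature set.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not HijackThis, avast or forum code. The
sample lines are the entries quoted in the analysis post; the scoring
rules are assumptions about what a log helper looks for."""
import ipaddress
import re
from collections import defaultdict

# Entries copied from the HijackThis log excerpt quoted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 172.16.1.205 backups
O1 - Hosts: 65.199.31.21 www.studyforalz.com
O2 - BHO: (no name) - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - (no file)
O4 - HKLM..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\Steven\LOCALS~1\Temp\soxmenawcr.tmp
O16 - DPF: {CF38E898-0A6B-11D6-83C6-0080AD7D6076} (NPRemvuPluginControl) - http://172.16.1.21/common/NPRemvu.cab
O21 - SSODL: laloyifuj - {2c0e253f-89b5-4a6d-b71a-66421a9bca78} - (no file)
O21 - SSODL: lunujowit - {d34ac6ef-3e33-4db7-9470-0f0eac9dea33} - (no file)
O21 - SSODL: hiwunapan - {f19d3934-0a6f-4025-9bd5-ae61dd65e343} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {2c0e253f-89b5-4a6d-b71a-66421a9bca78} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {d34ac6ef-3e33-4db7-9470-0f0eac9dea33} - (no file)
O22 - SharedTaskScheduler: gahurihor - {f19d3934-0a6f-4025-9bd5-ae61dd65e343} - (no file)
O23 - Service: JZTJBUZV - Unknown owner - C:\DOCUME~1\Steven\LOCALS~1\Temp\JZTJBUZV.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
TEMP_RE = re.compile(r"\\Temp\\|\.tmp\b", re.I)   # binaries run out of %TEMP%
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
ORDER = {"high": 0, "medium": 1, "low": 2}

def parse(log):
    """Return [(section, body)] for every 'Oxx - body' line."""
    out = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def _hosts(body):
    """O1 'Hosts: <ip> <name>': a public IP is a redirect; private may be legit."""
    parts = body.split()
    if len(parts) < 3:
        return "medium", "malformed hosts entry"
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return "medium", "hosts entry with unparseable address"
    if ip.is_private or ip.is_loopback:
        return "low", f"{parts[2]} mapped to local address {ip}; fine if you added it"
    return "high", f"{parts[2]} redirected to public address {ip}; remove unless yours"

def _dpf(body):
    """O16 downloaded ActiveX control: a bare-IP origin deserves a look."""
    m = URL_HOST_RE.search(body)
    if not m:
        return "medium", "ActiveX control with no recognisable URL"
    try:
        ipaddress.ip_address(m.group(1))
        return "medium", f"ActiveX control fetched from bare IP {m.group(1)}; fix if unknown"
    except ValueError:
        return "low", f"ActiveX control from {m.group(1)}; verify the site"

def triage(log):
    """Score each entry; returns a list of dicts sorted high -> low."""
    entries = parse(log)
    # CLSIDs per section, so an O21 entry can be correlated with O22.
    seen = defaultdict(set)
    for section, body in entries:
        seen[section].update(c.lower() for c in CLSID_RE.findall(body))
    shared = seen["O21"] & seen["O22"]

    findings = []
    for section, body in entries:
        sev = reason = None
        if section == "O1":
            sev, reason = _hosts(body)
        elif section == "O16":
            sev, reason = _dpf(body)
        elif section in ("O4", "O23") and TEMP_RE.search(body):
            sev, reason = "high", "autostart or service runs from a Temp directory (dropper pattern)"
        elif section in ("O21", "O22") and shared & {c.lower() for c in CLSID_RE.findall(body)}:
            sev, reason = "high", "same CLSID as both SSODL and SharedTaskScheduler (the Vundo-style pairing noted above)"
        elif "(no file)" in body or "(file missing)" in body:
            sev, reason = "low", "orphaned entry; safe to fix"
        if sev:
            findings.append({"section": section, "severity": sev,
                             "reason": reason, "line": f"{section} - {body}"})
    findings.sort(key=lambda f: ORDER[f["severity"]])
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:>6}] {f['line']}\n         {f['reason']}")
```

Run as a script it prints the quoted entries highest severity first. The "backups" host on a private address is exactly the kind of entry the poster said he maintains himself, so it is only reported low; the studyforalz.com redirect to a public address, the Temp-directory autostart and service, and the three paired O21/O22 CLSIDs come out high. The rules are deliberately simple so they can be read and adjusted, not a replacement for the online analysers linked in the thread.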


Thank you.

While I had already run several virus scans with different products, it appears that Malwarebytes was the one I needed this time. It found a rootkit and removed it.

Since then I’ve not seen the problem return.

Thanks again.


You are welcome and glad you got it solved. :slight_smile: