Ok, here goes, this may be a bit lengthy, but I have done a lot of work on this issue myself before turning here.
System - Windows XP SP1
Browser - IE6
Tools already used - Spybot S&D, Ad-aware, Avast, AVG, HiJack_This
Description -
This computer has been infected with malware. At first I ran Hijack This, and cleaned everything it recommended. Then I downloaded and installed Spybot, and it cleaned 200+ files. Then I downloaded Avast and installed it. The malware wouldn't let me execute the application. I would get an hourglass for just a moment, but the app never initialized. Avast will run in Safe Mode, so I cleaned 50+ viruses from the system.
I felt that I had done enough for the day; I was able to surf the net without getting a 403 error anymore.
The next day I had this on my desktop: "A fatal error in IE has occured at 0028:C0011E36 in VXD Vmm<01> + 0010E36 Error was caused by Trojan-Spy.html.smitfraud.c" It had domineered my desktop and I could change the background image. It had even removed the tab from the properties for the desktop. I deleted the C:\wp.exe and the C:\wp.bmp, and fixed the registry settings for the desktop. I ran Spybot, came back clean, ran Hijack This - came back clean, ran Avast - came back clean. However, the system isn't clean! I still couldn't start Avast in Normal Mode, so I started to end processes one by one. I focused on the processes corresponding to the User Name of the user account. There was one that kept restarting itself after I ended the process. So back to Safe Mode I went, searched the Registry and cleaned out the Access Network key, which had the same value as the directory and name of the process that kept running. I also cleared the Run Key instance of the malware. The malware resided in the Windows/System32 directory, so I went there and deleted it.
Rebooted the computer, all was fine so I figured I better place a firewall on this computer so I downloaded ZoneAlarm. After the installation it required me to reboot. It rebooted, I went to log onto the user's account, and the machine immediately rebooted again. Now in Normal Mode, I can't run ZoneAlarm, Avast, Avg. I started with the same process of going to the registry and deleting the process that kept restarting itself, and to the Windows/System32 directory to delete it. I kept seeing "Connect2Party" in the Windows/system32 directory and kept deleting it.
Characteristics of the malware:
1. After deleting it from the Registry and Windows/System32 directory, in Safe Mode, it renames the process in Normal Mode
2. Won't let me run any of the following in Normal Mode:
a. Avast
b. Avg
c. ZoneAlarm
d. Windows Updates
3. In Safe Mode HiJack This shows clean
Spybot shows clean
Avast shows clean
How do I get rid of malware that keeps changing its .exe name, and the corresponding Process name?
I can't reformat the drive; the user doesn't have any way to back up their data on the machine.
What other options have I overlooked?
Any and all help is welcomed. Thank you in advance. All answers, warranting good ideas, will be awarded points.