Bug destroys SpybotSD, TeaTimer, and other system protection

stsvid

New member
I have a bug in my system which is not detectable by SpybotSD, and more than that, the bug effectively destroys SpybotSD. I got it with freeware downloaded off the Internet on 12/31/07. I can't find the executable. I think it uses svchost.exe and iexplorer.exe. It starts on Windows startup and in a couple of minutes it creates a folder in C:\windows\exefld. Then it downloads 2 executables to this folder named with numbers only, like: 9047842.exe. Then it sleeps for about 4 hours and downloads more. These executables periodically pop up with IE advertisements.

I noticed that if, immediately on startup, I suspend the iexplorer.exe process run by svchost.exe, the executables are not downloaded any more. Blocking svchost.exe makes the system unresponsive. During infection the bug cleaned my system by deleting some executables, including the hardware monitor, AVG, SpybotSD and TeaTimer, plus it removed all references from the registry.

I tried to install SpybotSD on top, though as soon as SpybotSD.exe and TeaTimer.exe are placed into the directory they are deleted by some process. To work around it I installed SpybotSD on another computer, renamed the executables, copied all updates and both files, and ran them on the infected computer. After the scan SpybotSD congratulated me with a "no spy found" message. But as soon as I copied the exec files and renamed them to SpybotSD.exe and TeaTimer.exe they got deleted. I also cannot switch to Windows Safe Mode; it chokes on one of the *.sys files, but restarts fine in regular mode. The registry does not have any references to anti_troj.exe or FirstRRRun.

Any help would be appreciated.
 