Hi there,
First, my apologies for a wall of text up front... Hopefully it's all useful information.
I've currently got some virus on my machine that creates other Trojans. The ultimate (noticeable) effect is that IExplorer.exe will randomly start up and go to an advertisement. More often than not, the process name is kBrp0553.exe, if that's of any use. At this point, I've disabled the IE application through Control Panel -> Add/Remove Programs -> Windows Components. However, I still see the process pop up, in the process tree emanating from "services.exe". Additionally, it's opening TCP connections to many IP addresses, which I'd be happy to share if it would provide any use. Most seem fairly random, though, spanning from "unknown.nscnap.net" to Yahoo IPs, and they're fairly dynamic, changing relatively quickly. I'm using Process Explorer to determine this.
After noticing this effect, I've begun trying to clean my system. I started using Trend Micro's Housecall, which found a Trojan and supposedly cleaned it. This had no effect; the popups continued. Next I moved to AdAware and a full (legal) installation of Symantec Antivirus. Symantec periodically finds new Win32.Agent.ahdb and Win32.BHO.pe (I've used the Kaspersky names; the Symantec equivalent to Agent.ahdb is Trojan.Flush.G) viruses that didn't exist during the last scan, even while the computer's idle, i.e. I leave the machine on overnight with nothing but background processes and then run a scan the next morning, boom, new Trojan. Recently I've tried Kaspersky Online Scan, which found my quarantined files from Symantec, but nothing else.
I've tried using HJT, and haven't noticed anything outstanding in the log, but I'm not an expert by any means. I've also used SDFix, Microsoft Windows Malicious Software Removal Tool, Look2Me-Destroyer, XoftSpySE, ComboFix, and SpyZooka, all to no avail. I also ran Malwarebytes, which found some Weatherbug registry keys in addition to another set of Trojan.BHO and Trojan.Agent, which were probably just new instances of what Symantec AV has been removing periodically. At this point, I'm still getting the popup processes.
I'm pretty frustrated and about to throw in the towel and just re-install Windows, but I was hoping maybe someone had an idea that might help save me that pain.
I've attached my HJT, ComboFix, and SDFix logs, since those are the ones I'm not sure I fully understand.
Sorry for the essay, but I figured most of this information might be useful.
Thanks in advance for any help you can render!