Trojan.Agent-68 Not Removable?

evermorian
Joined: 03 Oct 2007
Posts: 0
Location: Phoenix, AZ USA
Posted: Wed Oct 03, 2007 10:32 pm
I am trying to clean up an infected system. I used a custom-built Windows PE boot CD and scanned the local drives with Clamwin (current defs, etc.). It reported various infected files, including:
C:\Documents and Settings\Home User\Application Data\Mozilla\Firefox\Profiles\sz1nxf4x.default\Cache\069CD5C0d01: Trojan.Downloader-12904 FOUND
C:\pagefile.sys: Trojan.Agent-68 FOUND
C:\Program Files\Online Video Add-on\icthis.exe: Trojan.Downloader.Zlob-1541 FOUND
C:\System Volume Information\_restore529242CE-84E6-4375-B922-5E9F77A96781\RP307\A0082514.exe: Adware.180Solutions-16 FOUND
C:\System Volume Information\_restore529242CE-84E6-4375-B922-5E9F77A96781\RP347\A0084159.dll: Adware.Hotbar-2 FOUND
C:\System Volume Information\_restore529242CE-84E6-4375-B922-5E9F77A96781\RP347\A0084185.exe: Adware.180Solutions-16 FOUND
D:\20061014 XXXXXX 1HD\Documents and Settings\XXXXX\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-38ee7e53-6640bfd2.zip: Trojan.Gummy.Bytverify FOUND
D:\20061014 XXXXXX 1HD\Documents and Settings\XXXXX\My Documents\Games\DESKTOP.exe: Joke.Stressreducer-3 FOUND
(Some file identifiers redacted to protect the irrelevant.)
I deleted the infected files. I removed anything I didn't recognize from the RUN and RUNONCE keys in the registry. I removed everything from the startup group, did a web search for several of the items, ran VundoFix.exe and f-vmonde.exe on the system, and booted in safe mode. AVG found several core Windows files (kernel32.dll, user32.dll, and ntoskrnl.exe) had "incorrect file sizes." Just to be safe, I replaced them from a known-clean machine.
After all the clean-up, the machine scans as clean with Clamwin. I reboot into Windows, shut down, reboot from the CD, rescan, and pagefile.sys is once again infected with "Trojan.Agent-68."
I will likely just be doing a clean restore on the system. Out of curiosity, though, I'm wondering if anyone has any more information on, or knows how to get rid of, this Trojan.Agent-68. It's pretty odd to find one with so little information available that's so difficult to kill.

sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
Posted: Thu Oct 04, 2007 11:54 am
pagefile.sys is the swap area; it contains parts of Windows memory (so you may have the virus itself, signatures, etc.) and it doesn't get deleted when you shut down / reboot.
There is a registry key to zero the file at shutdown/reboot, but I don't suggest you use it.
Just start with the WinPE CD and delete the file; Windows will create a new one.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Oct 04, 2007 2:20 pm
You might want to turn off System Restore in case the malware is also in there; you wouldn't want to later restore your system and get it again. Create a new restore point when you are sure there's no malware. Below is a good list of places on the Web where you can get help if it's a really tough little bug.
https://www.malwarecomplaints.info/viewtopic.php?t=63&sid=dc1eaf765f2fe21ceb18a363e931159b
Regards,

evermorian
Joined: 03 Oct 2007
Posts: 0
Location: Phoenix, AZ USA
Posted: Thu Oct 04, 2007 4:27 pm
Thanks for the replies.
Sherpya, I guess I wasn't clear: I have been booting from a Windows PE disc and deleting the pagefile.sys. I reboot into Windows XP, Windows creates a new pagefile.sys. I shut down and boot from the Windows PE disc and re-scan with Clamwin. Pagefile.sys is infected with the same agent again. Clamwin shows no other infected files on the machine.
By the way, I am using several of your Windows PE plug-ins. Thank you for all of your hard work.
GuitarBob, I turned System Restore off on the machine first thing.

sherpya
Joined: 22 Mar 2006
Posts: 0
Location: Italy
Posted: Sat Oct 06, 2007 2:37 am
Since ClamWin doesn't detect the virus anywhere else on the disk anymore, I suspect that the ClamAV virus DB somehow goes into the pagefile, so you get the virus pattern match.

evermorian
Joined: 03 Oct 2007
Posts: 0
Location: Phoenix, AZ USA
Posted: Mon Oct 08, 2007 10:22 pm
Clamwin is not installed on the system itself. I am only running it from a PE disc. So, it is not present when the pagefile.sys is becoming infected.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Oct 08, 2007 10:58 pm
It is my understanding that most of the better known AV software now does a pretty good job at Trojan removal. This has caused some of the dedicated anti-trojan programs of a few years ago to get out of the business.
You might try one of the commercial antispyware programs. Most of them have trial versions available, and some of them are pretty good at removing specific trojans.
Ewido was pretty well thought of. It was purchased by Grisoft (AVG) and forms the basis for their Antimalware program, which is available in a trial version. I believe there is also a free version available that defaults to lower functionality after the trial period.
Regards,

rhodescus
Joined: 30 Nov 2006
Posts: 0
Location: Westminster, CO
Posted: Sun Oct 21, 2007 6:10 am
This is an old thread, but I thought I'd throw in a couple of observations. Windows writes all loaded code into the pagefile. A lot of the malware is repackaged on different sites.
This sounds like a file infecting virus reloading data theft software into memory on reboot. You must reinstall windows if you haven't. If you just gave up and figured it was a false positive, that's a bad way to go.
If you had a baseline system like a VM with the same versions of installed software, and you compared the filesets offline, you'd likely find a number of interesting things.
Sorry if this is way too late, but that kind of software sometimes comes down with the ZLOB installer, is very stealthy, and may be packaged with the mostly-just-irritating 180/ncase crap to look more benign. Seriously, I see zlob on a client machine and I wipe and reinstall. YMMV.
Thanks,
Chris
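The offline fileset comparison rhodescus suggests, written up as an added example (not code from the thread or from ClamWin): both trees are hashed and diffed, and changed files that kept their original size are reported separately, since a size-only check like the one AVG reported would miss them. The directory layout and file contents in demo() are constructed for illustration; the icthis.exe path mirrors the one in the scan output above.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to (size, sha256 hex)."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return result


def compare_filesets(baseline_root, suspect_root):
    """Diff the suspect tree against a known-clean baseline: files added, files
    missing, files whose content changed, and the changed files whose size did
    not change (a size-only check, as reported in the thread, would miss those)."""
    base, susp = hash_tree(baseline_root), hash_tree(suspect_root)
    modified = sorted(p for p in base.keys() & susp.keys() if base[p][1] != susp[p][1])
    return {
        "added": sorted(susp.keys() - base.keys()),
        "missing": sorted(base.keys() - susp.keys()),
        "modified": modified,
        "same_size_modified": [p for p in modified if base[p][0] == susp[p][0]],
    }


def write_tree(root, files):
    """Create the constructed sample files under root."""
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Constructed trees: clean baseline vs. suspect with one same-size change and one extra file."""
    tmp = Path(tempfile.mkdtemp())
    clean = {"WINDOWS/system32/kernel32.dll": b"K" * 64,
             "WINDOWS/system32/user32.dll": b"U" * 64}
    write_tree(tmp / "baseline", clean)
    suspect = dict(clean)
    suspect["WINDOWS/system32/user32.dll"] = b"U" * 63 + b"X"  # same size, different bytes
    suspect["Program Files/Online Video Add-on/icthis.exe"] = b"MZ-constructed"  # path from the thread
    write_tree(tmp / "suspect", suspect)
    return compare_filesets(tmp / "baseline", tmp / "suspect")
```

On a real case the two roots would be the mounted suspect volume and a clean install of the same Windows and application versions, both read from the WinPE environment so nothing on the suspect system is running.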

evermorian
Joined: 03 Oct 2007
Posts: 0
Location: Phoenix, AZ USA
Posted: Mon Oct 22, 2007 9:57 pm
Thanks for the reply. I did finally get the machine to stop re-infecting the pagefile.sys on every reboot. I got more aggressive about disabling things loading on boot and finally found the one that was infected (well, narrowed it down to something in a RUN registry entry anyway).
I had already tried the AVG (Ewido) anti-malware package on the machine and had it fail to correct the problem before reading GuitarBob's last post (though I appreciate the suggestion).
My general policy is that once a machine has been compromised, you can never be sure it is clean without a re-install. So, I backed up all the data from the system, and restored from the image I created when I built the machine (patched, reinstalled apps, etc.). Then, I went over how to reduce your chances of infection with the user (keep patches up-to-date, don't use IE to browse the web, turn off JavaScript and Java when visiting questionable sites, don't open executable email attachments or MSFT Office documents, don't download warez, etc.).

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Oct 22, 2007 10:27 pm
I'm glad you fixed it. I have suggested to the ClamWin team that they provide additional functionality that would enable a user to upgrade Windows security. If enabled, a user would be able to do it in ClamWin instead of having to do it via Security Center, Internet Explorer, etc.
Regards,
Powered by phpBB © phpBB Group
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.