Infected Files Regenerating in Temporary Internet Files and System32 folders

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by vordhosbn, Mar 3, 2010.

  1. vordhosbn

    vordhosbn Private E-2

    Hi,

    Some malware has been giving me constant grief for the past few weeks. I've spent a lot of time trying to unsuccessfully solve this myself and am now at a loss for how to proceed. Symptoms as follows:

    Whenever I'm connected to the internet, avast keeps detecting infected files in a couple of places on my hard drive. Most commonly, they're files with false extensions that appear in my Network Service folder's Temporary Internet Files, e.g.:
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5EMN1H8B\zhwh[1].gif
    These seem to get created every couple of hours when I'm connected, regardless of whether or not I have a web browser open. avast will delete these files, but they'll reappear later with a different filename and extension (always something like .gif .bmp .jpg etc).
    Slightly less frequently, avast detects an infected file at C:\WINDOWS\system32\x. Again, avast successfully deletes this file, only for it to regenerate later (filename is always the same for this one).

    This has been a problem now for about a month (see attached avast log from Jan 29 2010 - I'm not sure if it's relevant that avast at first recognised the infection as Win32:Confi [Wrm], but is now picking it as Win32:Rootkit-gen [Rtk]). I suspect a couple of potential sources from around that time:
    1) A flash drive that was infected by a colleague's PC (when I plugged it into my computer avast detected a mass of viruses - I'd hoped avast intercepted everything but maybe not)
    2) A keygen that I foolishly ran in a fit of frustration - this and the associated software (which was actually legitimate) has since been deleted from my drive.

    Anyway, I've followed the "Run & Read Me" a couple of times now, and all requested scans are attached, with an avast log from the beginning of 2010. I've included my external drive (K: ) in most of the scans as it's almost always connected to my laptop and I have the bulk of my data and programs installed on it (my resident HDDs are tiny). It's also likely to be the original source of the problem in the case of 2) above. That said, the infected files regenerate and are detected by avast with or without my K:\ drive connected.

    Aside from the requested scans, I've also previously run full scans with: avast; Spybot S&D; Dr Web CureIt; GMER; F-Secure BlackLight; RootkitBuster; Sophos Anti-Rootkit. Nothing seems to get picked up aside from a few tracking cookies etc. and my symptoms persist. RootRepeal shows up an MBR rootkit on my K: drive, which I haven't been able to remove, but I'm not sure if this is a false positive, as no other scan seems to pick this up. RootRepeal also seems to do some weird things when it's scanning my external drive: a lot of the file paths that it's scanning don't actually exist on the drive (for example, in the RRlog, all of the .jpgs in the K:\DARKEYE folder aren't actually in the DARKEYE folder - those .jpgs all exist, but not at that path. Same goes for all of the folders/files that the RRlog identifies in K:\Movies\....). At the end of the RootRepeal scan, I also get a list of errors about "Could not enumerate files in..." (see error log attached).

    One other thing - not sure if it's related. I'm getting a lot of svchost application errors at the moment, which causes explorer to lock up and means I have to do a force shutdown. On booting back up I often get a Data Execution Prevention message telling me that "General Host Process for Win32 Services" has been prevented from running. I'm sure this has happened to me in the past, before the above issue of the infected files, but nowhere near as frequently as it is at the moment (maybe once or twice a day).
     


  2. vordhosbn

    vordhosbn Private E-2

    Other attachments...
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. RootRepeal is giving you a false positive on your external drive. I suggest that you run both CCleaner as well as ATF Cleaner by Atribune.

    Tell me what issues you are having.
     
  4. vordhosbn

    vordhosbn Private E-2

    Thanks for the reply, Tim. Much appreciated.

    I've just completed CCleaner and ATF Cleaner with all available options checked (they cleared 3.2 MB and 3.8 MB respectively).

    I'd previously run CCleaner a few times, including as part of the "Run & Read Me" procedure, and the problem was still there afterward.

    To expand a bit on the info in my original post, avast (real-time scanner) keeps finding infected files in my Temporary Internet Files (Network Service, not my profile), and also an infected file at C:\WINDOWS\system32\x. I delete them each time, but they reappear a few hours later if I'm connected to the internet (I don't need to have a browser open or be doing anything active on the web - I just need a live connection). The system32\x file often seems to be detected immediately after the Temporary Internet Files one. Doesn't seem to matter how many virus scans I do or how many times I purge all my temporary files, the infected files keep reappearing (with a different filename in the case of the Temporary Internet Files one). As per instructions, I've set it so I can see hidden and system files - figured this may be important since the infected files are in the Network Service folder.

    avast finds viruses in these files, but it's obviously missing whatever corrupted file(s) there is on my system that's generating them.

    If it's of any interest, SAS found two of the Temporary Internet Files viruses in the scan I ran during the XP cleaning procedure (see SAS log in my first post). These files would normally get picked up by the avast real-time scanner, but I assume avast only identifies them once they activate or attempt to do something malicious, which means they must sit dormant in Temporary Internet Files for a short while after they're generated (?).

    I've got to head out for a few hours now, but will leave this connected to the internet to see if the infected files reappear after the latest CCleaner and ATF Cleaner runs - will post back to advise.

    Thanks again for your help!
     
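    The pattern described in the posts above (an executable dropped into the NetworkService Content.IE5 cache under an image name like zhwh[1].gif, with a new name each time) can be checked for without waiting for the real-time scanner to fire: compare each file's header bytes with what its extension claims. The script below is an added example written for this thread, not a tool from the original posts or from MajorGeeks; it assumes Python is available (or that the cache folder has been copied to a machine that has it) and builds its own constructed sample cache in a temp directory so it runs offline. The file signatures are the standard GIF/BMP/JPEG/PNG magic values, and the "MZ" check flags anything that is really a Windows PE file.

```python
import hashlib
import os
import tempfile

# Standard file signatures for the extensions the dropped files used as a disguise.
# (Well-known magic values; nothing here is taken from the thread's logs.)
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def classify(path):
    """Return (verdict, first_bytes_hex) for one file.

    verdict is one of:
      'ok'        header matches the extension
      'pe'        file starts with 'MZ': a Windows executable dressed as an image
      'mismatch'  header does not match the claimed image type
      'unknown'   extension is not one we check
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(16)
    if ext not in MAGIC:
        return "unknown", head[:4].hex()
    if head.startswith(b"MZ"):
        return "pe", head[:4].hex()
    if any(head.startswith(m) for m in MAGIC[ext]):
        return "ok", head[:4].hex()
    return "mismatch", head[:4].hex()


def sha256_of(path):
    """Hash the file so the sample can be looked up / submitted without re-reading it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_cache(root):
    """Walk root (e.g. the NetworkService Content.IE5 tree) and return a sorted list of
    (relative_path, verdict, sha256) for every file whose content does not match its
    image extension. Files whose header matches the extension are not reported."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict, _ = classify(full)
            if verdict in ("mismatch", "pe"):
                findings.append((os.path.relpath(full, root), verdict, sha256_of(full)))
    return sorted(findings)


def build_sample_cache():
    """Constructed sample data (not real malware): a fake cache folder holding one
    genuine GIF header, one PE stub renamed to .gif like the file in the thread, and
    one .bmp whose header is wrong for the extension. Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="content_ie5_")
    sub = os.path.join(root, "5EMN1H8B")
    os.makedirs(sub)
    with open(os.path.join(sub, "real[1].gif"), "wb") as f:
        f.write(b"GIF89a" + b"\x00" * 32)              # looks like a real GIF
    with open(os.path.join(sub, "zhwh[1].gif"), "wb") as f:
        f.write(b"MZ\x90\x00" + b"\x00" * 60)          # PE header, not a GIF
    with open(os.path.join(sub, "junk[1].bmp"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 16)             # wrong header for .bmp
    return root


if __name__ == "__main__":
    cache = build_sample_cache()
    for rel, verdict, digest in scan_cache(cache):
        print(f"{verdict:8} {rel}  sha256={digest}")
```

    Point it at the real cache (for the poster's case, C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5) and anything reported as "pe" is the dropped payload, worth hashing and keeping a copy of before the AV deletes it; a "mismatch" hit is only suspicious, since browsers do cache mis-labelled images. Note this only finds the dropped files, not the process that keeps writing them.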
  5. vordhosbn

    vordhosbn Private E-2

    OK, I've been connected for 12 straight hours now and no infected files have appeared in either of the problem locations (avast hasn't picked anything up and I've also manually checked the folders for suspect files). That's the longest clear patch I've had in over a month, which is great.

    It may still be a little early to count my chickens but ATF Cleaner might have done the job. I'll leave it connected overnight and through tomorrow - if it makes it that far without a recurrence, I'll be pretty happy that I'm in the clear. Will post back with results.

    Also, thanks for confirming the false positive on the external drive.
     
  6. vordhosbn

    vordhosbn Private E-2

    I seem to be clean! 36 hours on line with no problem, so hopefully that's the end of it. ATF Cleaner must've cleared out some nasties that CCleaner didn't - Java cache maybe?

    Must admit it feels kind of unsatisfying (and more than a tiny bit embarrassing) that a few seconds' cleaning was all it took to get rid of such a persistent and annoying problem. :)

    Thanks heaps - appreciate your help, and think it's awesome what you guys do here.
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  8. vordhosbn

    vordhosbn Private E-2

    Done. Cheers.
    :)
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.....safe surfing. :)
     
