Let Me Introduce The Ultimate Undetectable Trojan/Rootkit

Discussion in 'malware problems & news' started by adiels, Jun 4, 2008.

Thread Status:
Not open for further replies.
  1. adiels

    adiels Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    5
    Ok... I am not a noob, in fact I do consider myself an expert when it comes to viruses and trojans, but recently at my office I have encountered the stealthiest and toughest trojan/rootkit of all time.
    It's the RECYCLER trojan. I have been searching for any info about this and although I have found a lot of people reporting it, no antivirus/antispyware detects it. I have used Avira, AVG, McAfee, Kaspersky, Spyware Doctor, Webroot Spy Sweeper, Spybot, SUPERAntiSpyware and none detects it.
    The problem is on 5 systems running XP Pro SP2 with NTFS. FAT32 is safe.
    Normally I do not need antivirus or antispyware to remove a trojan; I know every place from where a trojan can start with Windows. But there is NO place in the registry where I found any entry for this trojan. Most of the people who are reporting this have an autorun.exe or autorun.inf on their root drives from where this trojan is executed, but on my PC there are no such files. I have used IceSword for this in case Windows is unable to show me any file, although I have set Windows to show me even the superhidden files. But there is no such file on my root drive. When I open the RECYCLER folder there is an icon of a recycle bin with the following name

    S-1-5-21-606747145-1770027372-839522115-1005
    or sometimes there are two icons and the second one is
    S-1-5-21-606747145-1770027372-839522115-1004

    When I open this recycle bin it directs me to the normal Windows Recycle Bin, but through IceSword I have accessed the real files inside it and they are

    Info.exe
    desktop.ini

    Although I have manually removed the RECYCLER folder many times, whenever I delete ANY file the folder reappears. I have searched and searched in the registry for any suspicious entry but I didn't find one. And believe me, I have searched EVERY starting point a trojan can use.
    So is this the ultimate hiding machine or what?? That I cannot see its registry entries even with a great program like IceSword??
    What is making me mad is that I cannot even find how it is starting with Windows in the first place, because there is no entry and no autorun file... then how is it doing this?? I have disconnected my PC from the network, hoping that it somehow copies itself from other computers, but that's not the case; it has some file on my PC that I cannot see and antivirus can't detect. One thing more: when I access any of the infected PCs through the network, although I can access the PC, I cannot access the Windows, Program Files and Documents and Settings folders; everything else, like other drives, is accessible. So I cannot see these folders through the network, and I think if and only if I can do that then maybe I will be able to see the malicious file.

    I can always do a low-level format and solve this issue, but it's kind of hurting my ego. I have removed so many trojans manually and now this undetectable thing is destroying my ego. Besides, I have read in some places that this thing doesn't go away even after formatting. So I want to know what this is, why it is able to bypass antiviruses and antispywares, how it is starting with Windows and so on.
    My hijackthis and combofix logs are attached.

    Can anyone help me??

    ~Logs removed per Policy - Ron~
     
    Last edited by a moderator: Jun 4, 2008
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,

    Except for the quirky thingie you see in the Recycle Bin, what else? Any symptoms?

    Now, solution:

    Boot from live CD (Ultimate Boot CD for Windows, for instance).

    Access drive C.

    Delete strange items (info.exe etc).

    Look for strange entries in unusual places. Maybe there's a rootkit or something replacing the missing files, so look for folders that do not exist in normal boot and see if there are any culprits there. Google for strange things.

    Oh, use rootkitty (UBCD4WIN tool) once booted in Windows, once from live CD, then compare the two files. It will give you an output of all differences. You'll be able to spot strange new .dlls and .sys files and such.

    Google if you're unsure. But normally, there should be no strange drivers that rootkitty cannot see normally. Still, be careful!

    Once sure, delete these as well.

    Reboot, clean up remnants, enjoy ...

    Beware of killing your machine - back up your data!

    Mrk
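    A small script for the compare step Mrk describes: two file listings of the same volume, one taken from inside the running Windows and one from the live CD, diffed so that anything the online view does not show stands out. This is an added example, not a tool from the thread; the listings are constructed and the hidden driver path is hypothetical.

```python
"""Cross-view diff: compare a file listing taken inside the running
(possibly rootkitted) Windows with one taken from a live CD of the same
volume. Files that the offline view sees but the online view does not are
candidates for a rootkit hiding them. Both listings below are constructed."""

# Constructed sample: what dir/Explorer reported from inside Windows
ONLINE_LISTING = """\
C:\\RECYCLER\\S-1-5-21-606747145-1770027372-839522115-1005\\desktop.ini
C:\\WINDOWS\\system32\\kcom.sys
C:\\WINDOWS\\system32\\RunDLL32.EXE
"""

# Constructed sample: the same volume listed from the live CD
# (hidden_example.sys is a hypothetical name, not a real indicator)
OFFLINE_LISTING = """\
C:\\RECYCLER\\S-1-5-21-606747145-1770027372-839522115-1005\\desktop.ini
C:\\RECYCLER\\S-1-5-21-606747145-1770027372-839522115-1005\\Info.exe
C:\\WINDOWS\\system32\\kcom.sys
C:\\WINDOWS\\system32\\RunDLL32.EXE
C:\\WINDOWS\\system32\\drivers\\hidden_example.sys
"""


def parse_listing(text: str) -> set[str]:
    # NTFS paths are case-insensitive, so normalise case and separators
    return {line.strip().lower().replace("/", "\\")
            for line in text.splitlines() if line.strip()}


def cross_view_diff(online: str, offline: str) -> dict[str, list[str]]:
    on, off = parse_listing(online), parse_listing(offline)
    return {
        # seen offline only: hidden from the running OS (rootkit suspect)
        "hidden_online": sorted(off - on),
        # seen online only: phantom entries, e.g. redirected folders
        "missing_offline": sorted(on - off),
    }


def executable_paths(paths, exts=(".exe", ".dll", ".sys")):
    # The drivers, DLLs and executables are the ones worth looking up first
    return [p for p in paths if p.endswith(exts)]


if __name__ == "__main__":
    diff = cross_view_diff(ONLINE_LISTING, OFFLINE_LISTING)
    for path in executable_paths(diff["hidden_online"]):
        print("hidden from online view:", path)
```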
     
  3. adiels

    adiels Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    5
    Thanks for the reply. I have booted from Hiren's Boot CD and browsed with DOS-based file managers, but the problem is that there is NO autorun.exe or autorun.inf file anywhere.
    The trojan is somehow uploading some data at high rates, thus consuming bandwidth and choking it. I have to restart my router many times.
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Send the info.exe file to Avira and maybe they will add a definition and you can heal your PC.
     
  5. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    I'm afraid you got an infected FlashGet file via the FlashGet updater.
    I think you have to verify kcom.sys (known as TR/Dldr.Agent.Khg --> Avira) and rose.exe (known as W32/Setrox-A --> Sophos).
     
  6. adiels

    adiels Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    5
    @DevilFrank

    Thanks for this tip about rose.exe. That did seem suspicious to me, but I think I was so frustrated by that time that I kind of skipped that file. I will check this and then post about it.
     
  7. adiels

    adiels Registered Member

    Joined:
    Jun 4, 2008
    Posts:
    5
    Ok.. I have checked both files.
    kcom.sys is the driver installed by PC Tools Spyware Doctor and is therefore clean.
    About rose.exe, only one reference in the registry is found, which is

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ddffa17c-15bf-11dd-9ae1-001cc01b73b8}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe

    I have removed rose.exe from that registry entry and checked that it has not come back. Other than that, no file with the name rose.exe is found on my PC. I have checked with IceSword and indeed there is no rose.exe file on my PC.

    It's getting weird... any more suggestions??
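    The MountPoints2 entry above is a per-volume autorun: Explorer stores a Shell\AutoRun\command under HKCU for each removable or mapped volume it has seen, and that command runs when the drive is opened, which is why no Run key or autorun.inf turns up. A triage script for that key, added here and not from anyone in the thread: export the key with regedit or `reg export` and feed the .reg file to it. The sample export is constructed; only the GUID and the command text come from the post.

```python
"""Find Shell\\AutoRun\\command entries in a .reg export of
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2.
The sample export below is constructed for illustration."""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ddffa17c-15bf-11dd-9ae1-001cc01b73b8}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ddffa17c-15bf-11dd-9ae1-001cc01b73b8}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL rose.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}]
"BaseClass"="Drive"
"""

# Matches the key line of a volume's AutoRun command subkey and captures its GUID
AUTORUN_KEY = re.compile(
    r"^\[.*\\MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\AutoRun\\command\]$", re.I)


def unescape_reg(value: str) -> str:
    # .reg string values escape backslash and double quote with a backslash
    return value.replace('\\"', '"').replace("\\\\", "\\")


def find_autorun_commands(reg_text: str) -> list[dict]:
    """Return one record per volume GUID whose AutoRun\\command default is set."""
    hits, current = [], None
    for line in reg_text.splitlines():
        m = AUTORUN_KEY.match(line.strip())
        if m:
            current = m.group(1).lower()
            continue
        if line.startswith("["):
            current = None  # moved on to some other key
        elif current and line.startswith('@="') and line.endswith('"'):
            cmd = unescape_reg(line[3:-1])
            hits.append({
                "guid": current,
                "command": cmd,
                # rundll32 + ShellExec_RunDLL launching a bare file name is the
                # pattern from the post: the target resolves relative to the volume
                "via_shellexec": "shellexec_rundll" in cmd.lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in find_autorun_commands(SAMPLE_REG):
        print(hit["guid"], "->", hit["command"])
```

    Any GUID reported here should be matched against the volume it belongs to (the same GUID also appears as a subkey with a "BaseClass" value) before the command value is removed.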
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    A friend had a trojan from downloading and installing a particular program. The AV detected the virus and displayed its location (something along the lines of C:/$recycler$#%^).

    I suspected it was still there. Avira (running for a month), CureIt several times, SAS, Malwarebytes on-demand scans. ThreatFire, its AV and rootkit scans, several times. All clean.

    Nothing unusual appeared as a running process or in the registry.

    I later found his internet usage was higher than usual.

    I decided to trial Sunbelt's new spyware/anti-virus program VIPRE (still in beta stage) as it also has their CounterSpy spyware engine built in. http://beta.sunbelt-software.com/viewtopic.php?t=6770

    This performed a deep scan and detected a portable version of the instant messaging program Pidgin (now reported on their forums as a false positive). Otherwise all clean. The next time his system booted up, VIPRE performed a boot scan which found a Trojan Bancos file and quarantined it.

    The Trojan Bancos variant receives the highest threat rating, as it monitors internet usage and sends the details back to the attacker.
    http://www.threatexpert.com/threats.aspx?find=bancos&x=0&y=0

    I was surprised it had gone undetected with the number of programs run.

    This reinforces that several programs might need to be run to remove a stubborn trojan/virus. This VIPRE program might later miss malware that SAS, Avira, and the rest will detect, but it's worth a shot letting it scan a few times and letting it run its boot scan. But the same can be said for every AV program (Dr Web, Avira, Avast, Kaspersky and so on). Try another AV program in safe mode.
     
    Last edited: Jun 4, 2008
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Adiels,
    Can this malware be removed by
    1. Zeroing my HDD and
    2. Restoring a clean image ?
    Or is this malware stored in hardware components other than HDDs, like the motherboard or VGA card or ...?
     
    Last edited: Jun 4, 2008
  10. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    Does a HijackThis scan run from your Hiren's Boot CD show anything?
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,083
    Location:
    Texas
    https://www.wilderssecurity.com/showthread.php?t=42148
     