I'll try to be brief but thorough. I am an intermediate computer user and know my way around Windows. My machine is a Pentium 4 with 512 MB RAM running Windows XP Pro SP3. This is a work computer connected to a small office network.
Prior to the infection, I was not running any anti-virus software. I scan regularly with Super Antispyware and Malwarebytes. System Restore and Automatic Updates were turned OFF.
Last week I noticed that several instances of iexplore were running as processes in the background and suspected that something was wrong because I NEVER use IE, only Firefox. After complete scans with SAS and MWB, the iexplore was still running in the background. At that point I downloaded Spybot - Search and Destroy, and I believe I unfortunately downloaded a nasty virus at the same time.
Symptoms:
1. Regedit is disabled. I found a script online that will turn it on so I CAN access it, but after a couple of minutes, the registry is changed and it is disabled again.
2. Tweak UI is disabled.
3. "Folder Options" in the Tools menu is disabled in Explorer, and the settings for "show hidden files" and "show file extensions" are turned off. So I can't browse the system files to look for anything without getting into the registry and turning them back on.
4. An errant .exe file is everywhere. It is a random mix of letters and numbers. It has appeared as "sm346llr.exe" and "vp6tr6cxa.exe"; currently it is "cfqiia2x.exe". Two instances of it are running at all times. When I click "end process" it disappears for a split second and then appears in the list again. It is listed in the startup tab under msconfig. I tried un-checking it in msconfig and then re-booting. It simply comes back, sometimes as a different name. The file shows up in the registry under HKCU\Software\Microsoft\Windows\Currentversion\Run. When I try to delete it from the registry, it simply reappears. It is also located in the Docs and Settings\current user\Local Settings\Temp folder.
5. I believe other processes that look like system processes are bogus, like winlogon.exe, services.exe, lsass.exe, csrss.exe, etc. I know these are legit system processes, but when I run the scans, they are detected as illegitimate files.
6. The computer has slowed significantly because all of the processes are hogging memory.
7. A weird popup appeared this morning that said "Thank you for use iexplore".
I have since installed Avira Antivirus. I did a complete scan today. It found several trojans, but was unsuccessful in cleaning them out. I also cannot start the "Guard" feature in Avira. It is listed in Windows services as automatic, but it does not start at bootup or when Avira starts. When I try to start the service manually, Windows tries to start it and then it stops on its own. I suspect the virus is preventing this.
Everything I have tried so far has failed. The virus is listed by SAS and MWB as smitfraud variant-Gen/Bensorty. Avira found TR/Patched.AA.522 Trojan.
Below are the logs from Super Antispyware, Malwarebytes, Avira, and the most recent Hijack This log.
Any help would be very much appreciated.
~Chris
[attachment deleted by admin]