Author Topic: srsdllpro / siszyd32 / Win32:Small-NDO / svchost at 50% cpu - help


Exothermic

Greetings,
Hope someone can help. I can't find enough information on my issues online, and I have run out of ideas.

I'm running Windows XP SP3. I'm fairly computer savvy, and I have Process Explorer pop up on startup and usually notice pretty quickly if something is amiss.

This all started yesterday while browsing the interwebs on Firefox 3.5.5. Avast gave me these two alerts, to which I aborted the connection and deleted files:

2009-12-15   14:45:12   1260909912 SYSTEM   1304   Sign of "Win32:Small-NDO [Trj]" has been found in "C:\WINDOWS\TEMP\~TMD4.tmp" file. 
2009-12-15   14:45:28   1260909928 SYSTEM   1304   Sign of "Win32:Small-NDO [Trj]" has been found in "C:\WINDOWS\TEMP\~TMD5.tmp" file. 

At a later point I noticed CMD.exe running at 50% CPU and srsdllpro.exe or some other DLL as a descendant if I remember correctly. I killed both and sometime later restarted the computer. At this point I discovered srsdllpro.exe running. I killed it and did some research and realized that I had a security breach. The date srsdllpro was created was about 8 seconds after Avast detected Win32:Small-NDO.

Very little information out there on srsdllpro:
http://www.threatexpert.com/report.aspx?md5=7929718fb45fad85244d9a4cf2ab1ab4
http://comprolive.com/remove/harmful/exe/srsdllpro-exe

It's called Sandboxie Start in the exe properties, and also uses the same icon as this program:
http://www.sandboxie.com/


I deleted:
C:\Windows\srsdllpro.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData
HKEY_CURRENT_USER\Software\Microsoft\InetData

I originally did not find C:\Windows\System32\abcdefg.bat. I just now found C:\Windows\System32\fjhdyfhsn.bat which I deleted. It was also created within seconds of srsdllpro. The contents of this file:

@echo off
:try
@del /F /Q "C:\Program Files\Internet Explorer\iexplore.exe"
if exist "C:\Program Files\Internet Explorer\iexplore.exe" goto try


I found windows firewall service to be turned off as was described at the above links. I have turned it back on, and it seems to be running normal since. I examined start up programs in MSCONFIG and discovered suspicious entries for:
srsdllpro
siszyd32
rundll32.exe "C:\WINDOWS\unotovunikanujuq.dll",Startup


The unotovunikanujuq.dll is dated from 2006/2008 so I don't see how it is involved with the current attack, but I have never seen it before, there is no information on the internet about it, and it looks really suspicious. I disabled all of these.

Siszyd32 of course does not actually exist at C:\Documents and Settings\Joel\Start Menu\Programs\Startup\siszyd32.exe. But it continues to re-enable itself in the startup list. I found a registry reference for the siszyd32 location in this key which I deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Joel^Start Menu^Programs^Startup^siszyd32.exe
HKEY_USERS\S-1-5-21-1935655697-1767777339-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache

Of course I updated Avast and did a boot time scan overnight. I checked the logs when I woke up and there was no reference to anything being detected. Of course I have cleared Temp folders also.

I attempted to run Spybot, but during the update process the program froze and I had to kill the process. It has not started up since, and just uses max CPU until I kill it. Not sure if that is related but either way I am down one weapon.

At this point the only indication that anything is wrong is that SVCHOST is running at 50% cpu. (Since I have a dual core it seems that some programs run at 50% when really they want 100%.) What is odd is that if I start up with my network disconnected, everything is normal until I connect to the internet, then SVCHOST goes to 50%.

While I await a helpful reply I will try running CCleaner and MBAM.
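The poster linked the dropped files to the infection by hand, by noticing that each was created within seconds of the Avast alert. The script below is an added example (not code from the thread or from any tool named in it) that automates that pivot: it lists files whose NTFS creation time falls inside a window around a reference time and prints each file's MD5 so a hit can be looked up in a sandbox report such as the ThreatExpert one above. It is written for PowerShell 2.0, the newest version that runs on Windows XP SP3 (installed separately via Windows Management Framework); the default reference time is the first alert from the post, and the root directories and window size are assumptions to adjust.

```powershell
# Added example, not code from the thread: find files created within a window around a
# known alert time, the "created N seconds after the Avast detection" pivot from the post.
# PowerShell 2.0 syntax (Windows XP SP3). Defaults below are assumptions, not fixed rules.
param(
    [datetime]$Reference = [datetime]'2009-12-15 14:45:12',  # first Avast alert in the post
    [int]$WindowSeconds  = 120,
    [string[]]$Roots     = @("$env:WINDIR", "$env:WINDIR\System32", "$env:WINDIR\Temp",
                             "$env:USERPROFILE", "$env:USERPROFILE\Start Menu\Programs\Startup")
)

# Hex MD5 of a file, for looking a hit up in a sandbox report (ThreatExpert indexes by MD5).
# Returns a marker string instead of throwing if the file is locked or unreadable.
function Get-Md5Hex([string]$Path) {
    try {
        $md5    = [System.Security.Cryptography.MD5]::Create()
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            return (($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '')
        } finally {
            $stream.Close()
        }
    } catch {
        return 'unreadable (locked or access denied)'
    }
}

$start = $Reference.AddSeconds(-$WindowSeconds)
$end   = $Reference.AddSeconds($WindowSeconds)

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # Non-recursive on purpose: every artifact in the thread was dropped directly into
    # %WINDIR%, System32, Temp or the profile. Add -Recurse to widen the search.
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
        ForEach-Object {
            New-Object PSObject -Property @{
                OffsetSec = [int]($_.CreationTime - $Reference).TotalSeconds
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Size      = $_.Length
                MD5       = Get-Md5Hex $_.FullName
                Path      = $_.FullName
            }
        }
}

# Sorted by creation time so the drop sequence (bat, exe, dat, ...) reads top to bottom.
$hits | Sort-Object Created | Format-Table OffsetSec, Created, Modified, Size, MD5, Path -AutoSize
```

Run it from an elevated PowerShell prompt, for example `.\Find-DropWindow.ps1 -Reference '2009-12-15 14:45:12' -WindowSeconds 60` (the script name is an assumption). Creation timestamps are easy for malware to forge, so an empty result means "not found this way", not "clean"; a file whose Modified column is much later than Created, like the .dat the poster found, was still being written to after it was dropped, which is itself worth noting.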

Exothermic

Re: srsdllpro / siszyd32 / Win32:Small-NDO / svchost at 50% cpu - help
« Reply #1 on: December 16, 2009, 07:41:50 PM »
Also found another suspicious file: C:\WINDOWS\Ytapapevafiyup.dat
Created about 30 seconds after srsdllpro was created, but was modified later that night.

I also ran a Quick Scan with MBAM:

Quote
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: winexpg.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\winexpg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Joel\Start Menu\Programs\Startup\siszyd32.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\ADAPT_Installer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joel\Local Settings\Temporary Internet Files\udRemove.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Upon restart everything looks nominal. SVCHOST is running at a typical CPU usage. I'm running a MBAM Full Scan now, but if nothing is found do you think it is safe to access my online banking site?
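The first post and this reply between them name most of the places this infection touched: the MSConfig startup entries and startup folder, the Windows Firewall service, the Security Center DisableNotify values MBAM reset, and the LSA Notification Packages entry that loaded winexpg.dll into LSASS. The script below is an added example (not code from the thread, from MBAM or from Avast) that re-checks those locations after cleanup so a re-enabled entry shows up without hunting through MSConfig and regedit again. PowerShell 2.0 syntax for Windows XP SP3; the baseline it compares against (DisableNotify values of 0, scecli as the only notification package, the XP all-users Startup path) is an assumption for a default XP install, and the script reports, it does not delete.

```powershell
# Added example, not code from the thread: audit the persistence and tamper locations the
# thread names. Reports only; nothing is deleted. PowerShell 2.0 syntax (Windows XP SP3).
# Baseline values below are assumptions for a default XP SP3 install.

function Write-Finding([string]$Level, [string]$Text) {
    Write-Output ("[{0}] {1}" -f $Level, $Text)
}

# 1. Security Center notification kill-switches: a value of 1 means "stop warning the user".
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $value = $null
    if ($sc -ne $null) { $value = $sc.$name }
    if ($value -eq 1) { Write-Finding 'WARN' "Security Center $name = 1 (notifications suppressed)" }
    else              { Write-Finding 'ok'   "Security Center $name = $value" }
}

# 2. LSA Notification Packages: DLLs LSASS loads and calls on every password change.
#    A stock XP box lists only scecli; anything else (winexpg.dll in the thread) needs a look.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$packages = @()
if ($lsa -ne $null) { $packages = @($lsa.'Notification Packages') }
foreach ($pkg in $packages) {
    if ($pkg -ieq 'scecli') { Write-Finding 'ok'   "LSA Notification Package: $pkg" }
    else                    { Write-Finding 'WARN' "LSA Notification Package not in baseline: $pkg" }
}

# 3. Run/RunOnce keys, then MSConfig's record of items that were unticked (a disabled item
#    is still on disk and can be re-enabled, as the poster saw with siszyd32).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }   # skip PSPath/PSParentPath/... metadata
        Write-Finding 'info' ("Run entry {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
    }
}
# MSConfig subkey names are the original path with each backslash replaced by ^.
foreach ($sub in 'startupfolder', 'startupreg') {
    $path = "HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\$sub"
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Finding 'info' ("MSConfig disabled ({0}): {1}" -f $sub, ($_.PSChildName -replace '\^', '\'))
    }
}

# 4. Startup folders: every file here runs at logon. All-users path is the XP layout.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Finding 'info' ("Startup folder item: {0} (created {1})" -f $_.FullName, $_.CreationTime)
    }
}

# 5. Services the infection switched off: Windows Firewall/ICS (SharedAccess) and Security Center.
foreach ($svc in 'SharedAccess', 'wscsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -eq $null)                { Write-Finding 'WARN' "Service $svc not found" }
    elseif ($s.Status -ne 'Running') { Write-Finding 'WARN' "Service $svc is $($s.Status)" }
    else                             { Write-Finding 'ok'   "Service $svc is Running" }
}
```

Run it from an elevated prompt once after cleanup and again after the next reboot with the network connected; the poster's own observation that svchost only misbehaved once online is a hint that a fresh run after reconnecting is the one that matters. Anything tagged WARN that comes back after being fixed means something is still re-creating it, which is the point at which a scanner run from outside the installed system (a boot-time or offline scan) is the better tool than more registry edits.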

CharleyO

Re: srsdllpro / siszyd32 / Win32:Small-NDO / svchost at 50% cpu - help
« Reply #2 on: December 16, 2009, 08:00:10 PM »
***

Welcome to the forums, Exothermic.   :)

I think you have done very well and, if a full scan by MBAM comes back clean, you should be ok.

But, please wait for opinions from other members here.


***

Exothermic

Re: srsdllpro / siszyd32 / Win32:Small-NDO / svchost at 50% cpu - help
« Reply #3 on: December 17, 2009, 03:53:58 PM »
Well. I guess I hit the nail on the head?!

CharleyO

Re: srsdllpro / siszyd32 / Win32:Small-NDO / svchost at 50% cpu - help
« Reply #4 on: December 18, 2009, 06:18:11 PM »
***

Yes, I also think you hit the nail on the head. Good job of it.   :)


***