Hi guys, hope I find you all well and rested after the festivities and raring to get back into helping me - sorry everyone - with their problems!!

OK My sister in law has a games computer whixh is mainly used for WOW. Sometime this week she has been severely infected with a number of virus and trojans.

But the the strangest thing is that a new User account has been made - password protected - in the name of Adminestrator. No matter how I try and delete this account it reappears after every restart. This I have never seen before!

OK the steps I have taken and all to no avail.:banghead:

Boot in to safe mode
Disable system restore
run AVG Antispyware
run adaware
run Spybot
Run AVG Antivirus (free edition)
Run HJT (in safe mode)

Logfile of HijackThis v1.99.1
Scan saved at 12:01:26 PM, on 1/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\winrcc.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Load DLL Services Drivers] winrcc.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [Load DLL Services Drivers] winrcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Microsoft Sata emulation (mside) - Unknown owner - C:\WINDOWS\system\mside.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: Microsoft Windows DMR Service (Windows DMR Service) - Unknown owner - C:\WINDOWS\dmrproc.exe


There are 4 files in C: directory that keep reappearing they change each time but are something like lkjnf.exe (in other words just randonly named files)

Every time the system starts AVG flags the following and whichever option is taken - to heal or move to vault they ALWAYS reappear within a minute.

PSW.Generic2.ZSL
Trojan Horse Collected.Z
IRC/Backdoor.SdBot2.MNX
Clicker.DUU
ProcKill.DJ
Small.bs

There are a few processes that will not be killed -even with KillBox they keep reappearing (but I cant remember them now - Sorry)

Anyway thats all I have done and it made not one bit of difference.

Should I run HJT in normal mode?

Thanks in andvance

Siggy - (now only one PC folding for the team :( )

Hi Siggy,

Because of the infections present on the computer, I need to give you this warning. :(

The computer is infected by SDBot Trojans that have Backdoor functionality.
This gives intruders complete control of your computer, logging key strokes, stealing information, etc. :(

You are strongly advised to do the following immediately!:
Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

Danger: Remote Access Trojans (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx).
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud? (http://www.dslreports.com/faq/10451)

Should you have any questions, please feel free to ask

Please let me know your decision and we'll get started with clean up if that's what you choose.

Trogan - many thanks for the response - after chatting to the Sister in Law we are going to go down the route of reformatting and starting again - I am worried that any clean up may leave some nasties behind.
Thanks again for your quick reply - sorry its taken so long to come back to you!
Siggy

No problem about the delayed response. Formatting is definitely the safest option.

Good luck!

hi siggy, since you decided reformat, may we close this thread?:)

Thread closed!