Greetings,
Hope someone can help. I can’t find enough information on my issues online, and I have run out of ideas.
I’m running Windows XP SP3. I’m fairly computer savvy, and I have Process Explorer pop up on start up and usually notice pretty quickly if something is amiss.
This all started yesterday while browsing the interwebs on Firefox 3.5.5. Avast gave me these two alerts, to which I aborted the connection and deleted files:
2009-12-15 14:45:12 1260909912 SYSTEM 1304 Sign of “Win32:Small-NDO [Trj]” has been found in “C:\WINDOWS\TEMP~TMD4.tmp” file.
2009-12-15 14:45:28 1260909928 SYSTEM 1304 Sign of “Win32:Small-NDO [Trj]” has been found in “C:\WINDOWS\TEMP~TMD5.tmp” file.
At a later point I noticed CMD.exe running at 50% CPU and srsdllpro.exe or some other DLL as a descendant if I remember correctly. I killed both and sometime later restarted the computer. At this point I discovered srsdllpro.exe running. I killed it and did some research and realized that I had a security breach. The date srsdllpro was created was about 8 seconds after Avast detected Win32:Small-NDO.
Very little information out there on srsdllpro:
http://www.threatexpert.com/report.aspx?md5=7929718fb45fad85244d9a4cf2ab1ab4
http://comprolive.com/remove/harmful/exe/srsdllpro-exe
It’s called Sandboxie Start in the exe properties, and also uses the same icon as this program:
http://www.sandboxie.com/
I deleted:
C:\Windows\srsdllpro.exe
HKEY_USERS\.DEFAULT\Software\Microsoft\InetData
HKEY_CURRENT_USER\Software\Microsoft\InetData
I originally did not find C:\Windows\System32\abcdefg.bat. I just now found C:\Windows\System32\fjhdyfhsn.bat which I deleted. It was also created within seconds of srsdllpro. The contents of this file:
@echo off
:try
@del /F /Q "C:\Program Files\Internet Explorer\iexplore.exe"
if exist "C:\Program Files\Internet Explorer\iexplore.exe" goto try
I found the Windows Firewall service to be turned off as was described at the above links. I have turned it back on, and it seems to be running normally since. I examined start up programs in MSCONFIG and discovered suspicious entries for:
srsdllpro
siszyd32
rundll32.exe “C:\WINDOWS\unotovunikanujuq.dll”,Startup
The unotovunikanujuq.dll is dated from 2006/2008 so I don’t see how it is involved with the current attack, but I have never seen it before, there is no information on the internet about it, and it looks really suspicious. I disabled all of these.
Siszyd32 of course does not actually exist at C:\Documents and Settings\Joel\Start Menu\Programs\Startup\siszyd32.exe. But it continues to re-enable itself in the startup list. I found a registry reference for the siszyd32 location in this key which I deleted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Joel^Start Menu^Programs^Startup^siszyd32.exe
HKEY_USERS\S-1-5-21-1935655697-1767777339-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache
Of course I updated Avast and did a boot time scan overnight. I checked the logs when I woke up and there was no reference to anything being detected. Of course I have cleared Temp folders also.
I attempted to run Spybot, but during the update process the program froze and I had to kill the process. It has not started up since, and just uses max CPU until I kill it. Not sure if that is related but either way I am down one weapon.
At this point the only indication that anything is wrong is that SVCHOST is running at 50% CPU. (Since I have a dual core it seems that some programs run at 50% when really they want 100%.) What is odd is that if I start up with my network disconnected, everything is normal until I connect to the internet, then SVCHOST goes to 50%.
While I await a helpful reply I will try running CCleaner and MBAM.
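The timing check the poster did by hand (srsdllpro.exe created about 8 seconds after the Avast detection) is a useful triage technique in general: parse the AV alert timestamps and flag any file whose creation time falls shortly after one. Below is an added example of that check, not code from the post or from any tool named in it; the file creation times are constructed from the post's description rather than read from a real host, and the 30-second window is an assumed default.

```python
import re
from datetime import datetime, timedelta

# Avast on-access alert line in the format quoted in the post (straight or curly quotes accepted):
# 2009-12-15 14:45:12 1260909912 SYSTEM 1304 Sign of "<signature>" has been found in "<path>" file.
AVAST_ALERT = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \S+ \d+ '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

def parse_avast_alerts(lines):
    """Return (timestamp, signature, path) for each Avast alert line; other lines are skipped."""
    alerts = []
    for line in lines:
        m = AVAST_ALERT.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            alerts.append((ts, m.group("sig"), m.group("path")))
    return alerts

def files_created_near_alerts(alerts, file_ctimes, window_seconds=30):
    """Flag files whose creation time lies within window_seconds AFTER any alert.
    file_ctimes maps path -> creation datetime (collected from the host; constructed here).
    Returns (path, seconds_after_alert, alerted_path) tuples, soonest first."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for path, ctime in file_ctimes.items():
        for ts, _sig, alerted_path in alerts:
            delta = ctime - ts
            if timedelta(0) <= delta <= window:  # files created BEFORE the alert are not of interest
                hits.append((path, int(delta.total_seconds()), alerted_path))
                break
    return sorted(hits, key=lambda h: h[1])

# Constructed sample log: the two alert lines from the post plus one unrelated line.
SAMPLE_LOG = [
    r'2009-12-15 14:45:12 1260909912 SYSTEM 1304 Sign of "Win32:Small-NDO [Trj]" has been found in "C:\WINDOWS\TEMP\~TMD4.tmp" file.',
    r'2009-12-15 14:45:28 1260909928 SYSTEM 1304 Sign of "Win32:Small-NDO [Trj]" has been found in "C:\WINDOWS\TEMP\~TMD5.tmp" file.',
    "2009-12-15 14:46:00 1260909960 SYSTEM 1304 Scan of boot sector completed.",
]
# Constructed creation times following the post: srsdllpro ~8 s after the detection,
# the .bat a few seconds later, the DLL dated years earlier (so it is not flagged).
SAMPLE_CTIMES = {
    r"C:\Windows\srsdllpro.exe": datetime(2009, 12, 15, 14, 45, 20),
    r"C:\Windows\System32\fjhdyfhsn.bat": datetime(2009, 12, 15, 14, 45, 23),
    r"C:\WINDOWS\unotovunikanujuq.dll": datetime(2008, 4, 3, 10, 0, 0),
}

if __name__ == "__main__":
    for path, secs, src in files_created_near_alerts(parse_avast_alerts(SAMPLE_LOG), SAMPLE_CTIMES):
        print(f"{path} created {secs}s after the alert on {src}")
```

On a real machine the creation times would come from the filesystem (for example by walking C:\Windows and C:\Windows\System32 and reading each file's creation time) and the alert lines from the Avast log; anything flagged is a candidate for the kind of startup-entry and registry review the post describes.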