Oct 30th, 2008

zvsarc.exe

Hello.

This is my first post, so apologies in advance.

Does anyone know what the process zvsarc.exe is? I have tried to Google it and get no useful results. I noticed one of my XP machines has been constantly downloading and uploading to the internet and have tracked it back to the "zvsarc.exe" process.

I have disabled the process and resumed normal network traffic; however, I would like to know what the process is and what it does. Any help will be appreciated.

Thanks
Posted by magic_mikey
Oct 30th, 2008

Re: zvsarc.exe

download and run process explorer
Posted by nsindian
Oct 30th, 2008

Re: zvsarc.exe

Quote originally posted by nsindian:
    download and run process explorer
Thank you nsindian. I have downloaded and run Process Explorer. I need to look into it a bit further to understand the results; however, it has shown me that I am connecting to ruthless.snoke.nl. Sounds like a nasty that I don't need.
Posted by magic_mikey
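The step the poster did with Process Explorer, working out which process owns the connection, can also be done from the XP command line with `netstat -ano` (connections with owning PID) and `tasklist /svc` (PID to image name and hosted services). The block below is an added example, not code from the original thread or from Sysinternals: it parses the two command outputs, joins them on PID, and flags established TCP connections whose foreign address is a known command-and-control IP or whose foreign port is in the usual IRC range. The two sample outputs embedded in the block are constructed in the layout those commands print on XP; every line is made up except that the foreign address reuses the IRC server IP the thread later reports for zvsarc.exe (217.67.230.216). The function names and the `KNOWN_C2_IPS` / `IRC_PORTS` lists are my own.

```python
import re

# Constructed sample output (not from the original post) in the layout that
# Windows XP prints for `netstat -ano`. Only the 217.67.230.216 address is
# taken from the thread; every other line is made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.23:1038      192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.23:1044      217.67.230.216:6667    ESTABLISHED     1588
  TCP    192.168.1.23:1051      74.125.79.99:80        ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1084
"""

# Constructed sample output in the layout of `tasklist /svc` on XP.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    952 RpcSs
svchost.exe                   1084 SSDPSRV, upnphost
zvsarc.exe                    1588 N/A
iexplore.exe                  1204 N/A
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC server ports
KNOWN_C2_IPS = {"217.67.230.216"}             # from the thread; extend with your own intel


def split_endpoint(addr):
    """'217.67.230.216:6667' -> ('217.67.230.216', 6667); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Rows of `netstat -ano`; UDP rows have no State column, so they are 4 fields."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue                      # banner and column header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


# Image names may contain spaces ("System Idle Process"), so anchor on the PID column.
TASK_RE = re.compile(r"^(?P<image>.+?\S)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def parse_tasklist(text):
    """PID -> {image, services} from `tasklist /svc`."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            procs[int(m.group("pid"))] = {"image": m.group("image"),
                                          "services": m.group("services")}
    return procs


def flag_connections(netstat_text, tasklist_text):
    """Established connections to a known C2 address or an IRC port, joined to their process."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        if c["proto"] == "TCP" and c["state"] != "ESTABLISHED":
            continue                      # listeners are not evidence of beaconing
        host, port = split_endpoint(c["foreign"])
        reasons = []
        if host in KNOWN_C2_IPS:
            reasons.append("known C2 address")
        if port in IRC_PORTS:
            reasons.append("IRC port %d" % port)
        if reasons:
            p = procs.get(c["pid"], {"image": "<unknown>", "services": ""})
            findings.append({"pid": c["pid"], "image": p["image"], "services": p["services"],
                             "foreign": c["foreign"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("PID %(pid)d %(image)s -> %(foreign)s: %(reasons)s" % f)
```

The join points at a PID, not at a verdict: a bot that injects into an existing process shows up here as an `svchost.exe` or `iexplore.exe` with an IRC connection, which deserves exactly the same follow-up as an unknown image name like `zvsarc.exe`.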
Oct 30th, 2008

Re: zvsarc.exe

you may also want to use autoruns, which can be downloaded from sysinternals site
Posted by nsindian
Oct 30th, 2008

Re: zvsarc.exe

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebyt...are_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
Post the log back here.
Posted by caperjack
Oct 30th, 2008

Re: zvsarc.exe

OK, so here is the log from Malwarebytes (this is before the removal actions were taken, as I did not save the file again after removal and restart). It has found a couple of things that my SuperAntiSpyware Pro hasn't found; however, it has also disabled msconfig, and two of the below "malware" removals have had to be restored to fix msconfig.

The process zvsarc.exe is still there. I have manually removed it with regedit from the Run and Run services folder.

This is what I know about the process so far. It connects me to an IRC server in the Netherlands (ruthless.snoke.nl/217.67.230.216). It has an active connection which constantly downloads and uploads. It resides in C:\windows\system32 and runs as a service calling itself "Microsoft Update Machine" from an unknown vendor.

I have disabled the service and deleted it from the system32 folder, and I have blocked the IRC port and the domain. Now to see if it has gone completely or if it will come back. I will keep the quarantined items in case I find any other tools have been identified as a Backdoor.Bot.

I am still curious as to what the process is, and how it has attached itself to the PC.

Malwarebytes' Anti-Malware 1.30
Database version: 1340
Windows 5.1.2600 Service Pack 3

30/10/2008 22:35:15
mbam-log-2008-10-30 (22-35-09).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 104675
Time elapsed: 21 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Documents\Drivers\Computer Hardware info\Windows Server 2003 R2 Enterprise Edition With SP2 (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\All Users\Documents\Drivers\Computer Hardware info\Windows Server 2003 R2 Enterprise Edition With SP2 (Malware.Tool) -> No action taken.
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\BMbfd20034.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMbfd20034.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\Program Files\Setup.exe (Rogue.Installer) -> No action taken.
Last edited by magic_mikey; Oct 30th, 2008 at 8:28 pm. Reason: log before removal
Posted by magic_mikey
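The log above follows a fixed layout (a summary block of counts, then one listing per category, one detection per line as `item (Family) -> action`). The block below is an added example, not code from the original thread or from Malwarebytes: a small Python parser for that layout. It turns each detection into a record (listing, item, family, action, and the `Bad: (0) Good: (1)` detail that registry data items carry), checks the declared counts against the entries actually listed (a cheap way to notice a truncated paste), groups detections by family, and pulls out two sets an analyst wants to look at before clicking Remove Selected: autorun persistence entries (the `Run\msconfig` value flagged as Backdoor.Bot, which is how a bot survives a reboot) and files that sit under `C:\WINDOWS\`. The second set matters because the log lists `C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe`, which is consistent with the poster's report that msconfig stopped working after removal. The log text embedded in the block is the one from this post with the scan header and blank lines removed; the function names are my own.

```python
import re
from collections import Counter

# Detection listing copied from the Malwarebytes log posted in the thread.
# The scan header (version, date, elapsed time) and blank lines are left
# out; the detection lines themselves are unchanged.
MBAM_LOG = r"""
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3cab59b4-55a3-4737-9fd5-b93c6430bf75} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msconfig (Backdoor.Bot) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\All Users\Documents\Drivers\Computer Hardware info\Windows Server 2003 R2 Enterprise Edition With SP2 (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\All Users\Documents\Drivers\Computer Hardware info\Windows Server 2003 R2 Enterprise Edition With SP2 (Malware.Tool) -> No action taken.
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\BMbfd20034.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BMbfd20034.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> No action taken.
C:\Program Files\Setup.exe (Rogue.Installer) -> No action taken.
"""

# "Registry Keys Infected: 6" (summary) and "Registry Keys Infected:" (listing start)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)?$")
# "<item> (<Family>) -> [detail -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")


def parse_mbam_log(text):
    """Return (declared_counts, sections); sections maps a listing name to its entries."""
    declared, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is not None:          # summary block at the top of the log
                declared[name] = int(count)
                current = None
            else:                          # start of a detection listing
                current = name
                sections.setdefault(current, [])
            continue
        e = ENTRY_RE.match(line)
        if current is None or not e:       # "(No malicious items detected)" and noise
            continue
        *detail, action = e.group("rest").split(" -> ")
        sections[current].append({
            "section": current, "item": e.group("item"), "family": e.group("family"),
            "detail": " -> ".join(detail),  # e.g. "Bad: (0) Good: (1)" on data items
            "action": action,
        })
    return declared, sections


def verify_counts(declared, sections):
    """Listings whose entry count disagrees with the summary (truncated paste or parser miss)."""
    return {n: (c, len(sections.get(n, []))) for n, c in declared.items()
            if len(sections.get(n, [])) != c}


def by_family(sections):
    return Counter(e["family"] for entries in sections.values() for e in entries)


def persistence_entries(sections):
    """Autorun locations (Run, RunOnce, RunServices): how the bot survives a reboot."""
    run_key = re.compile(r"\\CurrentVersion\\Run", re.I)
    return [e for entries in sections.values() for e in entries if run_key.search(e["item"])]


def review_before_removal(sections):
    """Files under the Windows directory: confirm they are not OS binaries before quarantining."""
    return [e for e in sections.get("Files Infected", [])
            if e["item"].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    declared, sections = parse_mbam_log(MBAM_LOG)
    print("count mismatches:", verify_counts(declared, sections) or "none")
    print("by family:", dict(by_family(sections)))
    for e in persistence_entries(sections) + review_before_removal(sections):
        print("REVIEW  %-20s %s" % (e["family"], e["item"]))
```

Running it on this log reports no count mismatches, seven Trojan.Vundo and two Backdoor.Bot detections among fifteen in total, the single `Run\msconfig` persistence value, and four files under `C:\WINDOWS\` to check by hand, the msconfig binary among them.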
Oct 30th, 2008

Re: zvsarc.exe

Are you sure msconfig wasn't already disabled before you ran Malwarebytes?
Posted by caperjack
Oct 30th, 2008

Re: zvsarc.exe

Hi caperjack, thanks for your support. I am sure msconfig was enabled; I have used it a couple of times today to enable and disable the "Microsoft Update Machine" service.
Posted by magic_mikey
Oct 31st, 2008

Re: zvsarc.exe

zvsarc.exe: when I Google this file, this thread is the only result found. I would suggest you re-post in our virus and other nasties forum here, and maybe get and run HijackThis and post a HijackThis log there.
Posted by caperjack
Oct 31st, 2008

Re: zvsarc.exe

Thanks caperjack. I will try HijackThis and see if it shows anything. I am fairly sure that I have removed the process now, though. If it shows anything I will post in the virus section. Thank you to all who helped.
Posted by magic_mikey
