pernicious smanager.7.exe infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tfelix, May 19, 2007.

  1. tfelix

    tfelix Private E-2

    hello friends

    i won't post any hijackthis logs off the bat since it appears those are the ground rules for the forum.

    my computer has come down with a baaad case of the scaries today. i've made a firm decision never to use a key site again for the rest of my life. i downloaded what i thought was a legitimate keygen from a site reported to be clean by asta-killer.com. i soon discovered i had a rampant vundo/mundo/whatever-it-is infection.

searching around on google i downloaded all the tools recommended (vundofix, virtumundobegone, hijackthis) and as of right now i've been working on killing creepy-crawlies in adaware, kaspersky, spybot s&d, ccleaner, and hijackthis for about five hours.

    a while ago i reached the point where only two processes were left, and i'm convinced these two are very new and VERY mean. i'm not a n00b by any means, and i've been actively using computers for over 20 years... but i've NEVER seen any spyware this mean before. who knows, maybe i've just been lucky so far?

    anyway, i've got it bad this time. there's a particular process called smanager.7.exe (which never seems to be anywhere in particular and always seems to be dynamically renaming itself to things in some temp folder somewhere) and another one called win32.alphabet.gen. these are turning my life into a living nightmare. i've been in and out of safe mode running every possible cleaner i can think of and just praying that they will DIE somehow. it really feels like i'm in some horrible b-monster movie.

    i've read a bunch of threads on this that seem very recent (last 10 days or so) and very much like my situation, but i haven't been able to get clean here.

    if anyone could guide me through the process of killing these things i will sing your praises till the end of time.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. tfelix

    tfelix Private E-2

    sorry about not following the instructions right away... that was a lot to process..!

    but i did it. i tried my best to follow the whole procedure step by step.

    the first time i ran counterspy i couldn't figure out how to save a log... i realize now i was supposed to copy the text out manually. i did write down the names of the two files it found and neutralized... one under 'files' was called HermanAgent1.0 Trojan.; the other, under 'registry', was called Trojan.Win32.Agent.qt. Counterspy told me it quarantined these, but i didn't know how to save a log the first time...

    I tried it again so I could save a .log for this site, but counterspy came up clean, and i couldn't figure out how to save a log from that. but the results were mem:664/0; files:36414/0; registry:93720/0; cookies 0/0.

    bit defender also came up clean, and i'm attaching the .txt file for that here... i'm sorry that there's a few files listed in there that were found to be clean... some .mp3s and stuff... i clicked on the tab to watch while it was running, and i didn't know it would save that stuff in the log.

    panda thinks it found two "rootkits," but i don't think that's what they are. the files it found were "vBeGone.exe" (which i renamed from virtumundobegone.exe) and "PowerReg SchedulerV2.exe," which i believe came with my game splinter cell chaos theory.

    then i rebooted into normal mode and ran the two batch files. i'll attach those logs in this post or the next.

    finally i ran hijackthis as "analyse.exe," which i carefully followed your instructions about.

    i think my system is almost clean now, thanks to you. it is still exhibiting some disturbing behavior.... kaspersky gives me alerts that something bad is happening whenever i attempt to open windows explorer or internet explorer.

    now i'm exclusively using firefox with adblock+ and noscript, but i'd still like to kill whatever's still living in the depths of my machine.

    thanks for your support, and here are my pertinent .log files. i hope that this will be able to help other people who are having this issue, too.
     


  4. tfelix

    tfelix Private E-2

    here are the rest of my logs.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It may have called them rootkits while the scan was running but the log shows they are just potentially unwanted applications.


    Okay first you must go back to step 2 of the READ ME and follow those steps properly. You still have system files and also file extensions hidden which may prevent you from finding files I will be asking you to delete.

    Now Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\counterspy

    The below items we are fixing with HJT are not malware, but they are just an unnecessary waste of system resources.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - Startup: PowerReg SchedulerV2.exe

    We don't believe in letting anyone be put into the Trusted Zone and it is rarely necessary to do that just to connect to a site. I suggest you also fix the below line with HJT but it is your choice.
    O15 - Trusted Zone: http://care.alltel.com

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\system32\klnmp.bak1
    C:\WINDOWS\system32\klnmp.ini

    Now run Ccleaner

    Now reboot in normal mode
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
  6. tfelix

    tfelix Private E-2

    chaslang,

    thanks for the detailed and quick response. i'm a little bit more concerned all of a sudden because you seem so sure i'm running with hidden files and extensions not displayed..... I always have extensions displayed because it bothers me not to see them, and i did follow step 2 precisely in making sure that hidden files were visible, both before i submitted my original reports and just before i followed your recent instructions. i thought "maybe the settings change when i boot into safe mode??" but i checked it there, too, and hidden files and extensions were still visible.

    here's the play-by-play as i wrote it down while i was following your instructions:

    1. double-checked extensions and hidden file settings
    2. uninstalled counterspy, rebooted into normal mode at its request
    3. checked for the two folders you named to delete... they were already gone.
    4. did a windows search for "sunbelt" which yielded no results
    5. ran HJT with no other apps open (unless you count kaspersky on the tray) and selected the items requested, including removing alltel from the trusted zone (i agree with your philosophy, and thanks for the recommendation)
    6. clicked "fix" and exited HJT
    7. rebooted into safe mode (with no networking and no ethernet cable)

    Here's where it gets WEIRD

    8. i looked in C:\WINDOWS\system32\ for klnmp.bak1 and klnmp.ini... they weren't there!! i checked again right on the spot for the extensions and hidden file settings, they were set to display all hidden files and not hide file extensions.
    9. i did a windows search for "klnmp". no results.
    10. ran ccleaner anyway (both tabs)
    11. rebooted in normal mode
    12. created fixME.reg (all files / ANSI) from your quote
    13. double-clicked fixME.reg and allowed it to merge with the registry
    14. i ran your batch file "GetRunKey.bat"... at the very start of the process, in the black cmd/dos window, the program reported "Error: the system was unable to find the specified registry key or value" twice.
    15. i ran "shownew.bat"
    16. i made sure everything (except kaspersky) was closed and ran HJT.

    i think i can see where you're coming from... in shownew.bat, those klnmp monsters are there.... but as i reported, i can't see them or delete them in windows.

    i'll attach my logs here and then give you a short report of any weirdness that is happening in another post.
     


  7. tfelix

    tfelix Private E-2

    ok. things with the computer are generally running a lot better now, especially since i ran counterspy according to the instructions and it killed the two things no other program had been able to touch.

    last night i was in full freakout mode because warnings were popping up on my screen literally every 2 seconds, so i set all of kaspersky's settings to HIGH. i believe that some of the warnings i'm getting now may be false alarms because of those "high" settings.

    In general, the system feels quite a bit more sluggish than it did, say, 30 hours ago, but i think that may be because Kaspersky has the system on such a tight leash... i'm not sure.

    just to give you an idea, i've made a few screen captures of some of the error messages, so you'll know what's going on.

    the first is a capture of some of the Events tab on Kaspersky's "Protections" screen.

    the others are warnings that Kaspersky generates when i try to use windows explorer or internet explorer, or when windows boots and something happens with "inkmonitor" or "motiveSB". i think those two in particular may be normal, but it freaked me out the way the alerts were reported..."trying to inject module into all processes"!?!? sounds scary. i hate inkmonitor anyway, and i'd love to make it stop putting itself on the taskbar and re-creating its start menu program group after i delete it, every time the computer boots.

    i understand that motiveSB is alltel checking the DSL connection or something, but i was just scared that the virus/spyware thing was smart enough to use startup processes to hide itself... so i've been habitually denying those processes/alerts.

    other details.... i see in HJT and the other logfiles that there are still traces of bitdefender on the system? also, in HJT (O23) apparently there's a file missing for kaspersky? i know that avp was one of the bad processes that i think got killed in combat, but kaspersky itself seems to be running properly. what should i do about these?

    i'm sorry to take up so much of your time with my long posts..... i can't thank you enough for what you've done so far to help me out. i'll be waiting for your response when you have time. thanks!
     


  8. tfelix

    tfelix Private E-2

    another mugshot (see attachment):

    the "explorer.exe" alert doesn't appear as a pop-up window anymore because i think i somehow set a rule for it to be always denied. now i can't figure out how to make it come back and smile for the camera, but the events are still occurring and getting logged in kaspersky > protection every time i open windows explorer (by right-clicking on Start)

    thanks!
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I misread your previous log, extensions were not hidden but system files were and they still are. The below registry keys from your GetRunKey log prove it:
    Code:
    ----------------------------------------------------------------------------
        Listing HKCU Explorer\Advanced//Hidden and SuperHidden Registry Keys    
            if Hidden = 0 then Hidden Files and Folders are not shown           
            if SuperHidden = 1 is the desired default value.                    
            if ShowSuperHidden = 0 then System Files are not shown              
            if HideFileExt = 1 then File Extension are not shown                
        We want their values to be (from top to bottom) 1,1,1,0                 
    ----------------------------------------------------------------------------
     
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden"=dword:00000001
    "SuperHidden"=dword:00000000
    "ShowSuperHidden"=dword:00000000
    "HideFileExt"=dword:00000000

    Not true. You just cannot see them due to the hidden files setting being incorrect. The files can be seen in your current ShowNew log. See for yourself.

    Windows Search will not show hidden files and system files unless properly configured, and these are different settings than the ones used for Windows Explorer. See this for searching: Searching for Hidden Files on WinXP

    See the download page for GetRunKey as this was explained there.


    Let's set the hidden files info the way I want it to be set!

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now look for the files I asked you to delete. Did you find them now?
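The check chaslang is doing by eye above can be automated. The script below is an added example written for this page (it is not part of the thread and not GetRunKey's own code): it parses a .reg-style export like the one quoted from the GetRunKey log, compares the four Explorer\Advanced values against the 1,1,1,0 that the post asks for, and writes out a .reg file that sets them. The sample export is constructed from the values quoted in the post. The generated .reg text is an assumption: the actual fixME.reg from the original post is not reproduced on this page, so this builds an equivalent from the desired values stated in the GetRunKey header.

```python
"""Check Explorer hidden-file settings in a .reg-style export and build a fix.

Desired values (from the GetRunKey header quoted in the post):
  Hidden=1, SuperHidden=1, ShowSuperHidden=1, HideFileExt=0
"""
import re

EXPLORER_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Explorer\Advanced"
)

# Desired values, in the order the GetRunKey header lists them.
DESIRED = {
    "Hidden": 1,           # 1 = show hidden files and folders
    "SuperHidden": 1,      # 1 = desired default per the GetRunKey header
    "ShowSuperHidden": 1,  # 1 = show protected operating system files
    "HideFileExt": 0,      # 0 = show file extensions
}

# Constructed sample: the values quoted from tfelix's GetRunKey log.
SAMPLE_EXPORT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in .reg text.

    Header lines, dashes and other non-matching lines are ignored, so the
    surrounding GetRunKey banner does not need to be stripped first.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def check_hidden_settings(text):
    """Return [(name, actual, desired)] for values that differ or are missing."""
    values = parse_reg(text).get(EXPLORER_KEY, {})
    problems = []
    for name, want in DESIRED.items():
        got = values.get(name)  # None if the value is absent from the export
        if got != want:
            problems.append((name, got, want))
    return problems


def build_fix_reg():
    """Text of a .reg file (assumed equivalent to the post's fixME.reg) that
    sets all four values to the desired state."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{EXPLORER_KEY}]"]
    for name, want in DESIRED.items():
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name, got, want in check_hidden_settings(SAMPLE_EXPORT):
        print(f"{name}: found {got}, want {want}")
    print(build_fix_reg())
```

Against the sample export the checker reports SuperHidden and ShowSuperHidden as 0 where 1 is wanted, which is exactly why the klnmp files did not show up in Explorer; merging the generated .reg and re-opening Explorer (or pressing F5) makes system files visible. Windows Search has its own hidden-file switch, as the post notes, so passing this check does not by itself make Search find them.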
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing wrong with IEFRAME.DLL. It is part of IE7, which you chose to install. Stop blocking it. You also should not be blocking the software from your ISP (MotiveSB.exe) unless you don't need it, and you probably don't, but you have to determine if you would ever use it. As far as I'm concerned it is something you can stop from loading using HJT since I doubt you would ever use it. You can read a little about it here:

    http://www.liutilities.com/products/wintaskspro/processlibrary/motivesb/

    Also InkMonitor is something you need to decide if you want the feature. See: http://www.bleepingcomputer.com/startups/InkMonitor.exe-2202.html
     
