Please help stuck with last 3 viruses

Discussion in 'Malware Help (A Specialist Will Reply)' started by Juggernaut118, Apr 28, 2006.

  1. Juggernaut118

    Juggernaut118 Private E-2

    I ran through your read me first stuff and tried some other things but I can't figure out how to get rid of these last three. I'm not able to get the log from panda scan because the screen is cut off on the right side for some reason but it says I have one virus. Thanks for any help you can give me.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Your problems are worse than you think. Take the below seriously.

    IMPORTANT NOTE: You have been infected with TWO Password Stealing Trojans: Trojan.W32.Torpig

    See this link for what you have: http://www.liutilities.com/products/wintaskspro/processlibrary/ibm00001/


    Since you appear to use this PC for financial related matters, you must take this possible threat seriously.

    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned. If you have network computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    I will try to work up some fixes for you when I get back in. Gotta run for awhile but in the meantime you should do what the above recommends.
     
  3. Juggernaut118

    Juggernaut118 Private E-2

    I may have removed the virus. I ran bitdefender and nothing came up. Could you take a look at my hijack this file to confirm please.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not even close to clean and you must do what I indicated anyway. Even if you were totally clean right now, you still had a password stealer on your PC which means your personal security may have been compromised. Can you afford to ignore this?

    Why do you have a C:\windows folder and a C:\Winnt folder?

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.

    Run Pocket Killbox by double clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\rock.exe
    C:\WINDOWS\SYSTEM32\senssrv.dll
    C:\WINDOWS\SYSTEM32\syshost.exe
    C:\WINDOWS\System32\eventwvr.exe
    C:\WINDOWS\SYSTEM32\taskdir~.exe
    C:\WINDOWS\SYSTEM32\srshost.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Now run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O4 - HKLM\..\Run: [Microsoft Windows System] syshost.exe
    O4 - HKLM\..\Run: [rock] rock.exe
    O4 - HKLM\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
    O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] syshost.exe
    O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
    O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [Key] C:\DOCUME~1\ADMINI~1.JEF\LOCALS~1\Temp\5C.tmp
    O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (some we already got with killbox):
    C:\WINDOWS\SYSTEM32\rock.exe
    C:\WINDOWS\SYSTEM32\senssrv.dll
    C:\WINDOWS\system32\__delete_on_reboot__senssrv.dll
    C:\WINDOWS\SYSTEM32\syshost.exe
    C:\WINDOWS\System32\eventwvr.exe
    C:\WINDOWS\SYSTEM32\srshost.exe
    C:\WINNT\del.tmp
    C:\Documents and Settings\ADMINI~1.JEF\Local Settings\Temp <--- delete all files in this temp folder
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe <--- look for any files here that begin with ibm00 and end with anything else and delete them.

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Empty your Norton Internet Security\Norton AntiVirus\Quarantine folder as instructed in step 0 of the READ ME.

    Now since you had some real nasties, I want to be safe and have you run another scanning removal tool. Run the below procedure and attach the Ewido log:

    Running Ewido Anti-Malware

    Now also attach a new HJT log

    Also tell me how things are working!
     
    Last edited: Apr 28, 2006
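As an added example (not from the thread or from either poster), a read-only PowerShell check for the "double check" step above: it re-tests the O4/O21 autorun values and the file paths chaslang lists and reports anything that still exists. It assumes PowerShell is available on the cleaned XP install and runs from an administrator account; paths are built from environment variables rather than hard-coded to C:\WINDOWS.

```powershell
# Added read-only check, not part of the thread. Re-tests the autorun entries and
# file paths named in the post above and reports anything that still exists.
# Assumption: run as an administrator on the cleaned XP install; nothing is deleted.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Value names taken from the O4 lines in the HijackThis log quoted above.
$badRunNames = @('Microsoft Windows System', 'rock', 'eventwvr', 'srshost.exe', 'Shell', 'Key')
# The O21 SSODL entry: a value name under ShellServiceObjectDelayLoad.
$ssodlKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ssodlName = 'SysTray.Exbr'
# Files from the KillBox / Explorer lists (built from environment variables, not hard-coded).
$sys32      = Join-Path $env:SystemRoot 'System32'
$webFolders = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Folders'
$badFiles = @('rock.exe', 'senssrv.dll', '__delete_on_reboot__senssrv.dll', 'syshost.exe',
              'eventwvr.exe', 'srshost.exe', 'taskdir~.exe') | ForEach-Object { Join-Path $sys32 $_ }

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $badRunNames) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += "Autorun still present: $key\$name = $($props.$name)"
        }
    }
}
if (Test-Path -LiteralPath $ssodlKey) {
    $p = Get-ItemProperty -LiteralPath $ssodlKey
    if ($p.PSObject.Properties.Name -contains $ssodlName) {
        $findings += "SSODL entry still present: $ssodlKey\$ssodlName"
    }
}
foreach ($f in $badFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "File still present: $f" }
}
# The post also asks for anything beginning with ibm00 in the Web Folders directory.
if (Test-Path -LiteralPath $webFolders) {
    Get-ChildItem -LiteralPath $webFolders -Filter 'ibm00*' |
        ForEach-Object { $findings += "File still present: $($_.FullName)" }
}
if ($findings.Count -eq 0) { 'Nothing on the removal list remains.' } else { $findings }
```

Run it after the normal-mode reboot; any line it prints is an entry or file to fix or delete again, as the post instructs.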
  5. Juggernaut118

    Juggernaut118 Private E-2

    I'm dual booting xp and windows 2000 even though I'm not using 2000 any more. Thanks for your help. Here are the new scans. I hope I'm clean now.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
