Windows 7 Malware maybe?

Discussion in 'Malware Help (A Specialist Will Reply)' started by kutzenshlagen, Oct 31, 2009.

  1. kutzenshlagen

    kutzenshlagen Private E-2

    Hey all,

    So I updated from Vista 32 bit to 7 64 bit last night and I have everything up and running finally. I ran malware today and I have a couple of items that won't go away even after a restart forced by Malwarebytes. I've attached the log from my most recent scan. Any help at all would be much appreciated! Thanks!

    Also, IE 8 freezes on me CONSTANTLY now so I don't know what is up with that, but I have all but abandoned it for Safari... I dunno if it's related to the objects found.

    Malwarebytes' Anti-Malware 1.41
    Database version: 3064
    Windows 6.1.7600

    10/31/2009 1:55:41 AM
    mbam-log-2009-10-31 (01-55-41).txt

    Scan type: Quick Scan
    Objects scanned: 89397
    Time elapsed: 9 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ey0kat7-134k-ic08-40l8-6o0127s53167} (Generic.Bot.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate (Trojan.Delf) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon (Trojan.Delf) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate (Trojan.Delf) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon (Trojan.Delf) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Josh\AppData\Roaming\svchost.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
    C:\Users\Josh\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
     
  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    Did you format and install Win 7 or install over Vista? And is this a Windows Disk or a download from the Internet?

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. kutzenshlagen

    kutzenshlagen Private E-2

    Yep, it was a clean install with a format and install. It's a download from the internet. I'm doing everything that was in that thread at the moment. While I was disabling my UAC I came across a startup service I was unfamiliar with...
    The item name is: hwvmGQL
    The manufacturer is: gRJORP
    The command is: C:\Users\Josh\AppData\Roaming\svchost.exe
    The location is: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I disabled the service so we'll see if that helps at all and I'll post back with the logs requested. THANKS!
     
  4. kutzenshlagen

    kutzenshlagen Private E-2

    OK, so here are all the logs I have gotten from Malwarebytes, SUPERAntiSpyware, and MGtools, in that order.

    MALWARE BYTES:
    Malwarebytes' Anti-Malware 1.41
    Database version: 3090
    Windows 6.1.7600

    11/2/2009 10:08:22 PM
    mbam-log-2009-11-02 (22-08-22).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 214142
    Time elapsed: 58 minute(s), 26 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    C:\Users\Josh\AppData\Roaming\svchost.exe (Trojan.Delf) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ey0kat7-134k-ic08-40l8-6o0127s53167} (Generic.Bot.H) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon (Trojan.Delf) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon (Trojan.Delf) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Users\Josh\AppData\Roaming\svchost.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
    C:\Users\Josh\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.


    SUPERAntiSpyware
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/02/2009 at 08:06 PM

    Application Version : 4.29.1004

    Core Rules Database Version : 4223
    Trace Rules Database Version: 2124

    Scan type : Complete Scan
    Total Scan Time : 01:15:49

    Memory items scanned : 761
    Memory threats detected : 1
    Registry items scanned : 7363
    Registry threats detected : 2
    File items scanned : 42232
    File threats detected : 3

    Trojan.SVCHost/Fake
    C:\USERS\JOSH\APPDATA\ROAMING\SVCHOST.EXE
    C:\USERS\JOSH\APPDATA\ROAMING\SVCHOST.EXE
    [ctfmon] C:\USERS\JOSH\APPDATA\ROAMING\SVCHOST.EXE
    [ctfmon] C:\USERS\JOSH\APPDATA\ROAMING\SVCHOST.EXE
    C:\Windows\Prefetch\SVCHOST.EXE-5FDAA12C.pf
    C:\Windows\Prefetch\SVCHOST.EXE-F66F5AD0.pf


    MGTools
    See Attachment

    I hope this helps guys. Thank you!
     

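The two scanner logs above show the same small set of persistence artifacts: a Run value and a Policies\Explorer\Run value pointing at an executable named svchost.exe in the user's AppData\Roaming folder, plus an Active Setup "Installed Components" key whose name is not a real GUID. The following script is an added example for readers of this thread, not something posted by kutzenshlagen or evilfantasy and not part of Malwarebytes: it parses detection lines in the format of the Malwarebytes 1.x log quoted above and applies three defender-side triage heuristics to each (autorun location, a system-binary file name living outside System32/SysWOW64, and an Active Setup component whose name is not a GUID). The sample log is constructed from lines in this thread; the set of system binary names and the system directory list are assumptions for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the Malwarebytes 1.x log format, taken from the detections
# quoted in this thread (registry keys, registry values and files sections only).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ey0kat7-134k-ic08-40l8-6o0127s53167} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate (Trojan.Delf) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon (Trojan.Delf) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Josh\AppData\Roaming\svchost.exe (Generic.Bot.H) -> Quarantined and deleted successfully.
C:\Users\Josh\AppData\Roaming\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
"""

# A detection line: "<target> (<signature>) -> <action>".
LINE_RE = re.compile(r"^(?P<target>.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+)$")

# Assumed list of Windows binary names that malware commonly impersonates (example only).
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "explorer.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}
# Assumed locations where those names are legitimate on a default install (example only).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Autorun locations seen in the thread; the more specific Policies path is checked first.
AUTORUN_KEYS = (
    ("\\currentversion\\policies\\explorer\\run\\", "policy-run"),
    ("\\currentversion\\run\\", "run"),
    ("\\active setup\\installed components\\", "active-setup"),
)

# Active Setup component names are GUIDs; anything else is a sign of a hand-made key.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)


@dataclass
class Finding:
    target: str          # registry key/value or file path as written in the log
    signature: str       # scanner's detection name, e.g. Trojan.Delf
    action: str          # what the scanner did with it
    section: str         # log section the line appeared under
    flags: list[str] = field(default_factory=list)


def triage(f: Finding) -> list[str]:
    """Return heuristic flags for one detection line."""
    flags: list[str] = []
    t = f.target.lower()
    if t.startswith("hkey_"):
        for needle, kind in AUTORUN_KEYS:
            if needle in t:
                flags.append(f"autorun:{kind}")
                if kind == "active-setup":
                    component = f.target.rsplit("\\", 1)[-1]
                    if not GUID_RE.match(component):
                        flags.append("active-setup:non-guid-component")
                break
    else:
        name = t.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not t.startswith(SYSTEM_DIRS):
            flags.append("system-binary-name-outside-system32")
        if "\\appdata\\" in t:
            flags.append("lives-in-user-profile")
    return flags


def parse_mbam_log(text: str) -> list[Finding]:
    """Parse detection lines from a Malwarebytes 1.x style log and triage each one."""
    findings: list[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # Section headers end with a colon; summary counts and
            # "(No malicious items detected)" lines are skipped.
            if line.endswith(":"):
                section = line[:-1]
            continue
        f = Finding(m["target"], m["sig"], m["action"], section)
        f.flags = triage(f)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in parse_mbam_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.signature}: {f.target}")
        for flag in f.flags:
            print(f"    -> {flag}")
```

Run against the sample, every entry except logs.dat gets a flag that would have been worth a second look even before the scanner named it: both Run-style values are autoruns, the Active Setup key name contains letters outside 0-9a-f, and svchost.exe under a user profile is a name/location mismatch. The same heuristics apply to any autorun listing (msconfig, Autoruns output) and are a reasonable first pass when a log shows an unfamiliar startup item like the hwvmGQL entry described in post 3.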

  5. evilfantasy

    evilfantasy Malware Fighter

    If you start disabling services it makes it harder for me to find them for removal. Please just stick to the guide and don't disable anything.

    Where was it downloaded from?
     
