UGH! Still Need Help

  1. #1
    Schizorabbit


    "Hijacked By Sasser"

    I showed my log from HijackThis and was told to delete all scrgrd.exe files. I have downloaded CWShredder and Bazooka to no avail. The files STILL come back every time they are deleted. I have now discovered 5 ways to delete the files and EVERY time they come back and my browser does not work effectively.

    There HAS to be a way to get rid of these files PERMANENTLY!

    Thank you to everyone who has tried to help; hopefully we all can get to the bottom of this eventually! I just ran another search on HijackThis. Here is the log:

    Thanks

    Derek


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\IC Media Corp\ICM532\Launchpad.exe
    C:\WINDOWS\System32\scrgrd.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijack This\Hijack This.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_ 12_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_ 12_0.dll
    O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
    O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
    O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1086864401854
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
    O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://static.flingstone.com/cab/200...Inc/bridge.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...148.0616319444
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BBC04A87-A74D-4E5D-ACF9-408C6E9ABBFC}: NameServer = 207.69.188.187 207.69.188.186

  2. #2
    Schizorabbit
    OK, I FINALLY found out EXACTLY what I have at www.sophos.com. Unfortunately they are the only company as of now who has a program to get rid of it, and it's only for large businesses and costs money. Here it is. Maybe one of the techs will be able to figure out how to get rid of it now that we have fully identified the problem.



    At the time of writing, Sophos has received just one report of this worm from the wild.


    Description
    W32/Rbot-AA is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

    W32/Rbot-AA spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

    W32/Rbot-AA copies itself to the Windows system folder as SCRGRD.EXE and creates registry entries MICROSOFT RESTORE under the following keys so as to run itself on system startup:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    W32/Rbot-AA may set the following registry entries:

    HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = "1"

    W32/Rbot-AA may try to delete network shares on the host computer.
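
    The indicators quoted above from Sophos, together with the HijackThis log in post #1, are enough to check such a log automatically. The following is an added example written for this thread; it is not part of the original posts, of HijackThis or of Sophos. It parses HijackThis-style output, flags the running scrgrd.exe process and the three "Microsoft Restore" autostart values, and expands the abbreviated HKLM\..\Run notation HijackThis prints to the full key listed in the Sophos text. The sample log embedded in the script is a constructed excerpt modelled on the posted log; the AVG autostart line in it is made up, to show a legitimate entry passing the check.

```python
"""Scan a HijackThis-style log for the W32/Rbot-AA indicators quoted in this
thread: the SCRGRD.EXE file in the Windows system folder and the
"Microsoft Restore" autostart value under the Run / RunServices keys.

Added example for this thread; not code from the original posts, from
HijackThis or from Sophos.
"""
import re

# Indicators taken from the Sophos description quoted in post #2.
INDICATORS = {
    "file_names": {"scrgrd.exe"},
    "autostart_values": {"microsoft restore"},
    "autostart_keys": {"run", "runservices"},
}

# Matches HijackThis O4 lines, e.g.
#   O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample, modelled on the log in post #1 (the AVG line is invented).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\scrgrd.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def command_image(cmd):
    """File name of the program an autostart command launches, without quotes or arguments."""
    m = re.match(r'^"?(.+?\.(?:exe|com|scr|bat|dll))\b', cmd, re.IGNORECASE)
    image = m.group(1) if m else cmd.split()[0]
    return basename(image)


def full_key(hive, key):
    """Expand HijackThis's 'HKLM\\..\\Run' shorthand to the full registry key."""
    return f"{hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\{key}"


def parse_log(text):
    """Split a HijackThis log into the running-process list and the O4 autostart entries."""
    processes, autostarts = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = O4_RE.match(line)
        if m:
            in_procs = False
            autostarts.append(m.groupdict())
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
        else:
            in_procs = False  # any other section line ends the process list
    return processes, autostarts


def scan(text, indicators=INDICATORS):
    """Return (kind, detail) findings for processes and autostart entries matching the indicators."""
    findings = []
    processes, autostarts = parse_log(text)
    for proc in processes:
        if basename(proc) in indicators["file_names"]:
            findings.append(("process", proc))
    for e in autostarts:
        reasons = []
        if command_image(e["cmd"]) in indicators["file_names"]:
            reasons.append("known worm file name")
        if (e["name"].lower() in indicators["autostart_values"]
                and e["key"].lower() in indicators["autostart_keys"]):
            reasons.append("known autostart value name")
        if reasons:
            detail = f"{full_key(e['hive'], e['key'])} [{e['name']}] = {e['cmd']}: " + "; ".join(reasons)
            findings.append(("autostart", detail))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

    Run as a script it prints one line per finding. What the scan makes visible is why the deletions keep failing: scrgrd.exe is still in the running-process list, and a running copy re-creates its file and its Run/RunServices values. The process has to be stopped first (Task Manager, or Safe Mode, where the Run keys are not processed at logon), then the file in the system folder and the three values removed. Since the Sophos text says the worm spreads to shares with weak passwords, share and account passwords on the same network should be changed afterwards.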

  3. #3
    jraimondi
    I recently had this as well. The file that keeps making it load is located in c:\windows\prefetch. Do a search for scrgrd.exe on your computer and it should find SCRGRD.exe xxxxxxxxxx xxxxxxxx.pf (where x is a bunch of numbers). Delete that and it won't start back up again.
