HijackThis Log - Inability to open Task Manager

kobaj

VIP Member
I'm sure it's my own stupid fault, too trusting with downloadable content. Basically I'm unable to open my Task Manager in Windows XP with the standard "Ctrl-Alt-Del" and my .mp3 files have been converted into useless Zip archives. Ran Ad-Aware, it says I'm clean, soo....

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:16:01 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\raymond\Desktop\HiJackThis_v2.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\opnllig.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dllhost.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Christmasville\Images\stg_drm.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183603009265
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Christmasville\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC03CE2D-3BF7-4109-A34E-7F3F82E85CB8}: NameServer = 192.168.2.1
O20 - Winlogon Notify: opnllig - C:\WINDOWS\SYSTEM32\opnllig.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 7407 bytes
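The log above, triaged mechanically. This is an added example and not part of the original post or of HijackThis: a small Python script that parses the "Oxx - ..." entry format and the "Running processes:" list and applies the checks a removal helper applies by eye (a BHO registered with no name, a Winlogon Notify DLL, an entry under the Windows 9x RunServices key, an executable dropped straight into the all-users Startup folder, a process using a Windows system-binary name from outside C:\WINDOWS), then cross-references the flagged file paths so that the same DLL appearing in two hooks stands out. The sample lines are a subset of the log posted above; the heuristics, the severity labels and the assumption that Windows is installed in C:\WINDOWS are the example's own.

```python
"""Triage a HijackThis log for the entry types that usually mean infection.

Added example, not part of the thread or of HijackThis. The heuristics,
severity labels and the C:\\WINDOWS system root are assumptions for illustration.
"""
import re
from pathlib import PureWindowsPath

# Windows binaries whose names malware borrows. One of these running from, or
# dropped into, a directory outside %SystemRoot% deserves a close look.
SYSTEM_BINARY_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "dllhost.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe",
}
SYSTEM_ROOT = "c:\\windows\\"               # assumption: default XP install location
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")   # e.g. "O20 - Winlogon Notify: ..."

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\opnllig.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dllhost.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Christmasville\Images\stg_drm.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183603009265
O20 - Winlogon Notify: opnllig - C:\WINDOWS\SYSTEM32\opnllig.dll
"""


def _outside_system_root(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_ROOT)


def triage(log_text: str) -> list:
    """Return (severity, entry_type, line, reason) for each entry worth a look.
    entry_type is the HijackThis section ("O2", "O20", ...) or "proc"."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            # Either a header line (ignored) or a running-process path.
            if in_processes:
                name = PureWindowsPath(line).name.lower()
                if name in SYSTEM_BINARY_NAMES and _outside_system_root(line):
                    findings.append(("high", "proc", line,
                        "system binary name running from outside C:\\WINDOWS"))
            continue
        in_processes = False
        kind, body = m.groups()
        if kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("high", kind, line,
                "browser helper object registered without a name"))
        elif kind == "O4" and "RunServices:" in body:
            findings.append(("high", kind, line,
                "RunServices is a Windows 9x autostart key that XP itself does not use"))
        elif kind == "O4" and body.startswith("Global Startup:"):
            item = body.split(":", 1)[1].strip()
            # Normal entries are shortcuts ("foo.lnk = C:\...\foo.exe"); a bare
            # executable means a file was dropped straight into the Startup folder.
            if " = " not in item and not item.lower().endswith(".lnk"):
                sev = "high" if item.lower() in SYSTEM_BINARY_NAMES else "medium"
                findings.append((sev, kind, line,
                    "executable placed directly in the all-users Startup folder"))
        elif kind == "O16" and "file://" in body:
            findings.append(("low", kind, line,
                "ActiveX control registered from a local file:// path; check the installer"))
        elif kind == "O20" and body.startswith("Winlogon Notify:"):
            findings.append(("high", kind, line,
                "DLL loaded into winlogon.exe at every logon; HijackThis hides the Windows defaults"))
    return findings


def correlate(findings: list) -> dict:
    """Map each file path cited by more than one flagged entry to those entry types."""
    cited = {}
    for _sev, kind, line, _reason in findings:
        path = line.rsplit(" - ", 1)[-1].strip().lower()   # last field is the path
        if re.match(r"^[a-z]:\\", path):
            cited.setdefault(path, []).append(kind)
    return {p: kinds for p, kinds in cited.items() if len(kinds) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sev, kind, line, reason in hits:
        print(f"[{sev:>6}] {kind:<4} {line}\n          {reason}")
    for path, kinds in correlate(hits).items():
        print(f"same file in {' and '.join(kinds)}: {path}")
```

Run against the sample, the script flags the Startup-folder dllhost.exe (both as a running process and as a Global Startup item), the unnamed BHO, the RunServices entry and the Winlogon Notify hook, and correlate() reports that opnllig.dll is cited by both the O2 and the O20 entry, which is the same pattern the helpers below act on. The O16 file:// entries come out as low severity because a locally installed program can legitimately register a control that way.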
 
Ceewi1 should be around soon; to save him some time, do this first.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 
Sure thing, and thanks a ton for the assistance. I know this is asking a lot for no real reconciliation, and I think it's great you guys are so willing to help out. Very appreciated from my end.

The ComboFix log:
Code:
ComboFix 07-12-21.4 - raymond 2007-12-23 23:22:47.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.193 [GMT -6:00]
Running from: C:\Documents and Settings\raymond\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
C:\temp\tn3
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\abc2\bmbrpl2.exe
C:\WINDOWS\system32\opnllig.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE


(((((((((((((((((((((((((   Files Created from 2007-11-24 to 2007-12-24  )))))))))))))))))))))))))))))))
.

2007-12-23 23:15 . 2007-12-23 23:15	<DIR>	d--------	C:\WINDOWS\ERUNT
2007-12-23 15:31 . 2007-12-23 15:31	<DIR>	d--------	C:\Program Files\Eidos
2007-12-18 19:00 . 1998-10-29 16:45	306,688	--a------	C:\WINDOWS\IsUninst.exe
2007-12-18 18:59 . 2007-12-18 18:59	0	--a------	C:\WINDOWS\OpPrintServer.INI
2007-12-18 18:58 . 2004-04-22 23:00	116,736	--a------	C:\WINDOWS\system32\CNMLM5y.DLL
2007-12-18 18:58 . 2004-03-11 18:06	86,016	--a------	C:\WINDOWS\system32\CNMCP5y.exe
2007-12-18 18:58 . 2004-04-23 07:00	7,680	--a------	C:\WINDOWS\system32\CNMVS5y.DLL
2007-12-18 18:57 . 2007-12-18 18:57	<DIR>	d--------	C:\WINDOWS\StartHtmico
2007-12-18 18:57 . 2007-12-18 18:57	<DIR>	d--------	C:\WINDOWS\IP1500
2007-12-18 18:57 . 2007-12-18 22:09	<DIR>	d--------	C:\Program Files\Canon
2007-12-17 23:42 . 2007-12-17 23:42	<DIR>	d--------	C:\Program Files\tamasoftware
2007-12-15 12:19 . 2007-12-15 12:19	68,096	---------	C:\app.exe
2007-12-15 12:19 . 2007-12-15 12:19	357	--a------	C:\WINDOWS\system32\x.dat
2007-12-15 12:19 . 2007-12-15 12:19	167	--a------	C:\WINDOWS\system32\8534.bat
2007-12-15 12:18 . 2007-12-16 11:30	<DIR>	d--------	C:\WINDOWS\system32\shel9
2007-12-15 12:18 . 2007-12-15 12:18	<DIR>	d--------	C:\WINDOWS\system32\oc9
2007-12-15 12:18 . 2007-12-15 12:18	<DIR>	d--------	C:\WINDOWS\system32\ipd1
2007-12-15 12:18 . 2007-12-15 12:18	<DIR>	d--------	C:\WINDOWS\system32\ineWc07
2007-12-15 12:18 . 2007-12-15 12:18	<DIR>	d--------	C:\WINDOWS\system32\ex1
2007-12-15 12:18 . 2007-12-15 12:18	<DIR>	d--------	C:\Temp\tpBe12
2007-12-15 12:18 . 2007-12-23 23:23	<DIR>	d--------	C:\Temp
2007-12-15 12:18 . 2007-12-15 12:18	78,360	--a------	C:\Program Files\uy.exe
2007-12-15 12:18 . 2007-12-15 12:18	256	--a------	C:\WINDOWS\system32\z.dat
2007-12-15 12:16 . 2007-12-15 12:16	147,456	--a------	C:\WINDOWS\system32\vbzip10.dll
2007-12-15 12:14 . 2007-12-15 12:14	<DIR>	d--------	C:\Program Files\ReflexiveArcade
2007-12-15 12:10 . 2007-12-15 12:10	<DIR>	d--------	C:\Documents and Settings\raymond\Application Data\SpinTop

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 21:37	98,304	----a-w	C:\WINDOWS\system32CmdLineExt.dll
2007-12-23 21:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-21 00:27	---------	d-----w	C:\Program Files\Lexmark X1100 Series
2007-12-20 04:19	---------	d-----w	C:\Documents and Settings\raymond\Application Data\OpenOffice.org2
2007-12-15 18:13	---------	d-----w	C:\Documents and Settings\raymond\Application Data\LimeWire
2007-12-15 18:11	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-01 15:25	---------	d-----w	C:\Program Files\Java
2007-11-28 04:52	---------	d-----w	C:\Program Files\Trillian
2007-11-14 12:12	---------	d-----w	C:\Program Files\iTunes
2007-11-14 12:12	---------	d-----w	C:\Program Files\iPod
2007-11-14 12:12	---------	d-----w	C:\Documents and Settings\raymond\Application Data\Apple Computer
2007-11-14 12:11	---------	d-----w	C:\Program Files\QuickTime
2007-11-14 12:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-14 12:10	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-14 12:10	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 23:28	---------	d-----w	C:\Documents and Settings\raymond\Application Data\uTorrent
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 06:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"bcmwltry"="bcmwltry.exe" [2003-07-25 17:28 C:\WINDOWS\system32\bcmwltry.exe]
"removecpl"="RemoveCpl.exe" []
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-02-08 18:09]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-15 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-30 11:51 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 07:42 C:\WINDOWS\soundman.exe]
"C-Media Mixer"="Mixer.exe" [2002-01-28 02:16 C:\WINDOWS\mixer.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43]
"NvMediaCenter"="RunDLL32.exe" [2006-03-15 06:00 C:\WINDOWS\system32\rundll32.exe]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 05:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
			bsjfbe.exe
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
			C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 20:22]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 20:23]
S3 FXDRV;FXDRV;C:\Program Files\SuperUtility\Fxdrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11f4294d-a7e5-11db-872e-00016ce45ac7}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba0c6b5-a2de-11db-9986-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 23:25:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-23 23:26:44 - machine was rebooted
.
2007-12-23 05:07:58	--- E O F ---

And the SDFix log:
Code:
SDFix: Version 1.119

Run by raymond on Sun 12/23/2007 at 11:15 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 

Name:
core

Path:
system32\drivers\core.sys 

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

Trojan Files Found:

C:\X.DAT - Deleted
C:\Z.DAT - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe  - Deleted
C:\Program Files\a.zip  - Deleted
C:\Program Files\b.zip  - Deleted
C:\Program Files\c.zip  - Deleted
C:\Program Files\A.ico  - Deleted
C:\Program Files\B.ico  - Deleted
C:\Program Files\Setup.exe  - Deleted
C:\Program Files\Track_03.exe  - Deleted
C:\Program Files\Video.exe  - Deleted
C:\DOCUME~1\raymond\LOCALS~1\Temp\removalfile.bat  - Deleted
C:\DOCUME~1\raymond\LOCALS~1\Temp\uninstall.exe  - Deleted
C:\n.bat  - Deleted
C:\d.exe  - Deleted
C:\winlogon.exe  - Deleted
C:\x.dat  - Deleted
C:\z.dat  - Deleted
C:\WINDOWS\retadpu1000520.exe  - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk  - Deleted
C:\WINDOWS\system32\drivers\core.sys  - Deleted
C:\WINDOWS\system32\f.exe  - Deleted
C:\WINDOWS\system32\p2pnetworking.exe  - Deleted
C:\WINDOWS\system32\pac.txt  - Deleted
C:\WINDOWS\system32\WINLOGO.EXE  - Deleted

x.dat and z.dat data copied to \SDFix\Data.txt


Folder C:\Temp\1cb - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found. 

C:\WINDOWS\system32
No streams found. 

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-23 23:19:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"="C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe:*:Enabled:Apache HTTP Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Enabled:BitLord"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
"D:\\gameprogramfiles\\steam\\steamapps\\innerrayg\\counter-strike source\\hl2.exe"="D:\\gameprogramfiles\\steam\\steamapps\\innerrayg\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue  5 Jun 2007           353 ...H. --- "C:\Boot.BAK"
Thu  2 Aug 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 18 Jan 2007             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Finished!

As a side note: I am now able to fully utilize my Task Manager; however, if there are other problems that need to be fixed, feel free to let me know. Again, it's all very appreciated.
 
Thanks, Buzz.

kobaj, your infections include a password-stealing trojan. Please navigate to C:\SDFix and open up the Data.txt file. Any passwords contained within that file are very likely compromised. You should find a known clean computer and change them immediately. If this includes any passwords to online banking, it would be wise to contact those financial institutions and inform them of your situation.

Do you know this file: C:\app.exe? If not, delete it.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\x.dat
    C:\WINDOWS\system32\8534.bat
    C:\Program Files\uy.exe
    C:\WINDOWS\system32\z.dat
    C:\WINDOWS\system32\vbzip10.dll
    
    Folder::
    C:\WINDOWS\system32\shel9
    C:\WINDOWS\system32\oc9
    C:\WINDOWS\system32\ipd1
    C:\WINDOWS\system32\ineWc07
    C:\WINDOWS\system32\ex1
    C:\Temp
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update Machine]
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [Screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
 
Alright, checked the passwords; didn't recognize anything in it or see anything important, so nothing to worry about there.
Code:
ComboFix 07-12-21.4 - raymond 2007-12-24 22:50:13.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.197 [GMT -6:00]
Running from: C:\Documents and Settings\raymond\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\raymond\Desktop\CFScript.txt
 * Created a new restore point

FILE
C:\Program Files\uy.exe
C:\WINDOWS\system32\8534.bat
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\x.dat
C:\WINDOWS\system32\z.dat
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\uy.exe
C:\Temp
C:\Temp\tpBe12\etFr.log
C:\WINDOWS\system32\8534.bat
C:\WINDOWS\system32\ex1
C:\WINDOWS\system32\ex1\kolcidr311.exe
C:\WINDOWS\system32\ineWc07
C:\WINDOWS\system32\ineWc07\ineWc071084.exe
C:\WINDOWS\system32\ipd1
C:\WINDOWS\system32\ipd1\zpr121dll.exe
C:\WINDOWS\system32\oc9
C:\WINDOWS\system32\oc9\qopre83122.exe
C:\WINDOWS\system32\shel9
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\x.dat
C:\WINDOWS\system32\z.dat

.
(((((((((((((((((((((((((   Files Created from 2007-11-25 to 2007-12-25  )))))))))))))))))))))))))))))))
.

2007-12-24 22:34 . 2007-12-24 22:34	167	--a------	C:\WINDOWS\system32\9102.bat
2007-12-23 23:15 . 2007-12-23 23:15	<DIR>	d--------	C:\WINDOWS\ERUNT
2007-12-23 15:31 . 2007-12-23 15:31	<DIR>	d--------	C:\Program Files\Eidos
2007-12-18 19:00 . 1998-10-29 16:45	306,688	--a------	C:\WINDOWS\IsUninst.exe
2007-12-18 18:59 . 2007-12-18 18:59	0	--a------	C:\WINDOWS\OpPrintServer.INI
2007-12-18 18:58 . 2004-04-22 23:00	116,736	--a------	C:\WINDOWS\system32\CNMLM5y.DLL
2007-12-18 18:58 . 2004-03-11 18:06	86,016	--a------	C:\WINDOWS\system32\CNMCP5y.exe
2007-12-18 18:58 . 2004-04-23 07:00	7,680	--a------	C:\WINDOWS\system32\CNMVS5y.DLL
2007-12-18 18:57 . 2007-12-18 18:57	<DIR>	d--------	C:\WINDOWS\StartHtmico
2007-12-18 18:57 . 2007-12-18 18:57	<DIR>	d--------	C:\WINDOWS\IP1500
2007-12-18 18:57 . 2007-12-18 22:09	<DIR>	d--------	C:\Program Files\Canon
2007-12-17 23:42 . 2007-12-17 23:42	<DIR>	d--------	C:\Program Files\tamasoftware
2007-12-15 12:14 . 2007-12-15 12:14	<DIR>	d--------	C:\Program Files\ReflexiveArcade
2007-12-15 12:10 . 2007-12-15 12:10	<DIR>	d--------	C:\Documents and Settings\raymond\Application Data\SpinTop

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 04:40	---------	d-----w	C:\Program Files\LimeWire
2007-12-23 21:37	98,304	----a-w	C:\WINDOWS\system32CmdLineExt.dll
2007-12-23 21:37	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-12-21 00:27	---------	d-----w	C:\Program Files\Lexmark X1100 Series
2007-12-20 04:19	---------	d-----w	C:\Documents and Settings\raymond\Application Data\OpenOffice.org2
2007-12-15 18:13	---------	d-----w	C:\Documents and Settings\raymond\Application Data\LimeWire
2007-12-15 18:11	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-01 15:25	---------	d-----w	C:\Program Files\Java
2007-11-28 04:52	---------	d-----w	C:\Program Files\Trillian
2007-11-14 12:12	---------	d-----w	C:\Program Files\iTunes
2007-11-14 12:12	---------	d-----w	C:\Program Files\iPod
2007-11-14 12:12	---------	d-----w	C:\Documents and Settings\raymond\Application Data\Apple Computer
2007-11-14 12:11	---------	d-----w	C:\Program Files\QuickTime
2007-11-14 12:11	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-11-14 12:10	---------	d-----w	C:\Program Files\Apple Software Update
2007-11-14 12:10	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 23:28	---------	d-----w	C:\Documents and Settings\raymond\Application Data\uTorrent
2007-10-29 22:35	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-12-23_23.26.23.09   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-24 05:15:31	3,661,824	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-12-25 04:44:05	3,661,824	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-12-24 05:15:31	208,896	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-25 04:44:05	208,896	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 06:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 15:56]
"bcmwltry"="bcmwltry.exe" [2003-07-25 17:28 C:\WINDOWS\system32\bcmwltry.exe]
"removecpl"="RemoveCpl.exe" []
"nTrayFw"="C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-02-08 18:09]
"NvCplDaemon"="RUNDLL32.exe" [2006-03-15 06:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-30 11:51 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 07:42 C:\WINDOWS\soundman.exe]
"C-Media Mixer"="Mixer.exe" [2002-01-28 02:16 C:\WINDOWS\mixer.exe]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 15:22]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 10:43]
"NvMediaCenter"="RunDLL32.exe" [2006-03-15 06:00 C:\WINDOWS\system32\rundll32.exe]
"UltraMon"="C:\Program Files\UltraMon\UltraMon.exe" [2007-04-01 05:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
			
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
			C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

R2 UltraMonUtility;UltraMon Utility Driver;C:\Program Files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [2006-09-24 20:22]
R3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys [2006-09-24 20:23]
S3 FXDRV;FXDRV;C:\Program Files\SuperUtility\Fxdrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Launcher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11f4294d-a7e5-11db-872e-00016ce45ac7}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cba0c6b5-a2de-11db-9986-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-24 22:51:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2007-12-24 22:51:33
C:\ComboFix2.txt ... 2007-12-23 23:26
.
2007-12-23 05:07:58	--- E O F ---

And the new HijackThis log:
Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:03:19 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\raymond\Desktop\HiJackThis_v2.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Christmasville\Images\stg_drm.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1183603009265
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Christmasville\Images\armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC03CE2D-3BF7-4109-A34E-7F3F82E85CB8}: NameServer = 192.168.2.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 6268 bytes
So, tell me the good news? :P
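Added example, not part of the original thread: a small triage pass over the HijackThis O4, O9 and O23 lines posted above. It flags autostart entries whose executable or DLL is given as a bare file name (Windows then resolves it through the search path rather than a fixed location, which is where a dropped look-alike binary would sit), stale entries whose target is missing, and services for which HijackThis could not read a vendor. The sample lines are copied from the log above; the classification rules are the author's own heuristics, not HijackThis's.

```python
"""Triage of HijackThis O4 / O9 / O23 lines (added example, not from the thread)."""
import re

# Constructed sample: a subset of the O4, O9 and O23 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?$", re.IGNORECASE)
# Drive letter, UNC path or %ENV%-rooted path: a fixed location, not a PATH lookup.
ABS_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%)")


def first_token(cmd):
    """Return the program part of a Run-key command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0]


def rundll_target(cmd):
    """For rundll32 the host executable is not the interesting part; the DLL it
    loads is.  The DLL is everything after the program up to the ',EntryPoint'."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2:
        return ""
    return parts[1].split(",", 1)[0].strip().strip('"')


def triage(log_text):
    """Return (section, entry name, reason) tuples for lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = first_token(m["cmd"])
            if RUNDLL_RE.match(exe.rsplit("\\", 1)[-1]):
                target = rundll_target(m["cmd"])
                if not ABS_RE.match(target):
                    findings.append(("O4", m["name"], f"rundll32 loads DLL via search path: {target}"))
            elif not ABS_RE.match(exe):
                findings.append(("O4", m["name"], f"bare file name resolved via search path: {exe}"))
            continue
        m = O4_LNK_RE.match(line)
        if m:
            if not ABS_RE.match(first_token(m["cmd"])):
                findings.append(("O4", m["name"], f"startup shortcut target is not absolute: {m['cmd']}"))
            continue
        if line.startswith("O9 - ") and line.endswith("(file missing)"):
            findings.append(("O9", line.split(" - ")[1], "stale entry: target file missing"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            # HijackThis prints this when the binary carries no company name in its
            # version resource; not proof of anything, but an entry to verify by hash.
            findings.append(("O23", m["name"], f"no vendor recorded for service binary: {m['path']}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {name:45} {reason}")
```

Everything this flags in the posted log is legitimate (the Broadcom, NVIDIA and Realtek entries happen to be installed as bare names in System32), which is the point of the check: it narrows the list to entries that need a path and a hash verified, rather than declaring anything malicious on its own.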
 
Those logs look clean, I'd just like to see the result of one online scan first.

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Screenshots: Kas-SaveReport-1.gif, Kas-Savetxt.gif]

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
 
Alright, so I got a huge list of problems from this; however, a lot of it looks like it's just stuff from my Restore Points. I also got a huge list of stuff from
C:\RECYCLER that looks like the kind of stuff I haven't used in years, so I'm assuming that's all archived as well. I had to delete stuff, so I picked those. I can try and post a truncated version of them later, but I'm not too worried.
Code:
-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, December 25, 2007 10:50:52 AM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 25/12/2007
 Kaspersky Anti-Virus database records: 493540
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	A:\
	C:\
	D:\
	E:\
	F:\

Scan Statistics:
	Total number of scanned objects: 87150
	Number of viruses found: 15
	Number of infected objects: 1790
	Number of suspicious objects: 0
	Duration of the scan process: 00:47:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\cert8.db	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\formhistory.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\history.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\key3.db	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\parent.lock	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\search.sqlite	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\urlclassifier2.sqlite	Object is locked	skipped
C:\Documents and Settings\raymond\Application Data\Realtime Soft\UltraMon\3.0.0\TaskbarBandState	Object is locked	skipped
C:\Documents and Settings\raymond\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\Cache\_CACHE_001_	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\Cache\_CACHE_002_	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\Cache\_CACHE_003_	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Application Data\Mozilla\Firefox\Profiles\8njdtto3.default\Cache\_CACHE_MAP_	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Temp\Perflib_Perfdata_90.dat	Object is locked	skipped
C:\Documents and Settings\raymond\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe/data.rar/wr.exe	Infected: Trojan-Downloader.Win32.Small.eqn	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe/data.rar	Infected: Trojan-Downloader.Win32.Small.eqn	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe	RarSFX: infected - 2	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\InDesign CS3 Keygen VLK.EXE/data0000.cab/rBot.exe	Infected: Backdoor.Win32.Rbot.enq	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\InDesign CS3 Keygen VLK.EXE/data0000.cab	Infected: Backdoor.Win32.Rbot.enq	skipped
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\InDesign CS3 Keygen VLK.EXE	Rsrc-Package: infected - 2	skipped
C:\Documents and Settings\raymond\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\raymond\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log	Object is locked	skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log	Object is locked	skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log	Object is locked	skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log	Object is locked	skipped
C:\qoobox\Quarantine\C\Program Files\uy.exe.vir	Infected: Virus.Win32.Fontra.c	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ex1\kolcidr311.exe.vir	Infected: Trojan-Downloader.Win32.Small.buy	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ipd1\zpr121dll.exe.vir	Infected: Trojan-Downloader.Win32.Small.gzs	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oc9\qopre83122.exe.vir/data0002	Infected: not-a-virus:AdWare.Win32.TTC.a	skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oc9\qopre83122.exe.vir	NSIS: infected - 1	skipped
C:\SDFix\backups\backups.zip/backups/a.zip/Setup.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/a.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/b.zip/Video.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/b.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/c.zip/Track_03.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/c.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/dllhost.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/f.exe	Infected: not-a-virus:PSWTool.Win32.FirePass.a	skipped
C:\SDFix\backups\backups.zip/backups/p2pnetworking.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/Setup.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/Track_03.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/Video.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups\backups.zip/backups/winlogo.exe	Infected: Trojan.Win32.VB.bky	skipped
C:\SDFix\backups\backups.zip	ZIP: infected - 13	skipped
C:\SDFix\backups_old1\backups.zip/backups/a.zip/Setup.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/a.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/b.zip/Video.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/b.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/c.zip/Track_03.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/c.zip	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/d.exe	Infected: Trojan-Downloader.Win32.Small.gwf	skipped
C:\SDFix\backups_old1\backups.zip/backups/dllhost.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/f.exe	Infected: not-a-virus:PSWTool.Win32.FirePass.a	skipped
C:\SDFix\backups_old1\backups.zip/backups/p2pnetworking.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/Setup.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/Track_03.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/Video.exe	Infected: Virus.Win32.Fontra.c	skipped
C:\SDFix\backups_old1\backups.zip/backups/winlogo.exe	Infected: Trojan.Win32.VB.bky	skipped
C:\SDFix\backups_old1\backups.zip	ZIP: infected - 14	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1D59A55E-F039-45A0-ABF6-A6E62844EB11}.crmlog	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\app_filter_ui.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\Media Ce.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\nmp.log	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\system32\_nvidia_xxx_.log	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped
D:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
F:\hiberfil.sys	Object is locked	skipped
F:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl	Object is locked	skipped

Scan process completed.
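Added example, not part of the original thread: a script that sorts a Kaspersky Online Scanner report of the kind posted above into what still needs action and what does not. The tab-separated line format is that of the report; the three location classes (live file, a cleanup tool's own quarantine or backup, a Restore Point or Recycler entry) are the author's own triage categories, chosen to match the distinction drawn later in the thread. Archive members are reported as `outer.zip/inner.zip/member`, so detections are folded back to the outermost on-disk file, which is the only thing one can actually delete. The last two sample lines are constructed stand-ins (placeholder GUID and SID) for the Restore Point and RECYCLER entries the poster trimmed.

```python
"""Triage of a Kaspersky Online Scanner report (added example, not from the thread)."""
import re

LOCKED = "Object is locked"
# "Infected: <name>" carries a detection name; "ZIP: infected - 13" style lines are archive summaries.
DETECTION_RE = re.compile(r"^Infected: (\S+)$")
# On-disk prefixes where ComboFix and SDFix park what they already removed (assumed from the report paths).
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\sdfix\\")
# Restore Points and the Recycle Bin: cleared by toggling System Restore / emptying the bin.
CONTAINER_RE = re.compile(r"^[a-z]:\\(system volume information|recycler)\\", re.IGNORECASE)

# Constructed sample, tab-separated like the report above.  The first seven lines are
# copied from the report; the last two are placeholders for the trimmed entries.
SAMPLE_LINES = [
    (r"C:\Documents and Settings\raymond\NTUSER.DAT", "Object is locked", "skipped"),
    (r"C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe/data.rar/wr.exe",
     "Infected: Trojan-Downloader.Win32.Small.eqn", "skipped"),
    (r"C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe",
     "RarSFX: infected - 2", "skipped"),
    (r"C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\InDesign CS3 Keygen VLK.EXE/data0000.cab/rBot.exe",
     "Infected: Backdoor.Win32.Rbot.enq", "skipped"),
    (r"C:\qoobox\Quarantine\C\Program Files\uy.exe.vir", "Infected: Virus.Win32.Fontra.c", "skipped"),
    (r"C:\SDFix\backups\backups.zip/backups/a.zip/Setup.exe", "Infected: Virus.Win32.Fontra.c", "skipped"),
    (r"C:\SDFix\backups_old1\backups.zip", "ZIP: infected - 14", "skipped"),
    (r"C:\System Volume Information\_restore{GUID}\RP1\A0000001.exe", "Infected: Virus.Win32.Fontra.c", "skipped"),
    (r"C:\RECYCLER\S-1-5-21-0-0-0-1000\Dc3.exe", "Infected: Virus.Win32.Fontra.c", "skipped"),
]
SAMPLE_REPORT = "Infected Object Name / Virus Name / Last Action\n" + "\n".join(
    "\t".join(fields) for fields in SAMPLE_LINES)


def on_disk_path(obj):
    """Fold 'outer.zip/inner.zip/member' back to the outermost file on disk."""
    return obj.split("/", 1)[0]


def classify(path):
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if CONTAINER_RE.match(path):
        return "restore_or_recycler"
    return "live"


def triage(report):
    """Map each bucket to {on-disk path: set of detection names}.  Locked objects
    are kept apart: they were never scanned, so they are neither clean nor infected."""
    buckets = {"live": {}, "quarantine": {}, "restore_or_recycler": {}, "locked": set()}
    for line in report.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue                      # header, settings and statistics lines
        obj, status = fields[0], fields[1]
        if status == LOCKED:
            buckets["locked"].add(obj)
            continue
        if "infected" not in status.lower():
            continue
        path = on_disk_path(obj)
        names = buckets[classify(path)].setdefault(path, set())
        m = DETECTION_RE.match(status)
        if m:
            names.add(m.group(1))
    return buckets


def action_list(buckets):
    """Files the user has to remove by hand: live detections only."""
    return sorted(buckets["live"])


if __name__ == "__main__":
    b = triage(SAMPLE_REPORT)
    for bucket in ("live", "quarantine", "restore_or_recycler"):
        print(f"{bucket}: {len(b[bucket])} file(s)")
        for path, names in sorted(b[bucket].items()):
            print(f"  {path}  [{', '.join(sorted(names)) or 'archive summary'}]")
    print(f"locked (not scanned): {len(b['locked'])}")
```

The locked bucket deserves a glance rather than being ignored: registry hives, event logs and browser databases are expected there, but an unexplained locked executable would be a reason to rescan from outside the running system.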
 
If these are the only items it's found other than those in Recycler and System Restore, then that's OK. Your logs appear to be clear of malware, just some final cleanup to do. Please empty your Recycle Bin, and delete the following files, they're trojan infectors:
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\Adobe.CS3.Design.Premium.Keygen.exe
C:\Documents and Settings\raymond\My Documents\My eBooks\CloneHigh\InDesign CS3 Keygen VLK.EXE


Please delete the following folder:
C:\SDFix

Please click on Start -> Run. Type the following command and click OK:
ComboFix /u

Please also turn off System Restore, and turn it back on again. This will clean out your infected Restore Points. To do so:

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Then to turn it back on again:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

I notice that you do not seem to be running antivirus software. This is somewhat suicidal in today's digital world. AVG makes an excellent free antivirus client, as do AntiVir or avast!.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and are looking for anti-spyware programs, you can find out whether a program is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 