
Thread: something awful


  1. #1

    something awful and lots of wasted time, please please help!

    Hello, something nasty has infected my computer. For some reason I tried to fix it myself, failed, then decided a fresh install of Windows was needed. I wiped my HD clean, rebuilt the nLite install from a fresh Windows install, then reinstalled with my nLite SP3 version of XP. But sadly I am experiencing all the same problems again (and I already called Microsoft to reactivate Windows).

    Basically, executables that are downloaded from the net or transferred from a disk (like a computer music mag dvd) are being replaced by nasty files that I can't delete and which aren't showing up on any scans. From what I can tell, trojans and other malware are being installed here and there. Some files are showing the correct size upon download, others aren't at all. The former will generally (mostly) install as though normal, the latter don't even try to act like they're a safe file and won't (appear) to work or don't get very far if an install manager does pop up.

    Most scans I have tried are not showing anything at all.

    I also ran combofix a bit earlier and included the log along with the others.

    Particular targets seem to be my Evoluent mouse drivers, NVIDIA drivers, and spyware/antivirus/firewall programs I've tried to install, although any .exe seems to be vulnerable. Once I try to delete or clean infected files my computer quickly grinds to a halt on startup and/or shutdown. WindowBlinds also seems to have been severely destabilized, especially on startup (a moment after my desktop appears the display will flash in the colors of the skin I have loaded, then the desktop returns to normal; at this point the computer will freeze up on occasion).

    I am so ready to get over this junk!
    Attached Files
    Last edited by philtro; 11-27-2008 at 03:32 AM.

  2. #2

    please please please help...

    I've been tinkering around, haven't made things worse, but there still seems to be something fishy going on. I've added new HJT logs, plus a log from RootkitRevealer.

    any help would be extremely appreciated!
    Attached Files

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Sorry to take so long; Thanksgiving, you know. I will go through all your logs and get back to you later.
    Judy

  4. #4
    I understand, and Happy Thanksgiving

  5. #5
    I honestly see nothing. Try this:
    Please download Dr.Web CureIt!
    Save the folder to your desktop.
    Don't run it yet.

    Now reboot into Safe Mode.
    This can be done tapping the F8 key as soon as you start your computer
    You will be brought to a menu where you can choose to boot into safe mode.
    Make sure you choose the option without networking support.

    Run Dr.Web CureIt!
    Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "Start the express scan now?".
    It will first make a quick scan of your system; let it clean what it finds, and when it says "done" in the lower left corner, click on all your drives.
    A red dot will mark the selected drive(s). Then click the pedestrian icon, which has now turned green.
    Click on the green man in the right corner; it will scan ALL your drives. Click "Yes to all".

    Click "Yes to all" if it asks whether you want to cure/move the file.
    When the scan has finished, in the menu, click File and choose Save report list.
    Save the report to your desktop. The report will be called DrWeb.csv.
    Close Dr.Web CureIt!
    Reboot your computer back into normal mode.
    Post back here with the log.

  6. #6
    OK, this program found some stuff:

    Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

    MixedInKey_3.0.1.exe\data012;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1\MixedInKey_3.0.1.exe;BackDoor.Bifrost.740;;

    MixedInKey_3.0.1.exe;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1;Archive contains infected objects;Moved.;

    A0000270.exe\data012;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2\A0000270.exe;BackDoor.Bifrost.740;;

    A0000270.exe;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2;Archive contains infected objects;Moved.;

    I also ran across a computer scan at http://onecare.live.com/site/en-us/d..._cid=WLService, which found a few things earlier today. I couldn't find any log files left behind from it though...
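An added example, not part of the thread or of Dr.Web's own tooling: a small Python parser for the DrWeb.csv report format shown above (one detection per line, fields `object;directory;threat;action;`), run over the five posted lines re-typed as a constructed sample with the forum's line-wrap spaces removed. It tells apart a component found inside an archive or installer (the `\data012` entries, whose directory field is the full path of the container) from the container's own entry, lists detections with no action recorded that were not covered by an action on their container, and flags copies that sit inside a System Restore point. The field meanings and the helper names are my assumptions from the lines shown.

```python
"""Parse a Dr.Web CureIt! report (DrWeb.csv) and report what was neutralised and what was not."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the five report lines from the post above, with the
# forum's line-wrap spaces inside "BackDoor.Bifrost.740" removed.
SAMPLE_REPORT = r"""
Process.exe;C:\WINDOWS\system32;Tool.Prockill;;
MixedInKey_3.0.1.exe\data012;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1\MixedInKey_3.0.1.exe;BackDoor.Bifrost.740;;
MixedInKey_3.0.1.exe;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1;Archive contains infected objects;Moved.;
A0000270.exe\data012;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2\A0000270.exe;BackDoor.Bifrost.740;;
A0000270.exe;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2;Archive contains infected objects;Moved.;
"""

# Assumed marker for Windows XP System Restore point storage (matched case-insensitively).
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    obj: str        # "name" or "name\data012" for a component inside an archive/installer
    directory: str  # folder of the object; for inner components, the full path of the container
    threat: str
    action: str     # "" = detected only; "Moved."/"Cured."/"Deleted." = acted on

    @property
    def is_inner(self) -> bool:
        return "\\" in self.obj

    @property
    def container_path(self) -> str:
        """Full path of the file on disk that holds this detection."""
        if self.is_inner:
            return self.directory
        return self.directory.rstrip("\\") + "\\" + self.obj

    @property
    def drive(self) -> str:
        return self.container_path[:2].upper()

    @property
    def in_restore_point(self) -> bool:
        return RESTORE_MARKER in self.container_path.lower()


def parse_report(text: str) -> List[Detection]:
    """Each non-empty line is 'object;directory;threat;action;' (note the trailing ';')."""
    dets: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"malformed DrWeb.csv line: {raw!r}")
        obj, directory, threat, action = (f.strip() for f in fields[:4])
        dets.append(Detection(obj, directory, threat, action))
    return dets


def unresolved(dets: List[Detection]) -> List[Detection]:
    """Detections neither acted on directly nor covered by an action on their container file."""
    acted = {d.container_path.lower() for d in dets if d.action}
    return [d for d in dets if not d.action and d.container_path.lower() not in acted]


def summarise(dets: List[Detection]) -> Dict[str, object]:
    """Drives touched, distinct threat names, files left in place, and restore-point copies."""
    return {
        "drives": sorted({d.drive for d in dets}),
        "threats": sorted({d.threat for d in dets if not d.threat.startswith("Archive contains")}),
        "unresolved": [d.container_path for d in unresolved(dets)],
        "restore_point_hits": sorted({d.container_path for d in dets if d.in_restore_point}),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the posted lines this reports two drives (C: and F:), the Bifrost backdoor and the Tool.Prockill detection, one file with no action recorded (Process.exe in system32), and one copy of the infected installer inside a restore point on F:. The last two are the items a practitioner would act on next: a detection with an empty action field is still on disk, and anything under `System Volume Information\_restore` comes back if that restore point is ever applied, which is why cleanup guides have you turn System Restore off and back on after the machine is clean.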

  7. #7
    Quote Originally Posted by philtro View Post
    OK, this program found some stuff:

    Process.exe;C:\WINDOWS\system32;Tool.Prockill;;

    MixedInKey_3.0.1.exe\data012;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1\MixedInKey_3.0.1.exe;BackDoor.Bifrost.740;;

    MixedInKey_3.0.1.exe;F:\My Documents\programs\Mixed In Key\MixedInKey_3.0.1;Archive contains infected objects;Moved.;

    A0000270.exe\data012;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2\A0000270.exe;BackDoor.Bifrost.740;;

    A0000270.exe;F:\System Volume Information\_restore{735ADBFB-D616-4DC5-8780-444AE0870117}\RP2;Archive contains infected objects;Moved.;
    I am still baffled as to how these results didn't make it clear that I had more than a C: drive/partition. I assumed all along that you were seeing other drive letters than C:.

    Once again, I thank you for your time and help.

    Phillip

  8. #8
    Now update MBA-M. Delete ComboFix and download a new copy. Shut down the computer.
    Disconnect from the Internet; I mean remove the cable from the computer so there is no way any connection can be made by any nasty program on the computer. Reboot the computer. Run a full scan with MBA-M and remove everything found.
    Reboot, but still stay disconnected from the Internet.
    Turn off antivirus, firewall and all other anti-spyware programs and run ComboFix.
    When that completes, save the log.
    Shut down the computer. Reconnect the Internet cable.
    Reboot and post those two logs here.

  9. #9
    OK, here are the next ones.
    Attached Files

  10. #10
    Download SDFix.exe and save it to your desktop.
    Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
    A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open Notepad with further instructions.

    1. Next, please reboot your computer into Safe Mode by doing the following:
      1. Restart your computer
      2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
      3. Instead of Windows loading as normal, a menu should appear
      4. Select the first option, to run Windows in Safe Mode.
      5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

    2. When your computer has started in Safe Mode, and you see the desktop, close all open windows.
    3. Click on the Start button, click on the Run menu option, and type the following into the Open: field:

      C:\SDFix\RunThis.bat

      Then press the OK button.
    4. The SDFix window will open containing some brief info and a disclaimer on the use of the tool.

    If you want to continue, please press the Y key on your keyboard and then press Enter.
    SDFix will now start scanning your computer for known infections.
    This process can take a while, so you may want to do something else and periodically check back on the status of SDFix. As the scanning process continues you will continue to see new messages on the screen.
    When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.

    At this point you should press any key on your computer's keyboard in order to restart the computer.
    After your computer reboots SDFix will automatically start and perform a last check.
    You will now be presented with a screen stating that SDFix has finished.
    At this point you should press any key on your computer's keyboard in order to continue to your desktop.
    When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
    Please save this log and post back here with it. I ask that you please copy/paste the log and don't attach it.
