something awful

[jholland1964]

...I was wondering if it might be possible to tell what the primary infection(s) might have been or even where they came from, ie internet browsing or downloading an infected executable. I even suspect my original install of nlite was infected from months ago, is this possible?

I can't say whether your original install of nlite was infected, this is out of my realm of knowledge as I honestly don't know anything about nlite. Though I can honestly say, as far as I know, your thread is the first one I have worked on with an nlite install AND this is the first time I have ever seen the BackDoor .Bifrost Trojan but this doesn't necessarily mean this nlite install was the reason for the infection, I just don't know.
But I can tell you a "bit" about the infections found. First of all they were Trojans, not viruses. Most anti-virus programs won't stop them or even find them. Spybot is an anti-malware program and generally doesn't stop items from coming onto the computer, though it certainly will remove many.
Trojan do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include spam emails, IRC, P2P networks, newsgroup postings, etc.
The ones found by the Dr. Web-Cureit program were
BackDoor .Bifrost. Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Vista which are the result of "drive by downloads" meaning these are installed without the users knowledge. This one is possibly the result of a Windows Metafile vulnerability in 2005 the Windows WMF exploit was used to drop new variants of Bifrost to machines. There is a patch available from Microsoft for this vulnerability.
Computers can also be affected via the spread of infected e-mails which may carry the hacked WMF file as an attachment. Infection may also result from:

* Viewing a website in a web browser that automatically opens malicious WMF files, in which case any potential malicious code may be automatically downloaded and opened. This includes Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996.
* Previewing an infected file in Windows Explorer.
* Viewing an infected image file using some vulnerable image viewing programs.
* Previewing infected emails in older versions of Microsoft Outlook and Outlook Express.
* Indexing a hard disk containing an infected file with Google Desktop.
* Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.

I honestly cannot say how your computer was infected.
Now for anti-virus programs, like I said, they work to protect your computer from Viruses and a Trojan is not a virus. Myself, I use the FREE version of Antivir and am very satisfied with it. It doesn't automatically scan this must be done manually but it does automatically update, at the very least daily, sometimes more than once a day. I use Spybot for scanning and I also use MBA-M for scanning and it does normally remove most Trojans. I also use the Windows Firewall and also am very satisfied with it and I use SpywareBlaster. I wouldn't run my computer without it. It is FREE. It does NOT run in the background but it DOES protect a computer from spyware, adware, browser hijackers, and dialers and to quote it's website

Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
Block spying / tracking via cookies.
Restrict the actions of potentially unwanted or dangerous web sites.

I can tell you it works, without a doubt.

I would suggest to be safe that you run a scan with ESET Online scanner and allow it to fix or remove whatever is found. This online scan picks up a lot of things that other online scanners don't and it DOES fix.

• You will need to use Internet Explorer to to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is Checked
  
• and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Let me know if it finds anything and their locations.

[philtro]

Thanks so much for explaining my situation in some detail. I'm going to try your suggestions for protection in this next chapter of my computer's life.

here's the ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3651 (20081129)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=288391cf951c144cbbbaed2390ca3185
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-30 07:48:20
# local_time=2008-11-30 12:48:20 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=187012
# found=0
# scan_time=1299

[jholland1964]

Looks good to me. Are things running better or not?

[philtro]

Oh yeah, it's a definite improvement, especially when i'm browsing. Explorer seems to have it's old snappiness back too. I'm going to do another reinstall for a nice clean start...
I really must say thank you once more, this infection wreaked havoc on me for the last couple of weeks and it feels so good to have it gone!
Phillip

[jholland1964]

Oh yeah, it's a definite improvement, especially when i'm browsing. Explorer seems to have it's old snappiness back too. I'm going to do another reinstall for a nice clean start...
I really must say thank you once more, this infection wreaked havoc on me for the last couple of weeks and it feels so good to have it gone!
Phillip

If you were going to do a clean install then none of this was necessary. All of these would have been removed with the format and reload.

[philtro]

I already tried a reformat and reload, it's failure is what led me here finally. I even used a file wiper to clean my installation drive. I have a few data drives that weren't wiped, and I know things were found in them by all the scans I've run.

[jholland1964]

If things were found and cleaned then they are clean. Sorry but I found your statement somewhat dismaying. Makes me wonder why I took the time if now you are going to wipe the drive and start over. Your choice I guess but a waste of time for me.

[philtro]

I don't know if you're missing something, or possible I am, but I fail to see how this was a waste of time.
As I mentioned in my first post, this is already a fresh install from a day or two before I came here asking for help. You are saying a fresh install at this point renders the help you gave me useless, but why would another reinstall fix it when the first one didn't? Considering I have multiple hard drives and only the Sys Drive was wiped, isn't it still necessary to clean the whole computer, or any reinstall is going to end up infected again? If not then I just had incredibly bad luck in getting an new instant infection after my re installation attempt.

I don't want to waste anymore of your time. I am extremely grateful for your help and I'm quite convinced it was necessary. I'm sorry for any misunderstanding.

Phillip

[jholland1964]

Considering I have multiple hard drives and only the Sys Drive was wiped, isn't it still necessary to clean the whole computer, or any reinstall is going to end up infected again?

Well yes, but what I am saying is, I guess, I had no idea you had multiple drives on the computer. What you said originally was

I wiped my HD clean

meaning to ME ONE hard drive period.
You said other files were

executables that are downloaded from the net or transferred from a disk (like a computer music mag dvd) are being replaced by nasty files that I can't delete and which aren't showing up on any scans.

You never gave me complete information. I had no idea there were

multiple hard drives

until just now. If I had known this I would have had you go about this in a different way because this tells me the infection originates on one of these OTHER hard drives NOT the one we just worked nearly 5 days to clean. We could have cleaned them all at one time in this same time and you would have been done with it. If you keep wiping this drive we just worked on it is going to be infected again, just as fast, it isn't going to keep it clean because the originating infection just doesn't reside on it. It lives someplace else. But the entire system could have been 100% infection free right now if I had been given full information.

[philtro]

Ok I understand what you mean. I didn't realize I left out 'system' from "i wiped my HD clean" and it appeared I only had one drive on my computer. The only other clues are in the rootkit reveal log where it shows a drive C: and E: and the infections found by DR web, which shows an f: drive, but they could easily be assumed as partitions on the same disk, hence all wiped at once.... I'm glad you see that my ultra fresh install wasn't going to have made this all in vain, but i'm very sorry the misunderstanding has created this newer issue... hopefully it's not far from cleaned, if not already?