I inadvertantly installed a virus because windows media player asked me to download a mp3codec and I accepted expecting that if it was a virus Norton would catch it.

It mainly seems to effect Internet explorer. when I open it, it will open two windows with various ads ranging from adware removers to a porn site once, it seems to like search engines mainly. I have three users though and it seems that the first user to log in gets the previously mentioned symptoms. Any other user that logs on has Internet Explorer lock up on them on start up.

I have went through the "Read me first" thread so I will post what all I have done:

ran Atf-Cleaner
went through add and remove programs
ran windows malicious software removal tool
downloaded and ran malawrebytes anti-malware
ran the ESET Online scanner

MBA-M Found quite a few things but didn't find the root of the problem everything keeps coming back.

Windows malicious software removal tool didn't find anything.

The ESET scanner would be what I say is the best, it finds everything, but when I look at the log it doesn't delete or clean everything successfully.

one file bugs me, extmgr32.dll and I don't know how to delete it because it says access denied.

I went to c:windows/system32/ and changed the name to extm.dll and something created another extmgr32.dll. I can delete the new extmgr32.dll but everytime I do a new one appears. The extm.dll I can't delete.

I attached all the logs that I have, that I know where they are. I have an eset log a hijackthis log and three MBA-M logs two showing dirty and 1 showing clean. If anyone wants my Norton log and knows where it's at I'll get that for them. Also I have ran Windows Defender with nothing found. I searched extmgr32.dll on ask.com and found an antivirus site called Prevx CSI, I downloaded thier free trial and it found extmgr32.dll as a problem but you have to buy a license to clean it. I figure there's a good chance it will only clean it as good as ESET which after multiple boots and multiple scans has yet to successfully delete the main problem.

Please and Thanks for any help you can give me.

Recommended Answers

All 15 Replies

Hi welcome to daniweb, I am presently going through your logs and will post back ASAP, a request however, next time don't attach logs but copy pasted them to the post.
Judy

Ok, several things I see here in the logs.
#1 the ESET scanner clearly says this in the log created at 6:01

C:\WINDOWS\system32\extmgr32.dll Win32/Agent.OAF trojan (unable to clean - deleted (after the next restart))

meaning you should have shut down immediately after the scan and restarted, did you do this then or at a later time after you had renamed the file?
The first MBA-M scan was done at 7:09 and found and removed all those Adware.MyWebSearch, this was a Quick Scan not a full scan. The second MBA-M run was at 7:31 and nothing was found. The third MBA-M scan was done at 8:25, was a full scan and DID again find Adware.MyWebSearch BUT what this tells me is that this scan was done AFTER a reboot because all of these were found in your System Restore so they were of no harm unless you had used that restore point to do a system restore, I know you didn't, MBA-M then removed those items from System Restore so they should be gone now. The restore point was made when MBA-M first removed the Adware.MyWebSearch but didn't show up until you did a reboot. This is quite common for this to happen, it is a change to specific files so Windows automatically backs those up in case they are needed.

You need to go in and UNINSTALL that Prevx CSI. It may have found something but it's website clearly says

It will also remove Adware infections for free!

well obviously that is not true if you were told you would have to purchase to remove so Uninstall this program. It IS running on your system, it shows in your HJT log, which can interfere with fixes attempted.
I would like you to try the following AFTER Uninstalling the Prevx CSI program.
Make sure that Windows Defender is TURNED OFF. Leave it off, the same goes for Diskeeper. There is no reason this program needs to be running at start up or running all the time. It can be run manually.

Update MBA-M, there have been two database updates since you last updated. It is now database version 1401 your database version shows as 1399.
Reboot the computer in Safe Mode
Run MBA-M again, Full System Scan. Let's see if it will pick up more items. Let it fix everything it finds. Reboot if it is necessary for cleaning.

After rebooting run a new HJT scan and place a check mark next to the following entries if they still exist.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Morpheus Premium\Plugins\RazaWebHook.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll
Once you have placed the check marks then click the Fix Checked button.
Exit HJT.
Reboot.
Run a new scan with HJT and post back with THAT log and also the MBA-M log, and please only run MBA-M once as instructed.

Yes, I did reboot after that scan. I have scanned with updated MBA-M and it found nothing. Logs posted below. Thanks.


Malwarebytes' Anti-Malware 1.30
Database version: 1401
Windows 5.1.2600 Service Pack 3

11/16/2008 3:13:49 AM
mbam-log-2008-11-16 (03-13-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 151992
Time elapsed: 52 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:16 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\All Users\Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225388563154&h=ea5581ffb58b5e56d1742eb26a73b4a6/&filename=jinstall-6u10-windows-i586-jc.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7197 bytes

Well I see that the two extmgr32.dll entries are still in the log.
So do the following. Please read this instructions carefully and follow them exactly.


Download ComboFix Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop
Do NOT open any unnecessary programs at this time. If you have IM programs which open automatically when booting, please close them completely. Make sure all browsers are closed completely.

Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When you double click this combofix icon you may receive a warning note asking if you are sure you want to run the program. This is because combofix doesn't have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
Combofix will then show a screen stating it is preparing to run, ending with a disclaimer screen. You must accept this disclaimer by pressing "1". Then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically. Save this log to the desktop so that you can find it easily.
Post back here with a copy/paste of that log.

Ran combo fix as you said it wanted me to download some system restore manager or something like that, so I let it do that. Also when it was done there was a new internet explorer icon on my desktop. Should I use the new one or the old one? Here is the ComboFix Log.

ComboFix 08-11-14.01 - Richard Fedie 2008-11-16 13:12:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2843 [GMT -6:00]
Running from: c:\documents and settings\Richard Fedie\My Documents\antivirus\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Diana\Application Data\FunWebProducts
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\3.tmp
c:\windows\system32\6.tmp

.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-16 02:18 . 2008-11-16 02:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-16 02:17 . 2008-11-16 02:17 <DIR> d-------- c:\documents and settings\Administrator
2008-11-15 19:00 . 2008-11-16 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-15 16:17 . 2008-11-15 16:40 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-14 21:16 . 2008-11-14 21:16 <DIR> d-------- c:\documents and settings\Diana\Application Data\Malwarebytes
2008-11-14 20:38 . 2008-11-14 20:38 <DIR> d-------- c:\documents and settings\Scott\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 19:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 23:29 . 2008-11-13 23:29 <DIR> d-------- c:\program files\Windows Defender
2008-11-13 21:59 . 2008-11-13 22:07 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-13 21:59 . 2008-11-13 22:07 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-13 21:50 . 2008-04-14 06:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-13 19:50 . 2008-11-13 19:50 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\ErrorSmart
2008-11-13 18:46 . 2008-11-15 20:52 8,269 --a------ c:\windows\GnuHashes.ini
2008-11-13 18:36 . 2008-11-15 20:44 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-13 18:36 . 2008-11-15 20:28 135,168 --a------ c:\windows\system32\extmgr32.dll
2008-11-13 18:36 . 2008-11-15 20:44 1,848 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-11-11 18:12 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-11-04 18:27 . 2008-11-04 18:27 0 --a------ c:\windows\PowerReg.dat
2008-11-04 18:21 . 2008-11-04 18:21 <DIR> d-------- c:\program files\Infogrames Interactive
2008-11-02 16:58 . 2008-11-02 16:58 <DIR> d-------- c:\documents and settings\Diana\Application Data\HP
2008-11-02 02:11 . 2008-11-05 21:41 <DIR> d-------- C:\CreatePhotoCalendars
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Nova Development
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Common Files\Nova Development
2008-10-30 11:42 . 2008-10-30 11:42 <DIR> d-------- c:\windows\Sun
2008-10-30 11:41 . 2008-10-30 11:41 <DIR> d-------- c:\program files\Java
2008-10-30 11:41 . 2008-11-03 23:23 <DIR> d-------- c:\program files\Google
2008-10-30 11:41 . 2008-10-30 11:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-30 11:41 . 2008-10-30 11:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-28 17:09 . 2008-10-28 17:09 0 --a------ c:\windows\system32\sam.ini
2008-10-28 14:25 . 2008-10-28 19:12 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-28 12:19 . 2008-10-28 12:19 <DIR> d-------- c:\documents and settings\Scott\Application Data\Atari
2008-10-28 12:08 . 2008-10-28 12:08 <DIR> d-------- c:\documents and settings\Scott\Application Data\DivX
2008-10-26 20:48 . 2008-10-26 20:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SimCity Societies
2008-10-26 19:30 . 2008-10-26 19:30 <DIR> d-------- c:\documents and settings\Scott\Application Data\Yahoo!
2008-10-26 18:59 . 2008-10-26 18:59 <DIR> d-------- c:\documents and settings\Diana\Application Data\Yahoo!
2008-10-26 18:19 . 2008-10-26 18:19 <DIR> d-------- c:\program files\Electronic Arts
2008-10-26 18:08 . 2008-10-26 18:08 <DIR> d-------- c:\program files\Rockstar Games
2008-10-26 18:05 . 2008-10-26 18:05 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Yahoo!
2008-10-26 17:59 . 2008-11-04 07:44 <DIR> d-------- c:\program files\Yahoo!
2008-10-26 17:59 . 2008-10-27 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-26 17:56 . 2008-10-26 17:56 <DIR> d-------- c:\program files\Yahoo! Games
2008-10-26 17:42 . 2008-10-26 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-10-26 17:32 . 2008-10-26 17:32 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\HP
2008-10-26 17:31 . 2008-10-26 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-26 17:31 . 2007-11-08 08:59 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-10-26 17:31 . 2007-10-20 17:25 117,760 --a------ c:\windows\system32\hpzll5mu.dll
2008-10-26 17:29 . 2008-10-26 17:29 <DIR> d-------- c:\program files\Common Files\HP
2008-10-26 17:29 . 2008-11-03 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-26 17:28 . 2008-11-03 23:18 <DIR> d-------- c:\program files\HP
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-26 17:25 . 2008-10-26 17:32 157,388 --a------ c:\windows\hphins26.dat
2008-10-26 17:25 . 2007-12-12 18:01 787 --------- c:\windows\hphmdl26.dat
2008-10-25 22:43 . 2008-10-25 22:43 <DIR> d-------- c:\documents and settings\Scott\Application Data\mioObjects
2008-10-25 16:49 . 2008-10-25 16:49 <DIR> d-------- c:\program files\3D Sports Car Screensaver
2008-10-25 16:49 . 2008-02-14 16:56 10,006,528 --a------ c:\windows\system32\3D Sports Car Screensaver.scr
2008-10-25 16:49 . 2008-02-14 13:16 3,141 --a------ c:\windows\system32\3D Sports Car Screensaver.html
2008-10-25 16:44 . 2008-10-25 16:44 <DIR> d-------- c:\program files\3D Asteroids
2008-10-25 16:41 . 2008-10-28 17:20 882 --a------ c:\windows\eReg.dat
2008-10-25 16:39 . 2008-10-27 18:52 <DIR> d-------- c:\program files\Maxis
2008-10-25 16:37 . 1999-11-24 20:29 196,608 --a------ c:\windows\system32\anfysave.scr
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\program files\Running Clock 3D Screensaver
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\TERMINAL Studio
2008-10-25 16:31 . 2008-02-14 19:36 3,661,824 --a------ c:\windows\system32\Running Clock 3D Screensaver.scr
2008-10-25 16:31 . 2005-09-21 15:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-10-25 16:31 . 2005-09-21 15:08 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-10-25 16:31 . 2006-02-15 17:26 92,216 --a------ c:\windows\system32\bass.dll
2008-10-25 16:31 . 2008-02-14 19:55 3,177 --a------ c:\windows\system32\Running Clock 3D Screensaver.html
2008-10-25 16:29 . 2008-10-25 16:36 <DIR> d-------- c:\program files\Cities of Earth
2008-10-25 16:29 . 2007-09-24 00:08 2,789,376 --a------ c:\windows\system32\Cities.scr
2008-10-25 16:26 . 2008-10-25 16:26 <DIR> d-------- c:\program files\Free Matrix Reality Screensaver
2008-10-25 16:26 . 2008-07-28 12:20 3,403,776 --a------ c:\windows\system32\Free Matrix Reality Screensaver.scr
2008-10-25 16:26 . 2005-09-05 07:01 1,056,768 --a------ c:\windows\system32\FreeImage.dll
2008-10-25 16:26 . 2005-12-21 18:05 245,760 --a------ c:\windows\system32\ImxEx.dll
2008-10-25 16:22 . 2008-10-25 16:22 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\mioObjects
2008-10-25 16:22 . 2008-10-25 16:22 359,431 --a------ c:\windows\system32\mioengine.exe
2008-10-25 16:20 . 2008-10-25 16:20 <DIR> d-------- c:\program files\Proactive Information Corporation
2008-10-25 16:20 . 2004-06-21 16:47 474,431 --a------ c:\windows\system32\Realtime Weather Screen Saver 4.02.scr
2008-10-25 16:20 . 2004-08-28 02:06 61,440 --a------ c:\windows\UnDeploy.exe
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Symantec
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Shareaza
2008-10-25 15:32 . 2008-11-15 20:33 <DIR> d-------- c:\documents and settings\Scott
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Symantec
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Shareaza
2008-10-25 15:24 . 2008-11-15 23:04 <DIR> d-------- c:\documents and settings\Diana
2008-10-25 15:18 . 2008-10-25 15:18 <DIR> d-------- c:\program files\Abassis Finance Manager
2008-10-25 15:14 . 2008-10-25 15:14 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Atari
2008-10-25 15:11 . 2008-10-25 15:11 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Leadertech
2008-10-25 15:08 . 2008-10-25 15:08 <DIR> d-------- c:\program files\Atari
2008-10-25 15:01 . 2008-10-25 15:01 74,582 --a------ c:\windows\Uninstal.exe
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Free 3D Valley Screensaver
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Active Volcano 3D Screensaver
2008-10-25 14:59 . 2008-07-28 10:10 8,073,216 --a------ c:\windows\system32\Free 3D Valley Screensaver.scr
2008-10-25 14:59 . 2008-02-14 17:02 6,008,832 --a------ c:\windows\system32\Active Volcano 3D Screensaver.scr
2008-10-25 14:59 . 2008-02-14 13:38 3,186 --a------ c:\windows\system32\Active Volcano 3D Screensaver.html
2008-10-25 14:58 . 2008-10-25 15:04 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\MechCAD
2008-10-25 14:58 . 2007-02-13 14:53 13,619,200 --a------ c:\windows\system32\Solar System 3D Screensaver.scr
2008-10-25 14:58 . 2007-02-09 13:05 3,226 --a------ c:\windows\system32\SolarSystem3DScreensaver.html
2008-10-25 14:56 . 2008-10-25 14:58 <DIR> d-------- c:\program files\Astro Gemini Software
2008-10-25 14:56 . 2008-10-25 14:56 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Astro Gemini Software
2008-10-25 14:56 . 2008-08-28 10:25 7,938,048 --a------ c:\windows\system32\Planet Earth 3D Screensaver.scr
2008-10-25 14:56 . 2007-11-06 16:46 106,496 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2008-10-25 14:54 . 2004-10-06 18:38 3,446,272 --a------ c:\windows\Light Driver 2.stg
2008-10-25 14:54 . 2004-10-06 18:22 794,624 --a------ c:\windows\Light Driver 2.scr
2008-10-25 14:54 . 1999-06-25 10:55 149,504 --a------ c:\windows\UNWISE.EXE
2008-10-25 14:52 . 2007-11-23 13:18 9,005,490 --a------ c:\windows\kaleidoscopia.exe
2008-10-25 14:52 . 2008-10-25 14:52 639,995 --a------ c:\windows\unins000.exe
2008-10-25 14:52 . 2007-12-03 09:32 280,064 --a------ c:\windows\kaleidoscopia.scr
2008-10-25 14:52 . 2008-10-25 14:52 894 --a------ c:\windows\unins000.dat
2008-10-24 18:59 . 2008-11-08 11:40 <DIR> d-------- c:\program files\AdvancedDVDPlayer
2008-10-24 17:53 . 2008-10-24 18:01 <DIR> d-------- c:\program files\Shareaza
2008-10-24 17:53 . 2008-10-24 17:53 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Shareaza
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-10-24 17:43 . 2008-10-24 17:43 <DIR> d-------- c:\program files\PHILIPS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 20:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 09:00 315,392 ----a-w c:\windows\HideWin.exe
2008-10-23 08:59 --------- d-----w c:\program files\Intel
2008-10-23 08:55 --------- d-----w c:\documents and settings\Richard Fedie\Application Data\InterTrust
2008-10-23 08:54 --------- d-----w c:\program files\MSXML 4.0
2008-10-23 08:44 --------- d-----w c:\program files\microsoft frontpage
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2007-10-15 16:30 148,242 ----a-w c:\program files\Common Files\ReportPreview.app
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 196709]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-24 86016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-30 136600]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-02 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-03-24 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\10f6fd16502]
2008-11-15 20:28 135168 c:\windows\system32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2008-10-24 7548]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2008-11-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Richard Fedie.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 13:12:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\System32\extmgr32.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\System32\extmgr32.dll
.
Completion time: 2008-11-16 13:13:19
ComboFix-quarantined-files.txt 2008-11-16 19:13:17

Pre-Run: 474,280,161,280 bytes free
Post-Run: 474,458,370,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

262 --- E O F --- 2008-11-15 21:09:14

Just out of sheer desperation I ran ESET again and it found like 26 things. Log posted below.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3615 (20081115)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7a07914fc4e7e54e917e47c9f1ba585b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-16 08:01:44
# local_time=2008-11-16 02:01:44 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=224580
# found=26
# scan_time=1372
C:\WINDOWS\system32\extmgr32.dll Win32/Agent.OAF trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\1.crack.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\1.crack.zip »ZIP »crack.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\10.serial.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\10.serial.zip »ZIP »serial.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\11.setup.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\11.setup.zip »ZIP »setup.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\12.unpack.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\12.unpack.zip »ZIP »unpack.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\13.music.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) AB4352EC7CBEA96323E6530025CEB4DA
C:\WINDOWS\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip »ZIP »free access to 150 adult sites.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\3.free_adult_videos.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\3.free_adult_videos.zip »ZIP »free adult videos.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\4.free_porn_passwords.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\4.free_porn_passwords.zip »ZIP »free porn passwords.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\5.installer.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\5.installer.zip »ZIP »installer.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\6.keygen.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\6.keygen.zip »ZIP »keygen.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\7.nocd.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\7.nocd.zip »ZIP »nocd.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\8.nodvd.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\8.nodvd.zip »ZIP »nodvd.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\9.patch.zip a variant of Win32/TrojanDropper.Delf.NFH trojan (deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\GroupPolicyManifest\9.patch.zip »ZIP »patch.exe a variant of Win32/TrojanDropper.Delf.NFH trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000

I hope you followed the instructions with ESET scanner and Rebooted your computer, because final cleaning would not take place until a reboot. I say this because you didn't follow the directions for combofix. The instructions clearly state this;

...make sure you save it directly to your Windows Desktop

but you ran combofix from here;

Running from: c:\documents and settings\Richard Fedie\My Documents\antivirus\ComboFix.exe

There were some additional fixes which needed to be done with combofix but because it was not downloaded to the desktop as directed this cannot be done plus if incorrect removal had taken place (which thankfully I don't believe happened) there would be no backups saved where you had the program placed. They will only be saved properly and then able to be used if the program is downloaded and run from the Desktop.
You will need to go into c:\documents and settings\Richard Fedie\My Documents\antivirus\ and delete that combofix. ESET scanner may have removed some of the items we needed to remove so maybe combofix will not be needed, we will see.
Run me a new HJT scan please.
Judy

Here is the new HJT log. Sorry that I didn't put it on my desktop. I read something on here in the forums about putting stuff on the desktop and said it was for ease of accessing the files. I downloaded another copy of combofix to my desktop and deleted the other, would you want me to run it again? After I ran the ESET scan I did reboot. Thanks for all the help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:55 PM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Richard Fedie\My Documents\antivirus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-03.sun.com/s/ESD5/JSCDL/jdk/6u10/jinstall-6u10-windows-i586-jc.cab?e=1225388563154&h=ea5581ffb58b5e56d1742eb26a73b4a6/&filename=jinstall-6u10-windows-i586-jc.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\extmgr32.dll
O20 - Winlogon Notify: 10f6fd16502 - C:\WINDOWS\System32\extmgr32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6587 bytes

One thing I will say without question, each and every one of the infected .zip files, infected with Win32/TrojanDropper.Delf.NFH trojan listed in the ESET log are the result of P2P file sharing. I checked every one of them so that is how the computer has become infected, P2P file sharing.
This is why I asked you in post #3 to fix that one Shareaza entry. Looking at your combofix log I see that program was installed on 10-24-2008.
After that date I see multiple games and other paid programs installed, how many of these were acquired using P2P file sharing? Frankly I would find any program downloaded via P2P as suspect, expecially any installed after that date.
The ones we know for sure are infected files were installed on 11-15-2008, that honestly at this point doesn't mean there aren't others that haven't been found yet.

Yes, I want you to run combofix again. Follow THESE instructions EXACTLY:
At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
Windows may issue a prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix is now preparing to run and when it has finished you will see the Disclaimer screen you should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically
You should now post this log here when all is complete.

Shareaza was reinstalled on 10-24-08. This is a new computer that I built several months ago but I just recently got internet on 10-21, and I had shareaza installed with no virus protection at all. Tried downloading a program to convert mpg to dvd, and it was a virus. I had to reformat my computer that time. First and the last time I'd try to get a program off of P2P. I just use P2P sharing for old movies and old music that I just can't seem to find anywhere else. Now I have Norton Internet Security. Everything you see installed I or my roommate payed for. Here is the new ComboFix log. Thanks again.

ComboFix 08-11-16.05 - Richard Fedie 2008-11-17 12:34:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2915 [GMT -6:00]
Running from: c:\documents and settings\Richard Fedie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-16 02:18 . 2008-11-16 02:18 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2008-11-16 02:17 . 2008-11-16 02:17 <DIR> d-------- c:\documents and settings\Administrator
2008-11-15 19:00 . 2008-11-16 01:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2008-11-15 16:17 . 2008-11-15 16:40 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-11-14 21:16 . 2008-11-14 21:16 <DIR> d-------- c:\documents and settings\Diana\Application Data\Malwarebytes
2008-11-14 20:38 . 2008-11-14 20:38 <DIR> d-------- c:\documents and settings\Scott\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-11-14 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-14 19:02 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-14 19:02 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-13 23:29 . 2008-11-13 23:29 <DIR> d-------- c:\program files\Windows Defender
2008-11-13 21:59 . 2008-11-13 22:07 23,392 --a------ c:\windows\system32\nscompat.tlb
2008-11-13 21:59 . 2008-11-13 22:07 16,832 --a------ c:\windows\system32\amcompat.tlb
2008-11-13 21:50 . 2008-04-14 06:00 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-13 19:50 . 2008-11-13 19:50 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\ErrorSmart
2008-11-13 18:46 . 2008-11-15 20:52 8,269 --a------ c:\windows\GnuHashes.ini
2008-11-13 18:36 . 2008-11-16 14:00 <DIR> d--hs---- c:\windows\system32\GroupPolicyManifest
2008-11-13 18:36 . 2008-11-16 13:58 135,168 --a------ c:\windows\system32\extmgr32.dll
2008-11-13 18:36 . 2008-11-15 20:44 1,848 --ahs---- c:\windows\system32\GroupPolicy000.dat
2008-11-11 18:12 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-08 11:36 . 2008-11-08 11:36 <DIR> d-------- c:\program files\Common Files\SWF Studio
2008-11-04 18:27 . 2008-11-04 18:27 0 --a------ c:\windows\PowerReg.dat
2008-11-04 18:21 . 2008-11-04 18:21 <DIR> d-------- c:\program files\Infogrames Interactive
2008-11-02 16:58 . 2008-11-02 16:58 <DIR> d-------- c:\documents and settings\Diana\Application Data\HP
2008-11-02 02:11 . 2008-11-05 21:41 <DIR> d-------- C:\CreatePhotoCalendars
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Nova Development
2008-11-01 22:51 . 2008-11-01 22:51 <DIR> d-------- c:\program files\Common Files\Nova Development
2008-10-30 11:42 . 2008-10-30 11:42 <DIR> d-------- c:\windows\Sun
2008-10-30 11:41 . 2008-10-30 11:41 <DIR> d-------- c:\program files\Java
2008-10-30 11:41 . 2008-11-03 23:23 <DIR> d-------- c:\program files\Google
2008-10-30 11:41 . 2008-10-30 11:41 410,976 --a------ c:\windows\system32\deploytk.dll
2008-10-30 11:41 . 2008-10-30 11:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-10-28 17:09 . 2008-10-28 17:09 0 --a------ c:\windows\system32\sam.ini
2008-10-28 14:25 . 2008-10-28 19:12 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-28 12:19 . 2008-10-28 12:19 <DIR> d-------- c:\documents and settings\Scott\Application Data\Atari
2008-10-28 12:08 . 2008-10-28 12:08 <DIR> d-------- c:\documents and settings\Scott\Application Data\DivX
2008-10-26 20:48 . 2008-10-26 20:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SimCity Societies
2008-10-26 19:30 . 2008-10-26 19:30 <DIR> d-------- c:\documents and settings\Scott\Application Data\Yahoo!
2008-10-26 18:59 . 2008-10-26 18:59 <DIR> d-------- c:\documents and settings\Diana\Application Data\Yahoo!
2008-10-26 18:19 . 2008-10-26 18:19 <DIR> d-------- c:\program files\Electronic Arts
2008-10-26 18:08 . 2008-10-26 18:08 <DIR> d-------- c:\program files\Rockstar Games
2008-10-26 18:05 . 2008-10-26 18:05 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Yahoo!
2008-10-26 17:59 . 2008-11-04 07:44 <DIR> d-------- c:\program files\Yahoo!
2008-10-26 17:59 . 2008-10-27 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-26 17:56 . 2008-10-26 17:56 <DIR> d-------- c:\program files\Yahoo! Games
2008-10-26 17:42 . 2008-10-26 17:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\WEBREG
2008-10-26 17:32 . 2008-10-26 17:32 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\HP
2008-10-26 17:31 . 2008-10-26 17:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-10-26 17:31 . 2007-11-08 08:59 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-10-26 17:31 . 2007-10-20 17:25 117,760 --a------ c:\windows\system32\hpzll5mu.dll
2008-10-26 17:29 . 2008-10-26 17:29 <DIR> d-------- c:\program files\Common Files\HP
2008-10-26 17:29 . 2008-11-03 23:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP
2008-10-26 17:28 . 2008-11-03 23:18 <DIR> d-------- c:\program files\HP
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2008-10-26 17:28 . 2008-04-13 23:15 26,368 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-26 17:27 . 2008-04-13 23:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-26 17:25 . 2008-10-26 17:32 157,388 --a------ c:\windows\hphins26.dat
2008-10-26 17:25 . 2007-12-12 18:01 787 --------- c:\windows\hphmdl26.dat
2008-10-25 22:43 . 2008-10-25 22:43 <DIR> d-------- c:\documents and settings\Scott\Application Data\mioObjects
2008-10-25 16:49 . 2008-10-25 16:49 <DIR> d-------- c:\program files\3D Sports Car Screensaver
2008-10-25 16:49 . 2008-02-14 16:56 10,006,528 --a------ c:\windows\system32\3D Sports Car Screensaver.scr
2008-10-25 16:49 . 2008-02-14 13:16 3,141 --a------ c:\windows\system32\3D Sports Car Screensaver.html
2008-10-25 16:44 . 2008-10-25 16:44 <DIR> d-------- c:\program files\3D Asteroids
2008-10-25 16:41 . 2008-10-28 17:20 882 --a------ c:\windows\eReg.dat
2008-10-25 16:39 . 2008-10-27 18:52 <DIR> d-------- c:\program files\Maxis
2008-10-25 16:37 . 1999-11-24 20:29 196,608 --a------ c:\windows\system32\anfysave.scr
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\program files\Running Clock 3D Screensaver
2008-10-25 16:31 . 2008-10-25 16:31 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\TERMINAL Studio
2008-10-25 16:31 . 2008-02-14 19:36 3,661,824 --a------ c:\windows\system32\Running Clock 3D Screensaver.scr
2008-10-25 16:31 . 2005-09-21 15:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2008-10-25 16:31 . 2005-09-21 15:08 348,160 --a------ c:\windows\system32\msvcr71.dll
2008-10-25 16:31 . 2006-02-15 17:26 92,216 --a------ c:\windows\system32\bass.dll
2008-10-25 16:31 . 2008-02-14 19:55 3,177 --a------ c:\windows\system32\Running Clock 3D Screensaver.html
2008-10-25 16:29 . 2008-10-25 16:36 <DIR> d-------- c:\program files\Cities of Earth
2008-10-25 16:29 . 2007-09-24 00:08 2,789,376 --a------ c:\windows\system32\Cities.scr
2008-10-25 16:26 . 2008-10-25 16:26 <DIR> d-------- c:\program files\Free Matrix Reality Screensaver
2008-10-25 16:26 . 2008-07-28 12:20 3,403,776 --a------ c:\windows\system32\Free Matrix Reality Screensaver.scr
2008-10-25 16:26 . 2005-09-05 07:01 1,056,768 --a------ c:\windows\system32\FreeImage.dll
2008-10-25 16:26 . 2005-12-21 18:05 245,760 --a------ c:\windows\system32\ImxEx.dll
2008-10-25 16:22 . 2008-10-25 16:22 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\mioObjects
2008-10-25 16:22 . 2008-10-25 16:22 359,431 --a------ c:\windows\system32\mioengine.exe
2008-10-25 16:20 . 2008-10-25 16:20 <DIR> d-------- c:\program files\Proactive Information Corporation
2008-10-25 16:20 . 2004-06-21 16:47 474,431 --a------ c:\windows\system32\Realtime Weather Screen Saver 4.02.scr
2008-10-25 16:20 . 2004-08-28 02:06 61,440 --a------ c:\windows\UnDeploy.exe
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Symantec
2008-10-25 15:32 . 2008-10-25 15:32 <DIR> d-------- c:\documents and settings\Scott\Application Data\Shareaza
2008-10-25 15:32 . 2008-11-15 20:33 <DIR> d-------- c:\documents and settings\Scott
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Symantec
2008-10-25 15:25 . 2008-10-25 15:25 <DIR> d-------- c:\documents and settings\Diana\Application Data\Shareaza
2008-10-25 15:24 . 2008-11-15 23:04 <DIR> d-------- c:\documents and settings\Diana
2008-10-25 15:18 . 2008-10-25 15:18 <DIR> d-------- c:\program files\Abassis Finance Manager
2008-10-25 15:14 . 2008-10-25 15:14 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Atari
2008-10-25 15:11 . 2008-10-25 15:11 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Leadertech
2008-10-25 15:08 . 2008-10-25 15:08 <DIR> d-------- c:\program files\Atari
2008-10-25 15:01 . 2008-10-25 15:01 74,582 --a------ c:\windows\Uninstal.exe
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Free 3D Valley Screensaver
2008-10-25 14:59 . 2008-10-25 14:59 <DIR> d-------- c:\program files\Active Volcano 3D Screensaver
2008-10-25 14:59 . 2008-07-28 10:10 8,073,216 --a------ c:\windows\system32\Free 3D Valley Screensaver.scr
2008-10-25 14:59 . 2008-02-14 17:02 6,008,832 --a------ c:\windows\system32\Active Volcano 3D Screensaver.scr
2008-10-25 14:59 . 2008-02-14 13:38 3,186 --a------ c:\windows\system32\Active Volcano 3D Screensaver.html
2008-10-25 14:58 . 2008-10-25 15:04 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\MechCAD
2008-10-25 14:58 . 2007-02-13 14:53 13,619,200 --a------ c:\windows\system32\Solar System 3D Screensaver.scr
2008-10-25 14:58 . 2007-02-09 13:05 3,226 --a------ c:\windows\system32\SolarSystem3DScreensaver.html
2008-10-25 14:56 . 2008-10-25 14:58 <DIR> d-------- c:\program files\Astro Gemini Software
2008-10-25 14:56 . 2008-10-25 14:56 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Astro Gemini Software
2008-10-25 14:56 . 2008-08-28 10:25 7,938,048 --a------ c:\windows\system32\Planet Earth 3D Screensaver.scr
2008-10-25 14:56 . 2007-11-06 16:46 106,496 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2008-10-25 14:54 . 2004-10-06 18:38 3,446,272 --a------ c:\windows\Light Driver 2.stg
2008-10-25 14:54 . 2004-10-06 18:22 794,624 --a------ c:\windows\Light Driver 2.scr
2008-10-25 14:54 . 1999-06-25 10:55 149,504 --a------ c:\windows\UNWISE.EXE
2008-10-25 14:52 . 2007-11-23 13:18 9,005,490 --a------ c:\windows\kaleidoscopia.exe
2008-10-25 14:52 . 2008-10-25 14:52 639,995 --a------ c:\windows\unins000.exe
2008-10-25 14:52 . 2007-12-03 09:32 280,064 --a------ c:\windows\kaleidoscopia.scr
2008-10-25 14:52 . 2008-10-25 14:52 894 --a------ c:\windows\unins000.dat
2008-10-24 18:59 . 2008-11-08 11:40 <DIR> d-------- c:\program files\AdvancedDVDPlayer
2008-10-24 17:53 . 2008-10-24 18:01 <DIR> d-------- c:\program files\Shareaza
2008-10-24 17:53 . 2008-10-24 17:53 <DIR> d-------- c:\documents and settings\Richard Fedie\Application Data\Shareaza
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2008-10-24 17:44 . 2008-04-14 01:09 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-10-24 17:44 . 2001-08-17 14:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-10-24 17:43 . 2008-10-24 17:43 <DIR> d-------- c:\program files\PHILIPS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-26 20:18 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 19:37 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 09:00 315,392 ----a-w c:\windows\HideWin.exe
2008-10-23 08:59 --------- d-----w c:\program files\Intel
2008-10-23 08:55 --------- d-----w c:\documents and settings\Richard Fedie\Application Data\InterTrust
2008-10-23 08:54 --------- d-----w c:\program files\MSXML 4.0
2008-10-23 08:44 --------- d-----w c:\program files\microsoft frontpage
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-16 00:14 524,288 ----a-w c:\windows\system32\DivXsm.exe
2008-09-16 00:14 3,596,288 ----a-w c:\windows\system32\qt-dx331.dll
2008-09-16 00:12 81,920 ----a-w c:\windows\system32\dpl100.dll
2008-09-16 00:12 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
2008-09-16 00:12 57,344 ----a-w c:\windows\system32\dpv11.dll
2008-09-16 00:12 53,248 ----a-w c:\windows\system32\dpuGUI10.dll
2008-09-16 00:12 344,064 ----a-w c:\windows\system32\dpus11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu11.dll
2008-09-16 00:12 294,912 ----a-w c:\windows\system32\dpu10.dll
2008-09-16 00:12 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 196,608 ----a-w c:\windows\system32\dtu100.dll
2008-09-16 00:12 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2008-09-16 00:11 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2008-09-16 00:11 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2008-09-16 00:11 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2008-09-16 00:11 683,520 ----a-w c:\windows\system32\DivX.dll
2008-09-16 00:11 161,096 ----a-w c:\windows\system32\DivXCodecVersionChecker.exe
2008-09-16 00:11 12,288 ----a-w c:\windows\system32\DivXWMPExtType.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2007-10-15 16:30 148,242 ----a-w c:\program files\Common Files\ReportPreview.app
.

((((((((((((((((((((((((((((( snapshot@2008-11-16_13.13.10.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-17 18:15:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2008-11-17 18:15:22 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-10-16 4347120]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 196709]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-24 714608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-03-24 13524992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-03-24 86016]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-30 136600]
"ReminderApp"="c:\program files\Nova Development\Greeting Card Factory Photo Card Maker\ReminderApp.exe" [2006-11-02 156160]
"RTHDCPL"="RTHDCPL.EXE" [2008-03-02 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-03-24 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\10f6fd16502]
2008-11-16 13:58 135168 c:\windows\system32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\extmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-24 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2008-10-24 7548]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart\ErrorSmart.exe []

2008-11-16 c:\windows\Tasks\ErrorSmart Scheduled Scan.job
- c:\program files\ErrorSmart []

2008-11-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Richard Fedie.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 19:19]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 12:35:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\System32\extmgr32.dll

PROCESS: c:\windows\system32\lsass.exe
-> c:\windows\System32\extmgr32.dll
.
Completion time: 2008-11-17 12:35:57
ComboFix-quarantined-files.txt 2008-11-17 18:35:55
ComboFix2.txt 2008-11-16 19:13:20

Pre-Run: 474,449,739,776 bytes free
Post-Run: 474,459,586,560 bytes free

252 --- E O F --- 2008-11-15 21:09:14

Ok, just checking to be sure.
I "think" (which is dangerous in itesefl) now, after going through both this log and the original that the problem may lie with the program Error Smart. It was installed on 11-13-2008 along with our "friend"extmgr32.dll and 3 other entries which came on at pretty much the same time.
Can you see if you can Uninstall Error Smart? I am not familiar with the program but found several references when searching for information that it can be questionable.

Well error smart does not show up in the add or remove programs. But, I searched for files and folders named errorsmart and found a folder and a file. The folder was in the application data folder. The file was in C:\WINDOWS\Tasks\ and is called ErrorSmart Scheduled Scan.job.

I have deleted both and emptied my recycle bin.

Only thing on the 13th that I remember installing is Windows Defender after I had the virus or whatever. Do you know what the rest of the files are or should I go in and try to delete them too?

The Error Smart was installed BEFORE Windows Defender was, appears to be about 1 hour before.
The other files installed at the same time are the following;
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\extmgr32.dll
c:\windows\system32\GroupPolicy000.dat

I would recommend that you boot to Safe Mode and try to remove them.

I opened c:\windows\system32\GroupPolicy000.dat in notebood and it is a list of websites most of which seem to be GWebCache's.

The folder c:\windows\system32\GroupPolicyManifest contains

c:\windows\system32\GroupPolicyManifest\1.crack.zip.kwd
c:\windows\system32\GroupPolicyManifest\2.free_access_to_150_adult_sites.zip.kwd
c:\windows\system32\GroupPolicyManifest\3.free_adult_videos.zip.kwd
c:\windows\system32\GroupPolicyManifest\4.free_porn_passwords.zip.kwd
c:\windows\system32\GroupPolicyManifest\5.installer.zip.kwd
c:\windows\system32\GroupPolicyManifest\6.keygen.zip.kwd
c:\windows\system32\GroupPolicyManifest\7.nocd.zip.kwd
c:\windows\system32\GroupPolicyManifest\8.nodvd.zip.kwd
c:\windows\system32\GroupPolicyManifest\9.patch.zip.kwd
c:\windows\system32\GroupPolicyManifest\10.serial.zip.kwd
c:\windows\system32\GroupPolicyManifest\11.setup.zip.kwd
c:\windows\system32\GroupPolicyManifest\12.unpack.zip.kwd
c:\windows\system32\GroupPolicyManifest\13.music.mp3
c:\windows\system32\GroupPolicyManifest\13.music.mp3.kwd

c:\windows\GnuHashes.ini Looks like some kind of computer code that says how to use the above mentioned files.

Should I actually keep this stuff and give it to someone that programs antivirus programs? I figure this is pretty new or something pretty bad since nothing I have found will remove it.

I'll wait to hear back before I do anything.

Should I actually keep this stuff and give it to someone that programs antivirus programs? I figure this is pretty new or something pretty bad since nothing I have found will remove it.

I'll wait to hear back before I do anything.

VERY GOOD IDEA!!!!
Upload
c:\windows\GnuHashes.ini
c:\windows\system32\GroupPolicyManifest
c:\windows\system32\extmgr32.dll
c:\windows\system32\GroupPolicy000.dat

To http://virusscan.jotti.org/
Each one will be scanned by multiple scanners to see if they are bad and what they are.
Post back with the results of each.
GREAT SUGGESTION!
Judy

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.