Task Manager opens for a couple seconds then closes.

[jtracker]

Hello,
Having trouble with the task manager staying open. It wont even come up using ctrl+alt+delete. It opens after a couple times of hitting shift+ctrl+esc. Then it stays up for a couple seconds then just goes away. I don't know even know where to start. The reason I even tried to pull up the task manager is because the internet is running really slow and I have dsl. On my laptop it is way faster. I am trying to fix my aunts laptop cuz hers is the one that is alot slower. Also I can hear the fan kick on about every 20 seconds.When I do get the task manager to pop up the computer usage is always working and is at 100%. Let me know what I need to do. Thanks,
Justin

[jtracker]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:18 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\AEIWLSVC.EXE
C:\WINNT\System32\Winkfm.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\S3tray2.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\AEIWLRAD.EXE
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04. exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\Program Files\Microsoft ActiveSync\wcescommbub.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeanine\Desktop\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=2839
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04. exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescommbub.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192369178635
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192370888187
O23 - Service: Aeiwsvc - Unknown owner - C:\WINNT\system32\AEIWLSVC.EXE
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Winkfm - Unknown owner - C:\WINNT\System32\Winkfm.exe

--
End of file - 5174 bytes

[Jintan]

Welcome to CTH jtracker,

The log so far shows an unknown and suspect service running, and of course the issue with Task Manager is common with malware tricks lately. Let's correct that, get that unknown checked and get in an additional look before deciding on repairs here.


Open Notepad (Start, Run type notepad and select Enter) and copy/paste the following text.

Code:

[Version]
Signature="$CHICAGO$"

[DefaultInstall]
DelReg=Del.Settings

[Del.Settings]
HKCU,"Software\Microsoft\Windows\CurrentVersion\
Policies\System","DisableRegistryTools"
HKCU,"Software\Microsoft\Windows\CurrentVersion\
Policies\System","DisableTaskMgr"
HKCU,"Software\Microsoft\Windows\CurrentVersion\
Policies\System","NoFolderOptions"

Save this as correct.inf

Where it says "Files of Type", select All Files and click on Save and save it to your desktop. Exit Notepad, Then right-click on correct.inf and select Install.

-----------------------

Open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

C:\WINNT\System32\Winkfm.exe

-----------------------

Then again run Notepad and copy the following text in bold into a new file:

Code:

@ECHO OFF
cd %windir%
sc config Winkfm start= disabled
sc stop Winkfm

Save the file as "servstop.bat"

Make sure to save it with the quotes. Please double-click on servstop.bat. A window should open and close very quickly --- this is normal.

------------------------

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

C:\WINNT\System32\Winkfm.exe

You DO NOT need to be a member to upload, anybody can upload the files.


Also Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your protective software queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here please.

[jtracker]

Thanks for the help. Well I did everthing right up to here.

Open HijackThis, and choose None of the above, just start the program. Click Config – Misc Tools – Open process manager. From the list, click each of the following if it is present, and Kill Process. Close HijackThis.

C:\WINNT\System32\Winkfm.exe

Tried doing that but now when i open hijack this it just closes on me evertime.
Also when I do get hijack this to stay open long enough to kill that process it pops up and says "The selected process could not be killed. It may have already closed, or it may be protected by Windows. This process might be might be a service,which you can stop from the Services applet in Admin Tools. (To load this window click start,run and enter services.msc)" Took me forever to get the above cuz it just kept closing on me. Let me know.
Thanks

[Jintan]

Do the steps over, but this time skip the HijackThis step.

Then Download SDFix.exe and save it to your desktop.

================================================== =


Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


In Safe Mode, click the SDFix.exe and allow it to extract to it's own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.

Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer that normal to restart as the fixtool will be running and removing files.

When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=========================

After the reboot Download ComboFix.exe from here to your desktop, and click the downloaded file to run the repair.

When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

(ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

Post back the C:\ComboFix.txt log as well as the SDFix report.txt and a HijackThis log if available then please.

[jtracker]

Ok heres this,
"Copy the log from the Startup Programs file back here please."


"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems Systems"]
"S3TRAY2" = "S3tray2.exe" ["S3 Graphics, Inc."]
"Multi-function Keyboard" = "GWHotKey.exe" ["BillP Studios"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"1AEIWLRAD.EXE" = "AEIWLRAD.EXE" [empty string]
"HPDJ Taskbar Utility" = "C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04 .exe" ["HP"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"CapFax" = "C:\Program Files\PhoneTools\CapFax.EXE" ["BVRP Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online Included"
-> {HKLM...CLSID} = "America Online Included"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.d ll" ["America Online, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Wcesview.dll" [MS]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Jeanine\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\ssmarque.scr" [MS]


Startup items in "Jeanine" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Jeanine\Start Menu\Programs\Startup
"Greetings Workshop Reminders" -> shortcut to: "C:\Program Files\Greetings Workshop\GWREMIND.EXE" [MS]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Photo Loader supervisory" -> shortcut to: "C:\Program Files\CASIO\Photo Loader\Plauto.exe" ["CASIO COMPUTER CO.,LTD."]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 1" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:1" [MS]
"ISP signup reminder 2" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"ISP signup reminder 3" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 25
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]


================================================== =======

Heres this,
"Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here."



SDFix: Version 1.124

Run by Jeanine on Mon 01/07/2008 at 12:55 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found





Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 13:04:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files:
---------------


Files with Hidden Attributes:

Wed 3 Oct 2001 102,466 A..H. --- "C:\Program Files\America Online 7.0\aolphx.exe"
Wed 3 Oct 2001 32,838 A..H. --- "C:\Program Files\America Online 7.0\aoltray.exe"
Wed 3 Oct 2001 40,960 A..H. --- "C:\Program Files\America Online 7.0\RBM.exe"
Wed 3 Oct 2001 180,286 A..H. --- "C:\Program Files\America Online 7.0\waol.exe"
Thu 1 Nov 2001 38,048,840 A..H. --- "C:\Program Files\Online Services\AOL70US.EXE"
Mon 15 Jan 2007 86,794 A.SHR --- "C:\WINNT\system32\Winkfm.exe"
Tue 5 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 5 Jun 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Wed 29 Jan 2003 22,528 ...H. --- "C:\Documents and Settings\Jeanine\My Documents\~WRL0005.tmp"
Wed 3 Oct 2001 49,220 A..H. --- "C:\Program Files\America Online 7.0\COMIT\cswitch.exe"
Wed 3 Oct 2001 102,466 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467216.exe"
Wed 3 Oct 2001 32,838 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467217.exe"
Wed 3 Oct 2001 49,220 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467218.exe"
Wed 3 Oct 2001 40,960 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467222.exe"
Wed 3 Oct 2001 180,286 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467224.exe"
Thu 1 Nov 2001 38,048,840 A..H. --- "C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0470124.EXE"
Sun 21 Aug 2005 41,472 ...H. --- "C:\Documents and Settings\Jeanine\My Documents\Kindergarten\~WRL2830.tmp"
Fri 28 Jul 2006 337,320 A..H. --- "C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll"
Wed 2 Jan 2008 25,755,448 A..H. --- "C:\WINNT\SoftwareDistribution\Download\5de8a2d223 4f0d548a5c0d05d076e6d9\BIT14.tmp"
Sat 13 Sep 2003 39,936 ...H. --- "C:\Documents and Settings\Jeanine\Application Data\Microsoft\Word\~WRL0672.tmp"
Wed 12 Feb 2003 34,304 ...H. --- "C:\Documents and Settings\Jeanine\Application Data\Microsoft\Word\~WRL1222.tmp"
Tue 25 Dec 2007 47,104 ...H. --- "C:\Documents and Settings\Jeanine\Application Data\Microsoft\Word\~WRL4006.tmp"
Tue 2 Oct 2001 106,496 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"

Finished!

[jtracker]

"When completed a text window will appear - please copy/paste the contents back here."


ComboFix 08-01-07.5 - Jeanine 2008-01-07 13:19:12.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT -5:00]
Running from: C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-07 12:53 . 2008-01-07 12:53 <DIR> d-------- C:\WINNT\ERUNT
2008-01-07 12:27 . 2008-01-07 12:27 72 --a------ C:\Documents and Settings\Jeanine\servstop.bat
2008-01-02 11:14 . 2008-01-02 11:50 <DIR> d-------- C:\Documents and Settings\Jeanine\Contacts
2008-01-02 11:14 . 2008-01-02 11:14 268 --ah----- C:\sqmdata00.sqm
2008-01-02 11:14 . 2008-01-02 11:14 244 --ah----- C:\sqmnoopt00.sqm
2008-01-02 09:52 . 2008-01-02 10:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-02 09:50 . 2008-01-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 22:23 . 2004-05-14 16:53 462,848 --a------ C:\WINNT\system32\ltkrn13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 450,560 --a------ C:\WINNT\system32\ltimg13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 401,408 --a------ C:\WINNT\system32\lfcmp13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 299,008 --a------ C:\WINNT\system32\ltdis13n.dll
2007-12-30 22:23 . 2004-01-12 02:09 206,336 --a------ C:\WINNT\system32\ltefx13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 163,840 --a------ C:\WINNT\system32\ltfil13n.dll
2007-12-30 22:23 . 2003-11-04 15:11 159,744 --a------ C:\WINNT\system32\lfpng13n.dll
2007-12-30 22:23 . 2003-11-04 15:10 69,632 --a------ C:\WINNT\system32\lfgif13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 57,344 --a------ C:\WINNT\system32\lfbmp13n.dll
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Snapfish
2007-12-28 14:01 . 2007-12-28 14:01 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Ulead Systems
2007-12-28 13:15 . 2007-12-28 13:15 <DIR> d-------- C:\Program Files\Nova Development
2007-12-28 13:13 . 2007-12-28 13:39 <DIR> d-------- C:\Program Files\Web Publish
2007-12-25 14:35 . 2007-12-25 14:49 <DIR> d-------- C:\Program Files\Photo Viewer
2007-12-24 20:09 . 2007-10-10 18:55 6,065,664 --------- C:\WINNT\system32\dllcache\ieframe.dll
2007-12-24 20:09 . 2007-06-30 22:31 2,455,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dat
2007-12-24 20:09 . 2007-06-30 22:36 991,232 --------- C:\WINNT\system32\dllcache\ieframe.dll.mui
2007-12-24 20:09 . 2007-10-10 18:55 459,264 --------- C:\WINNT\system32\dllcache\msfeeds.dll
2007-12-24 20:09 . 2007-10-10 18:55 383,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dll
2007-12-24 20:09 . 2007-10-10 18:55 267,776 --------- C:\WINNT\system32\dllcache\iertutil.dll
2007-12-24 20:09 . 2007-10-10 18:55 63,488 --------- C:\WINNT\system32\dllcache\icardie.dll
2007-12-24 20:09 . 2007-10-10 18:55 52,224 --------- C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-12-24 20:09 . 2007-10-10 05:59 13,824 --------- C:\WINNT\system32\dllcache\ieudinit.exe
2007-12-24 19:56 . 2007-08-13 18:54 33,792 --a------ C:\WINNT\system32\dllcache\custsat.dll
2007-12-24 11:42 . 2006-08-21 04:14 128,896 --------- C:\WINNT\system32\dllcache\fltmgr.sys
2007-12-24 11:42 . 2006-08-21 04:14 23,040 --------- C:\WINNT\system32\dllcache\fltmc.exe
2007-12-24 11:42 . 2006-08-21 07:21 16,896 --------- C:\WINNT\system32\dllcache\fltlib.dll
2007-12-23 14:48 . 2007-07-09 08:09 584,192 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-12-23 13:10 . 2007-12-25 08:46 <DIR> d--h----- C:\WINNT\$hf_mig$
2007-12-22 16:38 . 2006-10-19 04:42 303,616 -ra------ C:\WINNT\system32\drivers\BLKWGNv7.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-07 18:09 --------- d-----w C:\Program Files\Greetings Workshop
2008-01-06 20:54 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2007-12-28 18:40 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-19 00:15 --------- d-----w C:\Documents and Settings\Jeanine\Application Data\Wal-Mart Digital Photo Viewer
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-10-31 10:12 3,590,656 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 22:39 230,912 ------w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-27 22:37 2,109,440 ------w C:\WINNT\system32\dllcache\wmvcore.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-11 06:13 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
2007-10-11 06:13 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
2007-10-11 06:13 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINNT\system32\dllcache\browseui.dll
2007-10-10 23:56 824,832 ------w C:\WINNT\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINNT\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINNT\system32\dllcache\mstime.dll
2007-10-10 23:55 478,208 ------w C:\WINNT\system32\dllcache\mshtmled.dll
2007-10-10 23:55 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 27,648 ------w C:\WINNT\system32\dllcache\jsproxy.dll
2007-10-10 23:55 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINNT\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINNT\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINNT\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINNT\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINNT\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINNT\system32\dllcache\ieakui.dll
2007-06-05 09:52 10,240 ----a-w C:\Program Files\Lgr1.exe
2007-06-05 09:49 10,240 ----a-w C:\Program Files\Ciy1.exe
2006-09-12 00:30 10,240 ----a-w C:\Program Files\Xre1.exe
2005-04-14 11:11 10,240 ----a-w C:\Program Files\Jxw1.exe
2004-08-20 12:09 10,240 ----a-w C:\Program Files\Ed1.exe
2004-08-19 14:28 10,240 ----a-w C:\Program Files\Tln1.exe
2004-08-10 11:27 10,240 ----a-w C:\Program Files\Qjo1.exe
2003-07-04 23:12 10,240 ----a-w C:\Program Files\Lrx1.exe
2002-07-22 20:04 10,240 ----a-w C:\Program Files\Ted31.exe
2007-01-15 11:27 86,794 --sha-r C:\WINNT\system32\Winkfm.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"CARPService"="carpserv.exe" [2001-09-30 19:50 4608 C:\WINNT\system32\carpserv.exe]
"S3TRAY2"="S3tray2.exe" [2001-10-12 13:32 69632 C:\WINNT\system32\S3tray2.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 12:13 98361 C:\WINNT\GWHotKey.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-08-09 18:21 118784]
"1AEIWLRAD.EXE"="AEIWLRAD.EXE" [2001-12-06 17:03 24576 C:\WINNT\system32\AEIWLRAD.EXE]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3 \hpztsb04.exe" [2001-11-08 14:59 196608]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"CapFax"="C:\Program Files\PhoneTools\CapFax.EXE" [2001-11-07 13:25 20480]

C:\Documents and Settings\Jeanine\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-04-21 06:07:09]

R2 Aeiwsvc;Aeiwsvc;C:\WINNT\system32\AEIWLSVC.EXE [2001-11-06 12:00]
R3 AEIWLBRG;AEIWLBRG;C:\WINNT\System32\aeiwlbrg.sys [2001-11-06 11:59]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINNT\system32\DRIVERS\BLKWGNv7.sys [2006-10-19 04:42]
R3 ViaModem;ViaModem;C:\WINNT\system32\DRIVERS\ViaMod em.sys [2001-11-13 19:14]
S3 AEIWL;Actiontec PRISM Wireless LAN USB Driver;C:\WINNT\system32\DRIVERS\AEIWLUSB.sys [2001-12-14 10:24]
S3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mp aa.sys [2001-08-17 13:48]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mt aa.sys [2004-08-04 00:29]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]
S4 Winkfm;Winkfm;C:\WINNT\System32\Winkfm.exe [2007-01-15 06:27]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2002-05-13 09:48:02 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 2.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 13:21:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-07 13:23:08
.
2007-12-25 14:12:38 --- E O F ---



================================================== =======


and heres the hijackthis log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:59 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\AEIWLSVC.EXE
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\S3tray2.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\AEIWLRAD.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04. exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jeanine\Desktop\hijack\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=2839
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04. exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192369178635
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192370888187
O23 - Service: Aeiwsvc - Unknown owner - C:\WINNT\system32\AEIWLSVC.EXE
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

--
End of file - 4857 bytes

[jtracker]

Well task manager stays up now. Internet seems to be going faster as well. Thanks for all your help Tom! Let me know if theres anything else I need to do. Also my aunt doesn't have any virus software on her laptop so should I download the avg virus protector for her? let me know and thank you again! Justin

[Jintan]

The only outright change so far was disabling that unknown service, so still need some way to confirm it's use before removing it. And ID'ing what it brought with it as well.

Go to Start - Run, type cmd (and Enter). At the prompt type or copy /paste each of the following (Enter after each):

cd C:\WINNT\system32
attrib -s -a -h Winkfm.exe
exit

Then follow the previous steps to upload that file to check it out.

Also Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

Post back that log please.

[jtracker]

Heres the Kaspersky log.


Kaspersky Online ScannerWelcome to the Kaspersky Online Scanner! Use it to
scan your PC for viruses and other malware for free
Warning: if you have installed Kaspersky Online Scanner Pro, please
manually uninstall it using "Add/Remove Programs" before installing this
version! Otherwise this version will not function correctly.

Benefits:


Kaspersky Anti-Virus exceptional detection rates and thorough scanning
Hourly AV database updates available each time the Online Scanner is
launched
Heuristic analysis to detect unknown viruses
Simple installation (just click on a link)

Requirements and limitations:


When using this service for the first time, you have to run with
Administrator privileges in order to install the product. Also, you will
need to download and install files about 400 KB in size followed by 9 MB
of virus definitions.
However, if you use the Online Scanner again, you will only need to
download the files that have been updated since your last scan.
The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX
technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner
work only with MS Internet Explorer 6.0 or higher.
We cannot guarantee that the Online Scanner will function correctly if you
are using any other browser or any Internet Explorer extensions (such as
AvantBrowser). If you use a different browser, you can use the Kaspersky
File Scanner to scan individual files.
The free Kaspersky Online Scanner does not scan boot sectors and MBRs, so
it cannot detect malicious code located in these areas.
Please note: The free Kaspersky Online Scanner does not protect against
malicious code, and cannot prevent future infections. It only detects
malware that has already penetrated your computer. We strongly recommend
that you install a full antivirus solution to protect your system.

Privacy statement:

The Kaspersky Online Scanner will collect information about the malicious
programs found on your computer during the scanning process. The
information will be sent to the Kaspersky Virus Lab for statistical
purposes. No personal information about you or specific information about
your system will be collected or transmitted to Kaspersky Lab.





Clean infected files. Protect your PC from future infection.
BUY KASPERSKY ANTI-VIRUS NOW





Select: All, None, Suspicious Selected objects: 0




Scan settings:
Here you can configure the scanning process.

Scan using the following antivirus database:
standard - detect viruses, worms, Trojans,
rootkits
extended - protect your computer from Spyware,
adware, dialers and potentially dangerous
software such as remote access utilities, prank
programs and jokes. We do not recommend this
option to beginners or inexperienced users.

Scan options:
Scan Archives - scan files inside archives
Note: affects all targets except 'A
File...' scan target.
Scan Mail Bases - scan e-mails/attachments
inside mail base files
Note: affects all targets except 'My
Email' and 'A File...' scan targets.







Initialize Kaspersky Online Scanner
(downloading and installing Kaspersky Online
Scanner ActiveX from the server into your
computer)





Update Kaspersky Anti-Virus Databases [100%]:
(downloading and installing the latest Kaspersky
Anti-Virus Databases)





Please wait to update the virus definitions...
Downloading from url:
http://dnl-us5.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: kavset.xml
Downloading remote file: fa001.avc
Downloading from url:
http://dnl-eu9.kaspersky-labs.com
Downloading remote file: master.xml
Downloading remote file: fa001.avc
Downloading remote file: dailyc.avc
Downloading remote file: daily-ec.avc
Downloading remote file: daily.avc
Downloading remote file: daily-ex.avc
Downloading remote file: avp.klb
Update finished. Ready to scan.
Next
Please select a target to scan:
You can configure the scanning process by
pressing "Scan Settings" button.



Critical Areas
scan critical areas of your hard disks
specified in %windir% and %tmp% system variables
Memory
scan disk modules of running processes
My Computer
scan all your hard and mapped disks
My Email
scan all your hard and mapped disks only for the
following extensions: *.PST; *.MSG; *.OST;
*.MDB; *.DBX; *.EML; *.MBS
Folders...
scan selected folders
A File...
scan a one file





Warning: The Kaspersky Online Scanner may not
run successfully while any other Anti-Virus
software is running. If you have Anti-Virus
software installed, please disable your AV
protection before running the Kaspersky Online
Scanner.
Scan complete.
Verdict: Your computer is infected
The following infected files/objects were
detected:


Report is empty.
Please note: The free Kaspersky Online Scanner
does not provide comprehensive protection and
cannot prevent future infections. It only
detects malware that has already penetrated your
storage devices. We strongly recommend that you
use a fully-functional antivirus solution to
protect your computer at all times.

Please wait, this process may take a long time
depending on the selected target. If you want to
continue browsing, open a new window.

Scan Progress [99%]:







Total number of scanned objects:41856
Number of viruses found:3
Number of infected objects:44
Number of suspicious objects:0
Duration of the scan process:01:31:45
New Scan








Get a Free Trial


Buy Kaspersky Anti-Virus


Help


Virus Encyclopedia


Kaspersky Lab






Product Info
You have Kaspersky Online Scanner version 5.0.98.0
installed. The current anti-virus database was
released on Tuesday, January 08, 2008 and contains
504310 records.

System Info
Operating System: Microsoft Windows XP Home
Edition, Service Pack 2 (Build 2600)Please wait
while the Kaspersky Online Scanner is initializing
and updating...








Copyright (C) Kaspersky Lab 1997 - 2007
Portions Copyright (C) Lan Crypto

[jtracker]

Crap! I tried to "Then follow the previous steps to upload that file to check it out." So I went to my computer clicked on c: then found the winkfm.exe file and double clicked on it and it dissapeared and now when I bring up task manager it closes after a couple seconds again I guess I don't understand what you meant about "Then follow the previous steps to upload that file to check it out." Also the fan is coming on every 20 seconds again. In task manager, performance also shows 100% all the time like before.

[jtracker]

I think I posted the log wrong let me know if this one is right.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 08, 2008 3:46:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/01/2008
Kaspersky Anti-Virus database records: 504310
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41856
Number of viruses found: 3
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 01:31:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jeanine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\History\History.IE5\MSHist012008010820080 109\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeanine\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CASIO\Photo Loader\Ploader.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\CASIO\Photohands\PHands.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Ciy1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\DVD\DVD Player\WinDVD.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Ed1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Greetings Workshop\GWORKSHP.EXE Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Jxw1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Lgr1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Lrx1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Messenger\msmsgs.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Microsoft ActiveSync\CEAPPMGR.EXE Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Microsoft ActiveSync\wcescomm.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Microsoft Picture It! 9\pi.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Microsoft Reference\Encarta Encyclopedia\enc98.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\MSN\MSNCoreFiles\msn6.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\MusicMatch\MusicMatch Jukebox\Plugins\Portables\Lyra_5\cfscsidll.dll Infected: Trojan.Win32.Zapchast.dq skipped
C:\Program Files\NetWolves Corp\ComputerCOP\ccop.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\PhoneTools\Phontool.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Program Files\Qjo1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Ted31.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Tln1.exe Infected: Virus.Win32.Elkern.c skipped
C:\Program Files\Xre1.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467241.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467243.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467248.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467309.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP299\A0467313.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0469869.EXE Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0469889.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0469890.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0469891.exe Infected: Virus.Win32.Elkern.c skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0469997.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0470051.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0470122.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP300\A0470479.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP305\A0470898.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP306\A0471286.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP309\A0471685.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP309\A0471711.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP312\A0472540.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP323\change.log Object is locked skipped
C:\WINNT\$NtServicePackUninstall$\msmsgs.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\WINNT\$NtUninstallKB887472$\msmsgs.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{49B48A76-0EF0-4A09-A8DC-C08B1C0410A8}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\Winkfm.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

[Jintan]

You can try running the servstop.bat file you created earlier to shut that service down again. The system is showing a large amount of file infector activity - infection embeds itself into executable files, then when they run, it runs. The names are from much older infection forms, but I sense some malware clown has brought them back as new variants. But we can try the older repairs first.


Go here and download both the following repair tools (click the download links to the right), then click to run each of them to effect repairs:

Win32.Elkern.A (.exe)
Win32.Klez.H@mm (.exe)

Try not to be tempted to download and run others listed, as you would not know what changes might be made by them.

When that is completed repeat the process of running ComboFix, then running Kaspersky again, and post those logs please.

[jtracker]

Combofix log.


ComboFix 08-01-07.5 - Jeanine 2008-01-09 8:56:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.78 [GMT -5:00]
Running from: C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-09 to 2008-01-09 )))))))))))))))))))))))))))))))
.

2008-01-08 08:40 . 2008-01-08 08:40 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-08 08:40 . 2008-01-08 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-07 12:53 . 2008-01-07 12:53 <DIR> d-------- C:\WINNT\ERUNT
2008-01-07 12:27 . 2008-01-07 12:27 72 --a------ C:\Documents and Settings\Jeanine\servstop.bat
2008-01-02 11:14 . 2008-01-02 11:50 <DIR> d-------- C:\Documents and Settings\Jeanine\Contacts
2008-01-02 11:14 . 2008-01-02 11:14 268 --ah----- C:\sqmdata00.sqm
2008-01-02 11:14 . 2008-01-02 11:14 244 --ah----- C:\sqmnoopt00.sqm
2008-01-02 09:52 . 2008-01-02 10:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-02 09:50 . 2008-01-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 22:23 . 2004-05-14 16:53 462,848 --a------ C:\WINNT\system32\ltkrn13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 450,560 --a------ C:\WINNT\system32\ltimg13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 401,408 --a------ C:\WINNT\system32\lfcmp13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 299,008 --a------ C:\WINNT\system32\ltdis13n.dll
2007-12-30 22:23 . 2004-01-12 02:09 206,336 --a------ C:\WINNT\system32\ltefx13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 163,840 --a------ C:\WINNT\system32\ltfil13n.dll
2007-12-30 22:23 . 2003-11-04 15:11 159,744 --a------ C:\WINNT\system32\lfpng13n.dll
2007-12-30 22:23 . 2003-11-04 15:10 69,632 --a------ C:\WINNT\system32\lfgif13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 57,344 --a------ C:\WINNT\system32\lfbmp13n.dll
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Snapfish
2007-12-28 14:01 . 2007-12-28 14:01 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Ulead Systems
2007-12-28 13:15 . 2007-12-28 13:15 <DIR> d-------- C:\Program Files\Nova Development
2007-12-28 13:13 . 2007-12-28 13:39 <DIR> d-------- C:\Program Files\Web Publish
2007-12-25 14:35 . 2007-12-25 14:49 <DIR> d-------- C:\Program Files\Photo Viewer
2007-12-24 20:09 . 2007-10-10 18:55 6,065,664 --------- C:\WINNT\system32\dllcache\ieframe.dll
2007-12-24 20:09 . 2007-06-30 22:31 2,455,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dat
2007-12-24 20:09 . 2007-06-30 22:36 991,232 --------- C:\WINNT\system32\dllcache\ieframe.dll.mui
2007-12-24 20:09 . 2007-10-10 18:55 459,264 --------- C:\WINNT\system32\dllcache\msfeeds.dll
2007-12-24 20:09 . 2007-10-10 18:55 383,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dll
2007-12-24 20:09 . 2007-10-10 18:55 267,776 --------- C:\WINNT\system32\dllcache\iertutil.dll
2007-12-24 20:09 . 2007-10-10 18:55 63,488 --------- C:\WINNT\system32\dllcache\icardie.dll
2007-12-24 20:09 . 2007-10-10 18:55 52,224 --------- C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-12-24 20:09 . 2007-10-10 05:59 13,824 --------- C:\WINNT\system32\dllcache\ieudinit.exe
2007-12-24 19:56 . 2007-08-13 18:54 33,792 --a------ C:\WINNT\system32\dllcache\custsat.dll
2007-12-24 11:42 . 2006-08-21 04:14 128,896 --------- C:\WINNT\system32\dllcache\fltmgr.sys
2007-12-24 11:42 . 2006-08-21 04:14 23,040 --------- C:\WINNT\system32\dllcache\fltmc.exe
2007-12-24 11:42 . 2006-08-21 07:21 16,896 --------- C:\WINNT\system32\dllcache\fltlib.dll
2007-12-23 14:48 . 2007-07-09 08:09 584,192 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-12-23 13:10 . 2007-12-25 08:46 <DIR> d--h----- C:\WINNT\$hf_mig$
2007-12-22 16:38 . 2006-10-19 04:42 303,616 -ra------ C:\WINNT\system32\drivers\BLKWGNv7.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-01-09 13:50 --------- d-----w C:\Program Files\Greetings Workshop
2008-01-09 13:37 10,240 ----a-w C:\Program Files\Xre1.exe
2008-01-09 13:37 10,240 ----a-w C:\Program Files\Tln1.exe
2008-01-09 13:37 10,240 ----a-w C:\Program Files\Ted31.exe
2008-01-09 13:37 10,240 ----a-w C:\Program Files\Qjo1.exe
2008-01-09 13:37 --------- d-----w C:\Program Files\PhoneTools
2008-01-09 13:36 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2008-01-09 13:35 10,240 ----a-w C:\Program Files\Lrx1.exe
2008-01-09 13:35 10,240 ----a-w C:\Program Files\Lgr1.exe
2008-01-09 13:35 10,240 ----a-w C:\Program Files\Jxw1.exe
2008-01-09 13:35 10,240 ----a-w C:\Program Files\Ed1.exe
2008-01-09 13:35 10,240 ----a-w C:\Program Files\Ciy1.exe
2008-01-09 13:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-19 00:15 --------- d-----w C:\Documents and Settings\Jeanine\Application Data\Wal-Mart Digital Photo Viewer
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-10-31 10:12 3,590,656 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 22:39 230,912 ------w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-27 22:37 2,109,440 ------w C:\WINNT\system32\dllcache\wmvcore.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-11 06:13 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
2007-10-11 06:13 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
2007-10-11 06:13 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINNT\system32\dllcache\browseui.dll
2007-10-10 23:56 824,832 ------w C:\WINNT\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINNT\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINNT\system32\dllcache\mstime.dll
2007-10-10 23:55 478,208 ------w C:\WINNT\system32\dllcache\mshtmled.dll
2007-10-10 23:55 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 27,648 ------w C:\WINNT\system32\dllcache\jsproxy.dll
2007-10-10 23:55 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINNT\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINNT\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINNT\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINNT\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINNT\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINNT\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_13.22.10.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 13:34:58 5,204 ----a-w C:\WINNT\SoftwareDistribution\EventCache\{FA27027F-9D64-4E53-8F11-1190F094DF11}.bin
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"CARPService"="carpserv.exe" [2001-09-30 19:50 4608 C:\WINNT\system32\carpserv.exe]
"S3TRAY2"="S3tray2.exe" [2001-10-12 13:32 69632 C:\WINNT\system32\S3tray2.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 12:13 98361 C:\WINNT\GWHotKey.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-08-09 18:21 118784]
"1AEIWLRAD.EXE"="AEIWLRAD.EXE" [2001-12-06 17:03 24576 C:\WINNT\system32\AEIWLRAD.EXE]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3 \hpztsb04.exe" [2001-11-08 14:59 196608]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"CapFax"="C:\Program Files\PhoneTools\CapFax.EXE" [2001-11-07 13:25 20480]

C:\Documents and Settings\Jeanine\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-04-21 06:07:09]

R2 Aeiwsvc;Aeiwsvc;C:\WINNT\system32\AEIWLSVC.EXE [2001-11-06 12:00]
R3 AEIWLBRG;AEIWLBRG;C:\WINNT\System32\aeiwlbrg.sys [2001-11-06 11:59]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINNT\system32\DRIVERS\BLKWGNv7.sys [2006-10-19 04:42]
R3 ViaModem;ViaModem;C:\WINNT\system32\DRIVERS\ViaMod em.sys [2001-11-13 19:14]
S3 AEIWL;Actiontec PRISM Wireless LAN USB Driver;C:\WINNT\system32\DRIVERS\AEIWLUSB.sys [2001-12-14 10:24]
S3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mp aa.sys [2001-08-17 13:48]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mt aa.sys [2004-08-04 00:29]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]

.
Contents of the 'Scheduled Tasks' folder
"2002-05-13 09:48:02 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 2.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
.
************************************************** ************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 08:59:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-01-09 9:01:00
ComboFix2.txt 2008-01-07 18:23:09
.
2007-12-25 14:12:38 --- E O F ---



================================================== ========

Kaspersky log.



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 09, 2008 10:46:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/01/2008
Kaspersky Anti-Virus database records: 504750
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41877
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:30:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jeanine\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\History\History.IE5\MSHist012008010920080 110\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Jeanine\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jeanine\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jeanine\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MusicMatch\MusicMatch Jukebox\Plugins\Portables\Lyra_5\cfscsidll.dll Infected: Trojan.Win32.Zapchast.dq skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP323\A0475122.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\System Volume Information\_restore{717DED14-B9DD-4C52-8322-6043B9687C5A}\RP323\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{FA27027F-9D64-4E53-8F11-1190F094DF11}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\Internet.evt Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

[Jintan]

There are some new files created that although Kaspersky did not pick up this time are identified as Klez infection - perhaps results of those scan tools but we will delete them now anyway. Other than that Kaspersky only shows normally locked system functions, some infection for now held harmless in the System Restore and this file:

C:\Program Files\MusicMatch\MusicMatch Jukebox\Plugins\Portables\Lyra_5\cfscsidll.dll Infected: Trojan.Win32.Zapchast.dq skipped

Some perhaps download to related to Musicmatch and an RCA Lyra MP3 player. If you know the source of that and know it as a questionable decision getting the file be sure to remove anything from the system or your player related to it, but for now delete that file itself.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:

File::
C:\Program Files\Lrx1.exe
C:\Program Files\Lgr1.exe
C:\Program Files\Jxw1.exe
C:\Program Files\Ed1.exe
C:\Program Files\Ciy1.exe
C:\Program Files\Xre1.exe
C:\Program Files\Tln1.exe
C:\Program Files\Ted31.exe
C:\Program Files\Qjo1.exe

Save this as "CFScript"

(include the "quotation marks" with the name)




Referring to the picture above, drag CFScript.txt into ComboFix.exe

ComboFix will now run as it did before. When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

-----------------------------

Go Here and download ATF Cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.


Then Go here for an online AV scan (requires IE to run). If your AV alerts you while the scan installs ignore this - Panda's Active Scan method is often mistaken for infection activity.

Scan "Local Disks" and when finished save the scan log and then post the log here. To save the log first select the See Report button, then select the Save report button, and post that log back here along with the ComboFix.txt log and a new HijackThis log. Also an update on how things are doing there.