WiredWX Christian Hobby Weather Tools
trojan.zlob.g - eric
Hey
My problem is that every now and then this Windows Firewall warning pops up saying that they are blocking this trojan.zlob.g thing. Then when I go to use Firefox, a message appears saying that it is dangerous to use the internet because of this trojan thing, and it lets me either choose to continue unprotected or I can download or buy this antivirus or computer-fixing thing. Anyway, what worries me is that the first time this Windows Firewall trojan.zlob.g popped up my whole computer restarted, and I'm worried the next time this happens I won't be able to turn on my computer again.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:55 p.m., on 8/12/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\System32\devldr32.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5208 bytes

uninstall list
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Age of Empires III
Age of Empires III - The Asian Dynasties
Athlon 64 Processor Driver
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESCX3900 User's Guide
GOM Player
Guitar Pro 5.0
HijackThis 2.0.2
Malwarebytes' Anti-Malware
Microsoft Halo
Microsoft Office Professional Edition 2003
Mozilla Firefox (3.0.4)
MSN Messenger 5.0
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
PIF DESIGNER
Power Tab Editor 1.7
RealPlayer
Realtek AC'97 Audio
Winamp
Winamp Remote
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver

Re: trojan.zlob.g - eric
I'm not going to even attempt cleaning anything yet: you are running XP WITHOUT any service pack. You'll be instantly infected without one.
Please download and install SP1a from here:
http://www.softwarepatch.com/windows/winxpsp1-security.html

Once that is done, then I will help.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: trojan.zlob.g - eric
OK, thanks for the tip. I'm so relieved that you answered this thread.

Re: trojan.zlob.g - eric
Once you have installed SP1a, please post a new HijackThis log.


New log
Hey Belahzur,
When I installed SP1, how come I have to activate it again? Is there a way not to activate it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:58 p.m., on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\devldr32.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5213 bytes

Re: trojan.zlob.g - eric
Ignore the activate warning, because we'll be doing more upgrading soon.

  • Now open a new notepad file.
  • Input this into the notepad file:

    rem Export the per-user Run key (autostart entries) to a .reg text file
    regedit /e peek1.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    rem Append the export to look.txt (type converts regedit's Unicode output to plain text)
    type peek1.txt >> look.txt
    del peek1.txt
    rem Open the result so it can be copied into a reply
    start notepad look.txt


  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Post the result back here.


look bat file
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Orb"="\"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe\" /background"
"Smax4"="\"C:\\Documents and Settings\\Andrew\\Application Data\\Google\\kjzna1562565.exe\""
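A small triage script for exports like the look.txt above, added here as an example and not part of the thread or of any of the tools it mentions. It parses the "Windows Registry Editor Version 5.00" format (quoted names, backslash-escaped values), pulls the program path out of each Run value, and flags entries whose executable lives in a user-writable folder such as Application Data or Temp, which is exactly how the Smax4 entry stands out; the folder list and the sample input are my own constructions.

```python
import re
import sys

# Constructed sample, shaped like the look.txt posted in the thread above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Orb"="\"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe\" /background"
"Smax4"="\"C:\\Documents and Settings\\Andrew\\Application Data\\Google\\kjzna1562565.exe\""
'''

# One REG_SZ line of a .reg file: "name"="value"; both sides may contain
# backslash-escaped quotes and backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
_KEY_LINE = re.compile(r'^\[(.+)\]\s*$')

# Assumed heuristic: folders a per-user autostart on XP normally has no
# business launching from. Matched case-insensitively against the full path.
USER_WRITABLE_MARKERS = (
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\recycler\\",
)


def _unescape(s):
    # In .reg strings a backslash quotes the character that follows it.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for the REG_SZ values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def executable_of(command):
    """Pull the program path out of a Run-value command line.

    A quoted path is taken up to the closing quote; an unquoted one up to the
    first space, so an unquoted path containing spaces comes back truncated,
    which is itself worth a second look.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def classify(exe_path):
    """Return a reason string if the entry deserves a closer look, else None."""
    lower = exe_path.lower()
    if not re.match(r'^[a-z]:\\', lower):
        return "bare name, resolved through PATH at logon"
    for marker in USER_WRITABLE_MARKERS:
        if marker in lower:
            return "runs from user-writable folder (%s)" % marker.strip("\\")
    return None


def triage(export_text):
    """List (key, value_name, exe_path, reason) for every flagged Run entry."""
    findings = []
    for key, values in parse_reg_export(export_text).items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, command in values.items():
            exe = executable_of(command)
            reason = classify(exe)
            if reason:
                findings.append((key, name, exe, reason))
    return findings


def load_export(path):
    """Read a look.txt: regedit /e writes UTF-16LE, but look.bat's `type`
    step rewrites it in the console code page, so accept either."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252", errors="replace")


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for key, name, exe, reason in triage(text):
        print("%s\n  %s = %s\n  -> %s" % (key, name, exe, reason))
```

Run it with the path to a look.txt, or with no argument to triage the built-in sample, which flags only the Smax4 entry.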

Re: trojan.zlob.g - eric
Hello.

Please download OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :processes
    explorer.exe

    :files
    C:\Documents and Settings\Andrew\Application Data\Google\kjzna1562565.exe

    :reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smax4"=-

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]



  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3.
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Please post a new HijackThis log + OTMoveIt log.


OTMoveIt log
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Documents and Settings\Andrew\Application Data\Google\kjzna1562565.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Smax4 deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_LFAhBVD7fCh66hNOTq2K scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12092008_122330

Files moved on Reboot...
File C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_LFAhBVD7fCh66hNOTq2K not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl moved successfully.

new HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:43 p.m., on 9/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\notepad.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX3900 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEP.EXE /FU "C:\WINDOWS\TEMP\E_S86.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5146 bytes

Re: trojan.zlob.g - eric
1. Download this file - combofix.exe
2. Double-click combofix.exe and follow the prompts, but select NO when asked to install the Recovery Console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Re: trojan.zlob.g - eric
Do I save it to the desktop?

Re: trojan.zlob.g - eric
Only a blue screen pops up.

Re: trojan.zlob.g - eric
Yeah, that's ComboFix.
Allow it to load and let it run.


combofix log
ComboFix 08-12-07.04 - Andrew 2008-12-09 12:42:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.711 [GMT 13:00]
Running from: d:\documents and settings\Andrew\My Documents\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Application Data\Google\spcffwl.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-08 to 2008-12-08 )))))))))))))))))))))))))))))))
.

2008-12-09 12:24 . 2008-12-09 12:24 d---s---- c:\windows\system32\Microsoft
2008-12-09 12:23 . 2008-12-09 12:23 d-------- C:\_OTMoveIt
2008-12-09 12:01 . 2002-08-29 02:20 115,200 --a------ c:\windows\system32\dpcdll.dll
2008-12-09 11:58 . 2002-08-29 03:39 1,998,848 --a------ c:\windows\system32\wmploc.dll
2008-12-09 11:57 . 2002-06-14 18:46 19,274 --a------ c:\windows\001225_.tmp
2008-12-08 22:27 . 2008-12-08 22:27 d-------- c:\documents and settings\Andrew\Application Data\Malwarebytes
2008-12-08 22:27 . 2008-12-08 22:27 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 22:27 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 22:27 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 22:26 . 2008-12-08 22:26 d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-12-08 19:22 . 2008-12-08 19:22 12 --a------ c:\windows\system32\pgvmc.dat
2008-12-08 19:22 . 2008-12-08 19:22 0 --a------ c:\windows\system32\sfgvmc.dat
2008-12-08 13:11 . 2008-12-08 13:11 d-------- c:\documents and settings\Andrew\Application Data\AdobeUM
2008-12-08 13:03 . 2008-12-08 13:04 d-------- c:\documents and settings\All Users\Application Data\UDL
2008-12-08 12:59 . 2008-12-08 13:03 d-------- c:\program files\epson
2008-12-08 12:59 . 2005-02-25 00:00 46,080 --a------ c:\windows\system32\escimgd.dll
2008-12-08 12:59 . 2005-02-25 00:00 29,696 --a------ c:\windows\system32\escwiad.dll
2008-12-08 12:59 . 2005-02-25 00:00 22,016 --a------ c:\windows\system32\esccmd.dll
2008-12-08 12:59 . 2008-12-08 12:59 25 --a------ c:\windows\CDE CX3900EC.ini
2008-12-07 23:54 . 2008-12-07 23:55 d-------- c:\documents and settings\Andrew\Application Data\Winamp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 23:02 90,240 ----a-w c:\windows\system32\drivers\sptd9053.sys
2008-12-08 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 00:05 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-07 12:00 --------- d-----w c:\program files\Microsoft ActiveSync
2008-12-07 11:34 --------- d-----w c:\program files\microsoft frontpage
2008-12-07 10:55 --------- d-----w c:\program files\Winamp Remote
2008-12-07 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\OrbNetworks
2008-12-07 10:51 60,416 ----a-w c:\windows\ALCFDRTM.EXE
2008-12-07 10:48 --------- d-----w c:\program files\MSN Messenger
2008-12-07 10:48 --------- d-----w c:\documents and settings\All Users\Application Data\MSN Messenger 5.0.0544
2008-12-07 09:56 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-12-07 09:56 --------- d-----w c:\program files\Common Files\xing shared
2008-12-07 09:56 --------- d-----w c:\program files\Common Files\Real
2008-12-07 08:32 --------- d-----w c:\program files\MSXML 4.0
2008-12-07 07:42 --------- d-----w c:\program files\Realtek Sound Manager
2008-12-07 07:42 --------- d-----w c:\program files\AvRack
2008-12-07 07:14 223,128 ----a-w c:\windows\system32\drivers\dtscsi.sys
2008-12-07 06:07 --------- d-----w c:\program files\Common Files\Adobe
2008-12-07 03:31 664,064 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-07 02:45 --------- d-----w c:\documents and settings\Andrew\Application Data\fretsonfire
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2003-02-20 2185800]
"Orb"="c:\program files\Winamp Remote\bin\OrbTray.exe" [2008-04-01 507904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2002-08-28 208953]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 455168]
"WinampAgent"="d:\program files\Winamp\winampa.exe" [2008-08-04 36352]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-11-04 7307264]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-11-04 86016]
"DAEMON Tools"="d:\program files\DAEMON Tools\daemon.exe" [2005-11-09 128920]
"nTrayFw"="d:\progra~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe" [2005-04-29 266240]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-07 185872]
"nwiz"="nwiz.exe" [2005-11-04 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"msacm.divxa32"= msaud32_divx.acm


*Newly Created Service* - BITS
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
FireFox -: Profile - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\
FF -: plugin - d:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - d:\program files\RealPlayer\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 12:42:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\System32\ODBC32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\nvappfilter.dll
c:\windows\System32\dssenh.dll
.
Completion time: 2008-12-09 12:43:37
ComboFix-quarantined-files.txt 2008-12-08 23:43:12

Pre-Run: 5,291,040,768 bytes free
Post-Run: 5,282,275,328 bytes free


Re: trojan.zlob.g - eric
Okay, looks good.
What problems remain?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: trojan.zlob.g - eric
A trillion thanks!!

The major one for me would be the activation thing

Last edited by ericshin on 9th December 2008, 12:26 am; edited 1 time in total

Re: trojan.zlob.g - eric
Oh yeah, I forgot to ask. Should I delete all those things you told me to download, or should I keep them in a folder? Because that ComboFix thing sounds quite dodgy for a person like me, as I might click into it.

And also, just as I thought, I can't activate my Windows because it just tells me that I've overused my product key, so could you tell me how to get around this?

Thanks again Belahzur

Last edited by ericshin on 9th December 2008, 12:22 am; edited 1 time in total (Reason for editing : left somethig out)

Re: trojan.zlob.g - eric
Hello.
Please download XP SP3 from here:
http://www.microsoft.com/downloadS/details.aspx?familyid=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en

And install it, then we'll work on the activation.


Re: trojan.zlob.g - eric
hey Belahzur,

I downloaded and installed Windows XP SP3, but now this "svchost - Microsoft Windows Operating system" gets detected by my NVIDIA firewall and it says it's high risk. Then it gives me the options allow or deny. What should I do? And after that, all that's left is the activation thing.

Thanks - Eric

Re: trojan.zlob.g - eric
Hello.
Please allow it to. It's svchost accessing the internet to get the updates for sp3.

Once SP3 is installed, we'll kill the activation warnings.


Re: trojan.zlob.g - eric
OK, thanks a lot for this. I just allowed svchost to access the internet.

Re: trojan.zlob.g - eric
Does that mean I should turn on automatic updates?

Re: trojan.zlob.g - eric
Is SP3 installed now?

If yes, please post a new Hijack This log.


High Jack this log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:43 a.m., on 11/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\DAEMON Tools\daemon.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\system32\devldr32.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Andrew\Desktop\Hijack(GP)This.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nTrayFw] D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - D:\PROGRA~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - D:\PROGRA~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 5312 bytes

Re: trojan.zlob.g - eric
Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe

    :files
    C:\WINDOWS\System32\wgalogon.exe
    C:\WINDOWS\System32\wgalogon.dll

    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]

  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

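As an added example (not OldTimer's tool and not code from this thread), here is a small dry-run parser for the OTMoveIt3 script format used in the instructions above: it splits the :processes / :files / :commands sections and reports which listed files actually exist before anything is killed, moved or rebooted. The script text is embedded as constructed input, and the `exists` callback is an assumption made so the check can run offline against a constructed file set.

```python
"""Dry-run parser for an OTMoveIt3 script (added example, not OldTimer's code)."""
import os
from typing import Callable, Dict, List

# Constructed sample: the script posted in the thread above.
SAMPLE_SCRIPT = """\
:processes
explorer.exe

:files
C:\\WINDOWS\\System32\\wgalogon.exe
C:\\WINDOWS\\System32\\wgalogon.dll

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
"""


def parse_otmoveit(script: str) -> Dict[str, List[str]]:
    """Split the script into its ':section' blocks.

    A line starting with ':' opens a new section; blank lines are ignored.
    Any entry that appears before the first section header is rejected,
    because OTMoveIt would not know what to do with it.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def dry_run(script: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Report what the script would touch without changing anything.

    `exists` is injectable (assumption) so the file check can be run against
    a constructed set of paths instead of the live filesystem.
    """
    sections = parse_otmoveit(script)
    report: List[str] = []
    for proc in sections.get("processes", []):
        report.append(f"would kill process {proc}")
    for path in sections.get("files", []):
        status = "present, would be moved" if exists(path) else "not found"
        report.append(f"File/Folder {path} {status}.")
    for cmd in sections.get("commands", []):
        if not (cmd.startswith("[") and cmd.endswith("]")):
            raise ValueError(f"malformed command: {cmd!r}")
        report.append(f"would run command {cmd}")
    return report
```

Running `dry_run(SAMPLE_SCRIPT)` on a machine without the wga files yields the same "not found" outcome for both paths that the OTMoveIt log reports.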

moveit log
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\WINDOWS\System32\wgalogon.exe not found.
File/Folder C:\WINDOWS\System32\wgalogon.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12112008_101749

Files moved on Reboot...
File C:\DOCUME~1\Andrew\LOCALS~1\Temp\etilqs_IK3qFX0q0Acz0a9j5T2v not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Andrew\Local Settings\Application Data\Mozilla\Firefox\Profiles\0d6ybm7f.default\XUL.mfl moved successfully.

Re: trojan.zlob.g - eric
Okay, the wga files aren't present on this machine.
You may just have to ignore the activation warnings.


Re: trojan.zlob.g - eric
So you mean the activation warnings are fake and I don't actually have to activate my Windows?

Re: trojan.zlob.g - eric
Well no.
The alerts are real; it just means you won't be able to use the following:

Windows Media Player 11 and above
MSN Messenger 9 and above
Internet Explorer 7 and above

But there are alternatives to that.

Winamp or VLC Media Player
Trillian Messenger
Firefox Or Google Chrome


Re: trojan.zlob.g - eric
OK, that's cool, because I don't use those first three things anyway. But I always thought that if I don't activate my Windows it means I can't use my computer?

Anyway thanks for all this Belahzur.

Re: trojan.zlob.g - eric
No.
My machine isn't activated, I can still use mine.


Re: trojan.zlob.g - eric
OK, thanks a lot. Is there anything I can do for you in return?

Re: trojan.zlob.g - eric
Spread the word about us.
Never come back to the malware removal section. ( LOL Banner )

Glad I could help. Smile...


Re: trojan.zlob.g - eric
OK, I will, and thanks again.

Re: trojan.zlob.g - eric
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
