Unknown virus
Join Date: Mar 2008
Posts: 22
Solved Threads: 0
Hi - I am unable to find the cause but there is something on my PC that is trying to send emails and is trying to disable various items in Windows XP. I have run all of the AV and anti-malware software and I haven't been able to remove it. Malwarebytes' Anti-Malware didn't find anything so there is no log posted but I can provide it if needed.
Any help that can be provided is greatly appreciated!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:38 AM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\system32\wuauclt.exe
F:\HiJackThis.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
--
End of file - 5286 bytes
First of all, you are running two antivirus programs, AVG8 and Norton. This is an absolute no-no. You need to totally UNINSTALL one of them using Add/Remove, following any prompts given by the uninstall. Then you need to do a manual file search on the computer using Start, Search, Files and Folders and looking in hidden files also, for any remaining files from the removed application. This is one reason fixes may not have been completed or one reason this infection is not found.
Once you have removed the program then also turn off SuperAntispyware and the PrevxCSI programs. You don't want them running in the background right now as they could possibly interfere with the scans also.
You are showing an infection by Troj/FakeAle-DQ which is a trojan which will then drop other malware on the computer, so there could be more.
Uninstall the extra antivirus program and Update the remaining one. Update Malwarebytes, update the Superantispyware and then of course TURN it off.
Run a scan with the ESET Online Scanner
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
Once you have done the above then shut down the computer. Disconnect from the internet; if you are using broadband or something that is "always on" then unplug the cable from the computer.
Reboot the computer.
Run your antivirus program and allow it to fix/quarantine or delete anything found.
Run Superantispyware and allow it to fix anything found.
Run the Malwarebytes Anti-Malware program and also allow it to fix everything found.
Save the logs for ALL of the above.
Then run HJT again and save the new log for posting here along with the others.
Shut down the computer. Plug internet cable back in. Reboot and come back here with those logs.
Judy
Join Date: Mar 2008
Posts: 22
Solved Threads: 0
Thank you for your assistance...
The Norton AV was a trial version that was never activated so I didn't think it was doing anything. I have removed it and I ran the AVG 8.0 again. Here are the logs:
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3325 (20080804)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=222e2146fc2788438cac2b3a84866fca
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-08-04 08:11:51
# local_time=2008-08-04 01:11:51 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=179188
# found=9
# scan_time=1192
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13223 probably a variant of Win32/TrojanDownloader.PurityScan trojan B95A4D9E742CBD432B9622A22FB5157E
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48558 Win32/Adware.CommAd application 3E2C234DDE711C6754F2DF994FB3CC94
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.52914 Win32/TrojanDownloader.Small.CYF trojan 5BC6C9CD1768A008EA4E73B09D96D76A
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.62612 Win32/Adware.CommAd application 0F8DEB5A57D8310B2D7EF90B84480F13
C:\Program Files\Common Files\mkok\mkokd\vocabulary Win32/TrojanDownloader.TSUpdate.J trojan 7901AE90CA5D7979D4FCA52D83D420FB
C:\Program Files\Mozilla Firefox\components\zxjkewvi.dll Win32/TrojanClicker.Agent.BCI trojan 38F4E612E1581773F94EE1EB1067CBBC
C:\SDFix\backups\backups.zip Win32/Adware.Virtumonde application D4AFB48A33FE718D3816BA43689DF73C
C:\SDFix\backups\backups.zip »ZIP »backups/removalfile.bat Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\WINNT\system32\karina.dat Win32/TrojanDownloader.Agent.OBD trojan 6544840373E3A5A4810EE6FEA25A59E5
Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3
2:59:56 PM 8/4/2008
mbam-log-8-4-2008 (14-59-56).txt
Scan type: Full Scan (C:\|)
Objects scanned: 67581
Time elapsed: 19 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINNT\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\winnt\system32\karina.dat -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Skra (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Infected (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Suspicious (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Mozilla Firefox\components\zxjkewvi.dll (Trojan.Peed) -> Quarantined and deleted successfully.
C:\Program Files\Skra\Skra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Antispyware 2008\vscan.tsi (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\zlib.dll (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antispyware 2008\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINNT\system32\msliksurcredo.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINNT\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMf7d35bbc.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMf7d35bbc.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:01 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4707 bytes
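Added example, not part of any post in this thread: a small Python script that compares a before and an after HijackThis log and lists which entries disappeared, which are new, and which autostart entries still appear in both. The sample lines are excerpts copied from the two HijackThis logs posted above; the function names (`parse_hjt`, `diff_logs`, `review_candidates`) are hypothetical.

```python
import re
from collections import namedtuple

# One HijackThis entry line, e.g. "O20 - AppInit_DLLs: C:\...\file.dat"
Entry = namedtuple("Entry", "code detail")

# Entry lines start with a section code (R0, O4, O23, ...) followed by " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Excerpt of the first HijackThis log in the thread (8:40:38 AM).
BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# Excerpt of the second HijackThis log in the thread (3:34:01 PM).
AFTER = r"""
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""


def parse_hjt(text):
    """Return the set of entry lines (section code + detail) in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add(Entry(match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Compare two logs and sort the entries into removed / added / persisted."""
    b, a = parse_hjt(before), parse_hjt(after)
    return {
        "removed": sorted(b - a),    # present before, gone after
        "added": sorted(a - b),      # new in the second log
        "persisted": sorted(b & a),  # identical line in both logs
    }


def review_candidates(entries):
    """Pick the entries worth a second look: AppInit_DLLs values (loaded into
    every process that loads user32.dll) and services whose file is missing."""
    picked = []
    for entry in entries:
        detail = entry.detail.lower()
        if entry.code == "O20" and detail.startswith("appinit_dlls:"):
            picked.append(entry)
        elif entry.code == "O23" and detail.endswith("(file missing)"):
            picked.append(entry)
    return sorted(picked)


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for bucket in ("removed", "added"):
        print(bucket.upper())
        for entry in result[bucket]:
            print("  %s - %s" % entry)
    # "Persisted" only means the same line is in both logs; it says nothing
    # about why the entry is still listed.
    print("STILL LISTED, REVIEW")
    for entry in review_candidates(result["persisted"]):
        print("  %s - %s" % entry)
```

Run against full logs by reading each saved HijackThis file into a string and passing the two strings to `diff_logs`.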
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4707 bytes
I want you to try this with HJT.
Open HijackThis and click 'Config' (bottom right). Choose the 'Misc Tools' tab on top.
Choose 'delete a file on reboot'.
In the field, copy and paste C:\WINNT\system32\karina.dat
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.
Allow the PC to reboot, if it doesn't do it automatically, reboot manually.
Once you have done that, empty ALL those Quarantine files....AVG and MBAM both.
Reboot again.
Then run both programs again...MBAM first and then your AVG. Save the logs for posting here, even if you believe they are empty. I want to see them.
Once you have run both of those then run a new HJT scan and save the log.
Post back with the new logs requested.
Judy
•
•
Join Date: Mar 2008
Posts: 22
Reputation:
Solved Threads: 0
Thanks again for your assistance! Here are the logs:
Scan "Scan whole computer" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Tuesday, August 05, 2008, 5:33:21 AM"
Scan finished:;"Tuesday, August 05, 2008, 6:15:13 AM (41 minute(s) 52 second(s))"
Total object scanned:;"386907"
User who launched the scan:;"Owner"
Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3
7:05:10 AM 8/5/2008
mbam-log-8-5-2008 (07-04-56).txt
Scan type: Full Scan (C:\|)
Objects scanned: 67636
Time elapsed: 29 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> No action taken.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/05/2008 at 07:33 AM
Application Version : 4.15.1000
Core Rules Database Version : 3469
Trace Rules Database Version: 1460
Scan type : Complete Scan
Total Scan Time : 00:23:17
Memory items scanned : 292
Memory threats detected : 0
Registry items scanned : 5119
Registry threats detected : 0
File items scanned : 12193
File threats detected : 0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:30 AM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4707 bytes
Did you do this?
Why didn't you tell mbam to fix the following?
•
•
•
•
Open hijackthis, click 'config' (bottom right) Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'.
In the field, copy and paste C:\WINNT\system32\karina.dat
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes..
•
•
•
•
Files Infected: 1
Files Infected:
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> No action taken.
Yep, still there.
Let's try this;
Download ComboFix to the desktop.
You may get a prompt asking if you want to Run or Save. Choose Save and be absolutely certain you save it to the desktop.
At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When you click that ComboFix icon, you may get a warning prompt because ComboFix doesn't have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix will prepare to run and then you may see a Disclaimer Screen. You should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then back up your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
Please then come back here and post that combofix log and we can better judge where things stand.
Judy
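Both HijackThis logs posted in this thread (8/4 and 8/5) carry the same O20 AppInit_DLLs line, before and after the delete-on-reboot step. The Python sketch below is an added example, not part of the original posts and not HijackThis code: it parses HijackThis entry lines, flags two patterns visible in these logs, and reports which findings survive from one scan to the next. The finding names, the "non-.dll AppInit value" heuristic and the cleaned scan are assumptions made for the illustration.

```python
import ntpath
import re

# Lines excerpted from the HijackThis logs posted in this thread.
SCAN_AUG4 = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""
SCAN_AUG5 = SCAN_AUG4  # the 8/5 log repeats these same entries

# Constructed for contrast: what the excerpt would look like once the
# AppInit_DLLs value has been emptied (HijackThis then prints no such line).
SCAN_CLEANED_CONSTRUCTED = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
"""

# HijackThis entry lines look like "<code> - <body>", e.g. "O20 - AppInit_DLLs: ...".
LINE_RE = re.compile(r"^(?P<code>[ROFN]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(code, body)] for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(entries):
    """Return [(finding, subject)] for entries that deserve a closer look.

    Heuristics (assumptions of this example, not verdicts):
      * AppInit_DLLs names modules that Windows loads into every process
        that loads user32.dll, so a value that is not a .dll file stands out.
      * An O23 service whose image is reported as "(file missing)" is a
        leftover registration worth reviewing.
    Subjects are lower-cased because Windows paths are case-insensitive.
    """
    findings = []
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            for path in (p.strip() for p in value.split(",")):
                if path and ntpath.splitext(path)[1].lower() != ".dll":
                    findings.append(("appinit-non-dll", path.lower()))
        elif code == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[2].endswith("(file missing)"):
                findings.append(("service-file-missing", parts[0].lower()))
    return findings


def persisting(before, after):
    """Findings present in both scans, i.e. not removed between them."""
    common = set(triage(parse_hjt(before))) & set(triage(parse_hjt(after)))
    return sorted(common)


if __name__ == "__main__":
    for finding in persisting(SCAN_AUG4, SCAN_AUG5):
        print("still present:", finding)
```

A flagged entry is a lead to check against the scanner results, not proof of infection on its own.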
•
•
Join Date: Mar 2008
Posts: 22
Reputation:
Solved Threads: 0
I disabled everything before I started, hopefully nothing interfered with the process.
Here's the log:
ComboFix 08-08-04.07 - Owner 2008-08-05 11:11:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.84 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\CURITY~1
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Owner\My Documents\SSTEM3~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\fnts~2
C:\WINNT\IA
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\pjerxowa.ini
C:\WINNT\system32\txusdorj.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-04 14:34 . 2008-08-05 07:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-05 11:20 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
2008-07-30 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 21:35]
2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tkkxoj7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - WWW.MYEMBARQ.COM
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 11:17:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe????X?w???????tP??????????????????????????????v????????????????????????????????????s???????????????????P/??????????|??? ???????????|???????????????|???????????????????????P???P????????????????@??????????????????F??t????????????????????????????C
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-05 11:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 18:22:37
Pre-Run: 32,972,603,392 bytes free
Post-Run: 32,951,373,824 bytes free
152
Here's the log:
ComboFix 08-08-04.07 - Owner 2008-08-05 11:11:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.84 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Owner\Application Data\CURITY~1
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Owner\My Documents\SSTEM3~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\fnts~2
C:\WINNT\IA
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\pjerxowa.ini
C:\WINNT\system32\txusdorj.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-04 14:34 . 2008-08-05 07:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-05 11:20 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
2008-07-30 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 21:35]
2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tkkxoj7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - WWW.MYEMBARQ.COM
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 11:17:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe????X?w???????tP??????????????????????????????v????????????????????????????????????s???????????????????P/??????????|??? ???????????|???????????????|???????????????????????P???P????????????????@??????????????????F??t????????????????????????????C
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-05 11:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 18:22:37
Pre-Run: 32,972,603,392 bytes free
Post-Run: 32,951,373,824 bytes free
152