 |  |  |  |  |  |  |  |
Unknown virus
Thread Solved |
New logs:
Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3
2:10:30 PM 8/5/2008
mbam-log-8-5-2008 (14-10-30).txt
Scan type: Full Scan (C:\|)
Objects scanned: 66600
Time elapsed: 27 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP0\A0000017.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:54 PM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\WINNT\explorer.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4680 bytes
Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3
2:10:30 PM 8/5/2008
mbam-log-8-5-2008 (14-10-30).txt
Scan type: Full Scan (C:\|)
Objects scanned: 66600
Time elapsed: 27 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP0\A0000017.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:54 PM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\WINNT\explorer.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4680 bytes
•
•
Join Date: Jul 2008
Posts: 3,014
Reputation: 
Solved Threads: 171
Looking good Barry,
Just a couple more cleanup steps;
Open Notepad and copy/paste the text in the below quote box into it:
* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
Next run HiJackThis again and place checkmarks next to the following entries if they still exist;
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
Once you have the checkmarks placed then click the Fix Checked button.
Exit HJT.
Reboot the system.
Run HJT once more and post the log here.
Now, you do not appear to be running a Firewall or you are running the built in Windows Firewall, which is fine, but you do need a firewall.
Also, your Java is out of date and should be updated. Current version is 6 update 7.
Just a couple more cleanup steps;
Open Notepad and copy/paste the text in the below quote box into it:
•
•
•
•
KILLALL::
Folder::
C:\WINNT\system32\ywmivq.dll
C:\WINNT\system32\csibuesi.dll
C:\WINNT\system32\tagyoogx.dll
C:\WINNT\system32\yhcyuj.dll
C:\WINNT\system32\ewqndptq.dll
C:\WINNT\system32\cfchunpg.dll
C:\WINNT\system32\psfbkt.dll
C:\WINNT\system32\jnbfmson.dll
C:\WINNT\system32\ekfjmlug.dll
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt
Note:
Do not mouseclick combofix's window while it is running. That may cause it to stall.
Next run HiJackThis again and place checkmarks next to the following entries if they still exist;
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
Once you have the checkmarks placed then click the Fix Checked button.
Exit HJT.
Reboot the system.
Run HJT once more and post the log here.
Now, you do not appear to be running a Firewall or you are running the built in Windows Firewall, which is fine, but you do need a firewall.
Also, your Java is out of date and should be updated. Current version is 6 update 7.
Followed the steps above, here is the Combofix log and HJT log after reboot:
ComboFix 08-08-04.07 - Owner 2008-08-06 5:54:42.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\system32\cfchunpg.dll\
C:\WINNT\system32\csibuesi.dll\
C:\WINNT\system32\ekfjmlug.dll\
C:\WINNT\system32\ewqndptq.dll\
C:\WINNT\system32\jnbfmson.dll\
C:\WINNT\system32\psfbkt.dll\
C:\WINNT\system32\tagyoogx.dll\
C:\WINNT\system32\yhcyuj.dll\
C:\WINNT\system32\ywmivq.dll\
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-04 14:34 . 2008-08-05 14:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-06 06:03 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 06:00:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-06 6:06:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 13:05:43
ComboFix2.txt 2008-08-05 18:22:59
Pre-Run: 32,962,154,496 bytes free
Post-Run: 32,950,054,912 bytes free
134
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:31 AM, on 8/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4506 bytes
ComboFix 08-08-04.07 - Owner 2008-08-06 5:54:42.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINNT\system32\cfchunpg.dll\
C:\WINNT\system32\csibuesi.dll\
C:\WINNT\system32\ekfjmlug.dll\
C:\WINNT\system32\ewqndptq.dll\
C:\WINNT\system32\jnbfmson.dll\
C:\WINNT\system32\psfbkt.dll\
C:\WINNT\system32\tagyoogx.dll\
C:\WINNT\system32\yhcyuj.dll\
C:\WINNT\system32\ywmivq.dll\
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-04 14:34 . 2008-08-05 14:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-06 06:03 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder
2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 06:00:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-06 6:06:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 13:05:43
ComboFix2.txt 2008-08-05 18:22:59
Pre-Run: 32,962,154,496 bytes free
Post-Run: 32,950,054,912 bytes free
134
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:31 AM, on 8/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4506 bytes
•
•
Join Date: Jul 2008
Posts: 3,014
Reputation:
Solved Threads: 171
Looks pretty good, just a few files I am not sure about so I would like you to go Jotti's malware scan
There you can upload files and they will be analyzed by apporx. 20 different scanners to maybe tell us exactly what they are.
At the top of the Jotti page there is a window, there you will copy/paste the names and location of these files and then click the submit button. The file will be scanned and the results given to you. Please post those results here. There is a browse button but you will only need to click the submit button since the combofix log gave us the locations. You will have to do these one at a time.
Here are the files you need analyzed one at a time;
C:\WINNT\system32\Jamster.ico
C:\WINNT\system32\ZoneAlarmIconUS.ico
C:\WINNT\mkok
C:\Program Files\Common Files\mkok
Post back here with the results.
There you can upload files and they will be analyzed by apporx. 20 different scanners to maybe tell us exactly what they are.
At the top of the Jotti page there is a window, there you will copy/paste the names and location of these files and then click the submit button. The file will be scanned and the results given to you. Please post those results here. There is a browse button but you will only need to click the submit button since the combofix log gave us the locations. You will have to do these one at a time.
Here are the files you need analyzed one at a time;
C:\WINNT\system32\Jamster.ico
C:\WINNT\system32\ZoneAlarmIconUS.ico
C:\WINNT\mkok
C:\Program Files\Common Files\mkok
Post back here with the results.
Here are the results. The third entry no longer exists and the fourth entry was a folder with a few files in it, i selected one to scan:
File: jamster.ico
Status: OK
MD5: ca86f00d7c4538b71a22967616e28c54
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:50:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: ZoneAlarmIconUS.ico
Status: OK
MD5: af7ec60387915a9c4c1fdd1b10fcb6af
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:54:38 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: mkokh
Status: OK
MD5: 926cffd62e6c0b115844b86151e84fb4
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:58:09 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: jamster.ico
Status: OK
MD5: ca86f00d7c4538b71a22967616e28c54
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:50:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: ZoneAlarmIconUS.ico
Status: OK
MD5: af7ec60387915a9c4c1fdd1b10fcb6af
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:54:38 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
File: mkokh
Status: OK
MD5: 926cffd62e6c0b115844b86151e84fb4
Packers detected: -
Scanner results
Scan taken on 07 Aug 2008 12:58:09 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
•
•
Join Date: Jul 2008
Posts: 3,014
Reputation:
Solved Threads: 171
Looks good to me Barry. How is the computer running?
 |
Similar Threads
- Infected by an unknown virus (Viruses, Spyware and other Nasties)
- Unknown virus (Viruses, Spyware and other Nasties)
- Spyfalcon and some other virus (Viruses, Spyware and other Nasties)
- Unknown Virus (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Hello, Please can you help my computer its poorly.
- Next Thread: Files Corrupted! SOS!
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email europe exam exploit fake fancheckvirus gaming gtaiv gumblar halloween herss.exe hijack hosting internet iphone kaspersky legal mail malware mcafee mega-d messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile parents patch phishing police policeprovirusmba-mblockedinternetaccess president pro problem redirect reliability report research risk rogueantivirus samhain sans school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war windows worm yahoo zeroday
