
Hi - I am unable to find the cause but there is something on my PC that is trying to send emails and is trying to disable various items in Windows XP. I have run all of the AV and anti-malware software and I haven't been able to remove it. Malwarebytes' Anti-Malware didn't find anything so there is no log posted but I can provide it if needed.

Any help that can be provided is greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:38 AM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\system32\wuauclt.exe
F:\HiJackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner (csiscanner) - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

--
End of file - 5286 bytes

2 Contributors, 17 Replies, 18 Views, 9 Years Discussion Span, Last Post by jholland1964

First of all, you are running two antivirus programs, AVG8 and Norton. This is an absolute no-no. You need to totally UNINSTALL one of them using Add/Remove, following any prompts given by the uninstall. Then you need to do a manual file search on the computer using Start, Search, Files and Folders and looking in hidden files also, for any remaining files from the removed application. This is one reason fixes may not have been completed or one reason this infection is not found.

Once you have removed the program, then also turn off SuperAntispyware and the PrevxCSI programs; you don't want them running in the background right now, as they could possibly interfere with the scans also.
You are showing an infection by Troj/FakeAle-DQ, which is a trojan that will then drop other malware on the computer, so there could be more.

Uninstall the extra antivirus program and Update the remaining one. Update Malwarebytes, update the Superantispyware and then of course TURN it off.
Run a scan with the ESET Online Scanner
* You will need to use Internet Explorer to complete this scan.
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

Once you have done the above then shut down the computer. Disconnect from the internet; if you are using broadband or something that is "always on", then unplug the cable from the computer.
Reboot the computer.
Run your antivirus program and allow it to fix/quarantine or delete anything found.
Run Superantispyware and allow it to fix anything found.
Run the Malwarebytes Anti-Malware program and also allow it to fix everything found.
Save the logs for ALL of the above.
Then run HJT again and save the new log for posting here along with the others.
Shut down the computer. Plug internet cable back in. Reboot and come back here with those logs.
Judy
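Added example (not part of this thread, and not a HijackThis feature): the lines Judy is reading in the HJT log above are exactly the ones a small triage script can surface on its own. The O20 AppInit_DLLs entry pointing at a ".dat" file in system32, the O17 NameServer lines (where a DNS changer would show up), and the O23 service whose binary is "(file missing)" are each checked below with heuristics that are this example's own, not the tool's. The sample log is constructed from lines copied out of the log above plus one made-up O17 line using the documentation address 203.0.113.7 so the resolver check has a hit; flagged lines are triage prompts for a human, not verdicts.

```python
"""Triage a HijackThis v2 log for the entry types that carried persistence
in this thread.  Added example: not part of the thread, not HijackThis code;
the heuristics are this example's own."""
import ipaddress
import re

# An HJT entry line: section code (R0-R3, F0-F3, N1-N4, O1-O24), " - ", body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# RFC 1918 ranges.  On a home PC the resolver is normally the router, so a
# NameServer outside these ranges in an O17 line deserves a second look.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: lines copied from the HJT log posted above, plus one
# made-up O17 line (203.0.113.7 is a documentation address) for the DNS check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.0.113.7
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def on_lan(value):
    """True if value parses as an IP address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def check_entry(code, body):
    """Return a list of (severity, reason) findings for one HJT entry."""
    findings = []
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL named here is loaded into each user-mode process that
        # loads user32.dll; a non-.dll file name is a classic disguise.
        # The value is space/comma separated, so paths with spaces are
        # inherently ambiguous and split here as well.
        for item in re.split(r"[,\s]+", body.split(":", 1)[1].strip()):
            if item and not item.lower().endswith(".dll"):
                findings.append(("high", f"AppInit_DLLs loads non-DLL file {item}"))
    elif code == "O17":
        m = re.search(r"NameServer = (.+)$", body)
        for server in (re.split(r"[,\s]+", m.group(1)) if m else []):
            if server and not on_lan(server):
                findings.append(("medium", f"resolver {server} is not on the LAN"))
    elif code == "O23" and body.endswith("(file missing)"):
        # Orphaned service entries are often leftovers of uninstalls, but they
        # are also what remains after a rootkit driver file is deleted.
        findings.append(("low", "service entry points at a file that no longer exists"))
    return findings


def triage(log_text):
    """Map each HJT entry line that produced findings to those findings."""
    report = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, 'Running processes' paths, blank lines
        findings = check_entry(m.group("code"), m.group("body"))
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        for severity, reason in findings:
            print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample, the script reports three lines: karina.dat under AppInit_DLLs, the made-up off-LAN resolver, and the missing PictureTaker service binary; the AVG entries and the 192.168.2.1 resolver pass. The "low" finding is deliberately kept in the report rather than suppressed, because the same shape appears after a rootkit driver has been deleted but its service key was left behind.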


Thank you for your assistance...

The Norton AV was a trial version that was never activated so I didn't think it was doing anything. I have removed it and I ran the AVG 8.0 again. Here are the logs:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3325 (20080804)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=222e2146fc2788438cac2b3a84866fca
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-08-04 08:11:51
# local_time=2008-08-04 01:11:51 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=179188
# found=9
# scan_time=1192
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.13223 probably a variant of Win32/TrojanDownloader.PurityScan trojan B95A4D9E742CBD432B9622A22FB5157E
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.48558 Win32/Adware.CommAd application 3E2C234DDE711C6754F2DF994FB3CC94
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.52914 Win32/TrojanDownloader.Small.CYF trojan 5BC6C9CD1768A008EA4E73B09D96D76A
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.62612 Win32/Adware.CommAd application 0F8DEB5A57D8310B2D7EF90B84480F13
C:\Program Files\Common Files\mkok\mkokd\vocabulary Win32/TrojanDownloader.TSUpdate.J trojan 7901AE90CA5D7979D4FCA52D83D420FB
C:\Program Files\Mozilla Firefox\components\zxjkewvi.dll Win32/TrojanClicker.Agent.BCI trojan 38F4E612E1581773F94EE1EB1067CBBC
C:\SDFix\backups\backups.zip Win32/Adware.Virtumonde application D4AFB48A33FE718D3816BA43689DF73C
C:\SDFix\backups\backups.zip »ZIP »backups/removalfile.bat Win32/Adware.Virtumonde application 00000000000000000000000000000000
C:\WINNT\system32\karina.dat Win32/TrojanDownloader.Agent.OBD trojan 6544840373E3A5A4810EE6FEA25A59E5


Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3

2:59:56 PM 8/4/2008
mbam-log-8-4-2008 (14-59-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 67581
Time elapsed: 19 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\winnt\system32\karina.dat -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Skra (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Infected (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\Suspicious (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antispyware 2008 (Rogue.Antispyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Mozilla Firefox\components\zxjkewvi.dll (Trojan.Peed) -> Quarantined and deleted successfully.
C:\Program Files\Skra\Skra.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\karina.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> Delete on reboot.
C:\Program Files\Antispyware 2008\vscan.tsi (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Program Files\Antispyware 2008\zlib.dll (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antispyware 2008\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINNT\system32\msliksurcredo.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINNT\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMf7d35bbc.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINNT\BMf7d35bbc.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antispyware-2008.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
C:\WINNT\system32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:01 PM, on 8/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

--
End of file - 4707 bytes


I want you to try this with HJT.
Open hijackthis, click 'config' (bottom right). Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'.
In the field, copy and paste C:\WINNT\system32\karina.dat
Click open. Hijackthis will tell you that this file will be deleted on next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes.

Allow the PC to reboot, if it doesn't do it automatically, reboot manually.
Once you have done that, empty ALL those Quarantine files, AVG and MBAM both.
Reboot again.
Then run both programs again, MBAM first and then your AVG. Save the logs for posting here, even if you believe they are empty. I want to see them.
Once you have run both of those then run a new HJT scan and save the log.
Post back with the new logs requested.
Judy
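Added example (not part of this thread, not HijackThis code): the 'delete a file on reboot' step above does not delete anything itself; it queues the deletion for the next boot the same way Windows' own MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does, in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. That value holds string pairs (source, then destination): an empty destination means delete, a destination starting with '!' means replace an existing file, and sources carry the NT '\??\' prefix. The decoder below reads the raw value bytes so it can be run on any platform, for instance over an exported value; the sample value is constructed here, and the "example.dll" replace entry in it is made up.

```python
r"""Decode a PendingFileRenameOperations value and show what Windows will do
at the next boot.  Added example: not part of this thread, not HijackThis
code.  Layout assumed is the one MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT)
writes: REG_MULTI_SZ string pairs (source, destination), empty destination
= delete, leading '!' on the destination = replace, sources prefixed '\??\'."""

NT_PREFIX = "\\??\\"


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: UTF-16LE, a NUL after each string, one extra NUL
    at the end.  Only used here to construct the sample value."""
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(data):
    """Return a list of (kind, source, destination); kind is 'delete',
    'replace' or 'move', destination is None for deletes."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("value is not a NUL-terminated REG_MULTI_SZ")
    if text.strip("\0") == "":
        return []  # nothing queued
    # Empty destinations show up as consecutive NULs, so split on single NULs
    # after removing the terminator instead of stopping at the first double NUL.
    strings = text[:-2].split("\0")
    if len(strings) % 2:
        raise ValueError("source/destination strings are not paired")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("move", src, strip_nt_prefix(dst)))
    return ops


def is_delete_queued(data, path):
    """True if `path` is scheduled for deletion; NTFS names compare
    case-insensitively, so the comparison does too."""
    return any(kind == "delete" and src.lower() == path.lower()
               for kind, src, _ in decode_pending_ops(data))


# Constructed sample: the value after queuing karina.dat for deletion, plus a
# hypothetical (made-up) replace of a DLL by a pending update.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\WINNT\system32\karina.dat", "",
    NT_PREFIX + r"C:\WINNT\system32\example.dll.new",
    "!" + NT_PREFIX + r"C:\WINNT\system32\example.dll",
])

if __name__ == "__main__":
    for kind, src, dst in decode_pending_ops(SAMPLE_VALUE):
        print(f"{kind:8} {src} -> {dst}")
    print("karina.dat queued:",
          is_delete_queued(SAMPLE_VALUE, r"C:\WINNT\system32\karina.dat"))
```

The practical use is the question that comes up a few posts later ("Is it still there?"): if the file survives the reboot, checking whether the delete was ever queued, and whether the source path in the value matches the file's actual path, separates a failed queueing from a file that something re-creates at startup.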


Thanks again for your assistance! Here are the logs:

Scan "Scan whole computer" was finished.
Infections found:;"0"
Infected objects removed or healed:;"0"
Not removed or healed:;"0"
Spyware found:;"0"
Spyware removed:;"0"
Not removed:;"0"
Warnings count:;"0"
Information count:;"0"
Scan started:;"Tuesday, August 05, 2008, 5:33:21 AM"
Scan finished:;"Tuesday, August 05, 2008, 6:15:13 AM (41 minute(s) 52 second(s))"
Total object scanned:;"386907"
User who launched the scan:;"Owner"


Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3

7:05:10 AM 8/5/2008
mbam-log-8-5-2008 (07-04-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 67636
Time elapsed: 29 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> No action taken.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/05/2008 at 07:33 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type : Complete Scan
Total Scan Time : 00:23:17

Memory items scanned : 292
Memory threats detected : 0
Registry items scanned : 5119
Registry threats detected : 0
File items scanned : 12193
File threats detected : 0


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:30 AM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINNT\system32\karina.dat
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

--
End of file - 4707 bytes


Did you do this?

Open hijackthis, click 'config' (bottom right). Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'.
In the field, copy and paste C:\WINNT\system32\karina.dat
Click open. Hijackthis will tell you that this file will be deleted on next reboot and ask if you want to reboot now.
When asked if you want to reboot now, say Yes.

Why didn't you tell mbam to fix the following?

Files Infected: 1
Files Infected:
C:\WINNT\system32\drivers\27d8974d.sys (Rootkit.Agent) -> No action taken.


Yes, I did the first part and I also did clean the file on the second part, I must have grabbed the log before cleaning. Is it still there?


Yep, still there.
Let's try this:
Download ComboFix to the desktop.
You may get a prompt asking if you want to Run or Save. Choose Save and be absolutely certain you save it to the desktop.
At this point you should do the following:

* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.
When you click that Combofix Icon you may get a warning prompt because ComboFix doesn't have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.
ComboFix will prepare to run and then you may see a Disclaimer Screen. You should press the number 1 key and then press the enter key to continue.
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry.
Once the Windows Registry has finished being backed up, ComboFix will disconnect your computer from the Internet. Therefore, do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet as your connection will be completely restored at a later stage in the program.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to what they were previously. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan.
When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
Please then come back here and post that combofix log and we can better judge where things stand.
Judy


I disabled everything before I started, hopefully nothing interfered with the process.

Here's the log:

ComboFix 08-08-04.07 - Owner 2008-08-05 11:11:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.84 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\CURITY~1
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\84UKRT88\interclick.com\ud.sol
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Owner\My Documents\SSTEM3~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\F?nts\
C:\Program Files\Common Files\fnts~2
C:\WINNT\IA
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\pjerxowa.ini
C:\WINNT\system32\txusdorj.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-04 14:34 . 2008-08-05 07:35 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-05 11:20 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 C:\WINNT\Tasks\HP Usg Daily.job
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe [2004-03-31 21:35]

2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - C:\Program Files\Microsoft Works\WkDetect.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8tkkxoj7.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - WWW.MYEMBARQ.COM


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 11:17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
OOBEDDDemise = cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe????X?w???????tP??????????????????????????????v????????????????????????????????????s???????????????????P/??????????|??? ???????????|???????????????|???????????????????????P???P????????????????@??????????????????F??t????????????????????????????C

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-08-05 11:22:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 18:22:37

Pre-Run: 32,972,603,392 bytes free
Post-Run: 32,951,373,824 bytes free

152


Ok, give me some time to go through all this and I will get back with you. In the meantime, empty the Malwarebytes Anti-Malware quarantine, then update that program and run it again. Also run HJT again. Post back with those logs, even if I have not come back with the ComboFix info.
Judy


New logs:

Malwarebytes' Anti-Malware 1.24
Database version: 1025
Windows 5.1.2600 Service Pack 3

2:10:30 PM 8/5/2008
mbam-log-8-5-2008 (14-10-30).txt

Scan type: Full Scan (C:\|)
Objects scanned: 66600
Time elapsed: 27 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP0\A0000017.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:54 PM, on 8/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\WINNT\explorer.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

--
End of file - 4680 bytes


Looking good, Barry.
Just a couple more cleanup steps:
Open Notepad and copy/paste the text in the quote box below into it:

KILLALL::

Folder::

C:\WINNT\system32\ywmivq.dll
C:\WINNT\system32\csibuesi.dll
C:\WINNT\system32\tagyoogx.dll
C:\WINNT\system32\yhcyuj.dll
C:\WINNT\system32\ewqndptq.dll
C:\WINNT\system32\cfchunpg.dll
C:\WINNT\system32\psfbkt.dll
C:\WINNT\system32\jnbfmson.dll
C:\WINNT\system32\ekfjmlug.dll


Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OOBEDDDemise"="erase" [X]

* Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
* At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
* You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
* Now use your mouse to drag CFscript.txt on top of ComboFix.exe
* Follow the prompts.
* When it finishes, a log will be produced named c:\combofix.txt

Note:

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Next run HijackThis again and place checkmarks next to the following entries if they still exist:

O4 - HKLM\..\RunOnce: [OOBEDDDemise] cmd /x /c erase C:\WINNT\System32\oobe\msoobe.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
Once you have the checkmarks placed then click the Fix Checked button.
Exit HJT.
Reboot the system.
Run HJT once more and post the log here.
Now, you do not appear to be running a firewall, or you are running the built-in Windows Firewall, which is fine, but you do need a firewall.
Also, your Java is out of date and should be updated. The current version is 6 Update 7.

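Why those nine DLLs and nothing else from the ComboFix listing? They share two traits that legitimate system32 files almost never show together: random-looking lowercase names and identical byte sizes, dropped in batches (six files at 105,472 bytes, three at 91,648). The Python script below is an added example, not part of the original thread and not a ComboFix feature, that applies exactly that heuristic to "Files Created" lines in ComboFix's format. The sample listing is constructed from the lines quoted above, with a few legitimate AVG and SP3 entries kept in as negative cases (avgrsstx.dll is eight lowercase letters too, but stands alone at 10,520 bytes, so it must not be flagged). A second rule surfaces, for review only, drivers with eight-hex-digit names such as 4593f830.sys, which the listing shows being rewritten at every boot; the thread does not identify that file, and the rule is a prompt to look, not a verdict.

```python
"""Triage a ComboFix "Files Created" listing for batches of randomly named DLLs.

Heuristic only: random-looking system32 DLLs that arrive in groups of identical
size are flagged; a single odd name on its own is not enough.
"""
import re
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "created modified size is_dir attrs path")

# One ComboFix line: "<created> . <modified> <size|<DIR>> <attrs> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>\S.*?)\s*$"
)

RANDOM_DLL = re.compile(r"^[a-z]{6,8}\.dll$")   # e.g. ywmivq.dll, jnbfmson.dll
HEX_DRIVER = re.compile(r"^[0-9a-f]{8}\.sys$")  # e.g. 4593f830.sys

# Constructed sample: lines copied from the ComboFix log above, plus legitimate
# AVG / Service Pack entries that a sound heuristic must leave alone.
SAMPLE_LISTING = r"""
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-05 11:20 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll
"""


def parse_listing(text):
    """Turn ComboFix listing lines into Entry tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, "." separators
        is_dir = m["size"] == "<DIR>"
        size = 0 if is_dir else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, is_dir, m["attrs"], m["path"]))
    return entries


def _split(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    directory, _, name = path.rpartition("\\")
    return directory.lower(), name


def find_dll_clusters(entries, min_cluster=2):
    """Group random-looking system32 DLLs by exact byte size.

    Only sizes shared by at least `min_cluster` distinct files are returned:
    the batch-of-identical-size pattern is what separates a dropper's payload
    from a lone oddly named but legitimate library.
    """
    by_size = defaultdict(list)
    for e in entries:
        directory, name = _split(e.path)
        if e.is_dir or not directory.endswith("\\system32"):
            continue
        if RANDOM_DLL.match(name):
            by_size[e.size].append(e.path)
    return {size: sorted(paths) for size, paths in by_size.items() if len(paths) >= min_cluster}


def suspicious_paths(entries):
    """Flat, sorted list of every DLL that belongs to a flagged size cluster."""
    return sorted(p for paths in find_dll_clusters(entries).values() for p in paths)


def hex_named_drivers(entries):
    """Drivers named with exactly eight hex digits: surfaced for manual review only."""
    return sorted(
        e.path for e in entries
        if not e.is_dir
        and _split(e.path)[0].endswith("\\drivers")
        and HEX_DRIVER.match(_split(e.path)[1])
    )


if __name__ == "__main__":
    found = parse_listing(SAMPLE_LISTING)
    for size, paths in sorted(find_dll_clusters(found).items()):
        print(f"{len(paths)} random-named DLLs of {size:,} bytes:")
        for p in paths:
            print("   ", p)
    for p in hex_named_drivers(found):
        print("review:", p)
```

Run against the listing quoted in the thread, the two clusters it reports are precisely the nine files in the CFScript above, and the eight-hex-digit rule pulls out 4593f830.sys and nothing else. The size-cluster rule is deliberately conservative: change `min_cluster` to 1 and avgrsstx.dll and dpcdll.dll start appearing, which is exactly the false-positive behaviour the clustering is there to avoid.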

Followed the steps above, here is the Combofix log and HJT log after reboot:

ComboFix 08-08-04.07 - Owner 2008-08-06 5:54:42.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\cfchunpg.dll\
C:\WINNT\system32\csibuesi.dll\
C:\WINNT\system32\ekfjmlug.dll\
C:\WINNT\system32\ewqndptq.dll\
C:\WINNT\system32\jnbfmson.dll\
C:\WINNT\system32\psfbkt.dll\
C:\WINNT\system32\tagyoogx.dll\
C:\WINNT\system32\yhcyuj.dll\
C:\WINNT\system32\ywmivq.dll\

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-04 14:34 . 2008-08-05 14:10 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 13:38 . 2008-08-04 13:38 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-04 13:36 . 2008-08-04 13:47 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-04 13:36 . 2008-08-04 13:36 <DIR> d-------- C:\Program Files\AVG
2008-08-04 13:36 . 2008-08-04 13:38 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-04 13:36 . 2008-08-04 13:38 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-04 12:46 . 2008-08-04 13:11 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-08-04 12:42 . 2008-07-30 20:07 38,472 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-08-04 12:32 . 2008-08-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-04 12:07 . 2008-08-04 12:07 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-04 08:33 . 2008-08-04 08:33 2 --a------ C:\WINNT\msoffice.ini
2008-08-04 08:02 . 2008-08-04 08:02 <DIR> d-------- C:\WINNT\ERUNT
2008-08-04 07:57 . 2008-08-04 08:25 <DIR> d-------- C:\SDFix
2008-08-01 15:40 . 2008-08-01 15:41 316,640 --a------ C:\WINNT\WMSysPr9.prx
2008-08-01 15:40 . 2008-04-14 05:42 221,184 --a------ C:\WINNT\system32\wmpns.dll
2008-08-01 15:05 . 2008-04-13 22:58 2,940,928 --------- C:\WINNT\system32\dllcache\wmploc.dll
2008-08-01 15:03 . 2006-12-29 00:31 19,569 --a------ C:\WINNT\002470_.tmp
2008-08-01 15:02 . 2007-08-10 20:46 26,488 --a------ C:\WINNT\system32\spupdsvc.exe
2008-08-01 14:45 . 2008-04-14 02:30 103,424 --a------ C:\WINNT\system32\dpcdll.dll
2008-08-01 14:44 . 2008-08-01 15:07 <DIR> d-------- C:\WINNT\ServicePackFiles
2008-08-01 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINNT\000001_.tmp
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-08-01 12:44 . 2008-08-01 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-01 11:55 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-08-01 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 11:55 . 2008-07-30 20:07 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\ywmivq.dll
2008-07-31 10:05 . 2008-07-31 10:05 105,472 --a------ C:\WINNT\system32\csibuesi.dll
2008-07-31 10:04 . 2008-08-01 12:21 91,648 --------- C:\WINNT\system32\tagyoogx.dll
2008-07-31 10:01 . 2008-08-06 06:03 105,408 --a------ C:\WINNT\system32\drivers\4593f830.sys
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\yhcyuj.dll
2008-07-30 10:02 . 2008-07-30 10:02 105,472 --a------ C:\WINNT\system32\ewqndptq.dll
2008-07-30 10:00 . 2008-07-30 10:00 91,648 --a------ C:\WINNT\system32\cfchunpg.dll
2008-07-29 23:07 . 2008-07-29 23:05 4,286 --a------ C:\WINNT\system32\Jamster.ico
2008-07-29 12:20 . 2008-07-31 10:14 9,662 --a------ C:\WINNT\system32\ZoneAlarmIconUS.ico
2008-07-29 12:14 . 2008-07-29 12:14 <DIR> d-------- C:\WINNT\mkok
2008-07-29 12:14 . 2008-07-29 13:20 <DIR> d-------- C:\Program Files\Common Files\mkok
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\psfbkt.dll
2008-07-28 17:37 . 2008-07-28 17:37 105,472 --a------ C:\WINNT\system32\jnbfmson.dll
2008-07-28 17:34 . 2008-07-28 17:34 91,648 --a------ C:\WINNT\system32\ekfjmlug.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-04 20:31 --------- d-----w C:\Program Files\Symantec
2008-08-04 20:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2004-03-23 22:49 55,832 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 13:38 1235736]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2002-01-09 22:53:14 200704]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2002-08-26 09:04:52 83360]
ScreenArt.lnk - C:\Program Files\ScreenArt\WillowRd.exe [2008-01-24 14:04:18 339968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 avgldx86;AVG AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-04 13:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 13:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 13:38]
R2 avgtdix;AVG8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-04 13:38]
S1 27d8974d;27d8974d;C:\WINNT\system32\drivers\27d8974d.sys []
S3 AL101;Airlink101 802.11g PCI Driver;C:\WINNT\system32\DRIVERS\AL101.sys [2006-07-04 16:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINNT\system32\Drivers\ALABULK2.sys [2002-07-09 18:20]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SYMTDI
.
Contents of the 'Scheduled Tasks' folder

2002-06-05 C:\WINNT\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-19 09:20]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 06:00:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\NMSSvc.Exe
C:\WINNT\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-06 6:06:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-06 13:05:43
ComboFix2.txt 2008-08-05 18:22:59

Pre-Run: 32,962,154,496 bytes free
Post-Run: 32,950,054,912 bytes free

134

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:41:31 AM, on 8/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\ScreenArt\WillowRd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {fb5f1910-f110-11d2-bb9e-00c04f795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {56762dec-6b0d-4ab4-a8ad-989993b5d08b} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217621481436
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{D559E48D-45D9-4C4F-8F4A-487FE4899D9F}: NameServer = 192.168.2.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe

--
End of file - 4506 bytes


Looks pretty good, just a few files I am not sure about, so I would like you to go to Jotti's malware scan.
There you can upload files and they will be analyzed by approx. 20 different scanners to maybe tell us exactly what they are.
At the top of the Jotti page there is a window; there you will copy/paste the names and locations of these files and then click the submit button. The file will be scanned and the results given to you. Please post those results here. There is a browse button, but you will only need to click the submit button since the ComboFix log gave us the locations. You will have to do these one at a time.
Here are the files you need analyzed, one at a time:

C:\WINNT\system32\Jamster.ico

C:\WINNT\system32\ZoneAlarmIconUS.ico

C:\WINNT\mkok

C:\Program Files\Common Files\mkok

Post back here with the results.


Here are the results. The third entry no longer exists, and the fourth entry was a folder with a few files in it; I selected one to scan:


File: jamster.ico
Status: OK
MD5: ca86f00d7c4538b71a22967616e28c54
Packers detected: -

Scanner results
Scan taken on 07 Aug 2008 12:50:36 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: ZoneAlarmIconUS.ico
Status: OK
MD5: af7ec60387915a9c4c1fdd1b10fcb6af
Packers detected: -

Scanner results
Scan taken on 07 Aug 2008 12:54:38 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


File: mkokh
Status: OK
MD5: 926cffd62e6c0b115844b86151e84fb4
Packers detected: -

Scanner results
Scan taken on 07 Aug 2008 12:58:09 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


It's running much better. Thank you so much for your help!!!
