
Solved C:\WINNT\System32\x malware 2009

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2009/02/18.

  1. 2009/03/04 z4u (Thread Starter)
    It seems that whenever the computer restarts it gets infected again. I ran Malwarebytes, nothing found; then I ran the same CFScript with ComboFix, the same file was deleted and also successfully uploaded for analysis. Here is the log file:

    ComboFix 09-03-03.01 - PC8 03/05/2009 10:13:54.16 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.81 [GMT -8:00]
    Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\winnt\system32\olkfzwf.due

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-05 00:15 410,984 ----a-w c:\winnt\system32\deploytk.dll
    2009-03-04 20:51 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
    2009-02-23 23:22 26,624 ----a-w c:\winnt\system32\drivers\fsbts.sys
    2009-02-19 21:55 --------- d-----w c:\program files\Trend Micro
    2009-02-19 01:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-19 01:38 --------- d-----w c:\documents and settings\ZR81\Application Data\Malwarebytes
    2009-02-19 01:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-16 17:18 --------- d-----w c:\program files\XP Codec Pack
    2009-02-11 18:19 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-02-11 18:19 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
    2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
    2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
    1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
    2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [08/19/05 07:34p 3084288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [03/09/06 03:29p 7561216]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]
    "NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [03/09/06 03:29p 86016]
    "egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [06/10/08 06:52p 1447168]
    "Synchronization Manager "= "mobsync.exe" [06/19/03 12:05p 111376 c:\winnt\system32\mobsync.exe]
    "nwiz "= "nwiz.exe" [03/09/06 03:29p 1519616 c:\winnt\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "= 1 (0x1)
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 0 (0x0)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 1 (0x1)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= c:\winnt\system32\i263_32.drv
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm
    "VIDC.HFYU "= huffyuv.dll
    "vidc.ffds "= ffdshow.ax
    "msacm.avis "= ff_acm.acm
    "vidc.i263 "= c:\winnt\system32\i263_32.drv
    "msacm.imc "= c:\winnt\system32\imc32.acm
    "msacm.ac3filter "= ac3filter.acm

    R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
    R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
    R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
    R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
    S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - MBAMSwissArmy
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.microsoft.com
    LSP: %SystemRoot%\system32\msafd.dll
    TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(176)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 03/05/2009 10:17:56
    ComboFix-quarantined-files.txt 2009-03-05 18:17:54

    Pre-Run: 12,384,018,432 bytes free
    Post-Run: 12,377,350,144 bytes free

    162

    After that I restarted the system, and after loading Windows ESET again quarantined files. Here is the log file:
    c:\winnt\system32\olkfzwf.due

    c:\qoobox\quarantine\c:\winnt\system32\olkfzwf.due.vir
     
    z4u,
    #21
  2. 2009/03/04 Juliet
    That's because ComboFix has not been uninstalled yet.

    If you could, please run another Kaspersky scan; that will show us if it is really located in two areas.
     


  4. 2009/03/04 z4u (Thread Starter)
    Now I am having the same problem: I can't browse to the Kaspersky online virus scan, it can't find the server, and I can't browse to any online virus scan at all.
     
    z4u,
    #23
  5. 2009/03/04 Juliet
    Locate ComboFix on the desktop, right-click it and select Delete.

    Now download a newer copy.

    Download Combofix from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2
    Link 3




    Next: please disable all onboard security programs (everything running with background protection), as they may hinder the scanner from working.
    This includes antivirus, firewall, and any spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (*do not use WordPad* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below.
    Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
    [screenshot]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    In your next reply post:
    ComboFix.txt
     
  6. 2009/03/05 z4u (Thread Starter)
    Here is the log file as you requested:
    ComboFix 09-03-04.01 - PC8 03/05/2009 15:29:53.17 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.82 [GMT -8:00]
    Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\winnt\system32\olkfzwf.due

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
    .

    2009-03-05 15:34 . 09-03-05 15:34 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_214.dat
    2009-03-04 16:16 . 09-03-04 16:15 410,984 --a------ c:\winnt\system32\deploytk.dll
    2009-03-04 12:51 . 09-03-04 12:51 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
    2009-02-26 14:12 . 09-03-05 12:41 250 --a------ c:\winnt\gmer.ini
    2009-02-24 15:31 . 09-02-24 15:31 <DIR> d---s---- c:\documents and settings\ZR81\UserData
    2009-02-23 15:22 . 09-02-23 15:22 26,624 --a------ c:\winnt\system32\drivers\fsbts.sys
    2009-02-19 16:10 . 09-02-19 16:10 <DIR> d-------- c:\winnt\McAfee.com
    2009-02-19 13:55 . 09-02-19 13:55 <DIR> d-------- c:\program files\Trend Micro
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\ZR81\Application Data\Malwarebytes
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-18 17:38 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-02-18 17:38 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
    2009-02-16 09:20 . 08-07-09 01:05 421,888 --a------ c:\winnt\system32\ac3filter.acm
    2009-02-16 09:18 . 09-02-16 09:18 <DIR> d-------- c:\program files\XP Codec Pack

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
    2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
    1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
    2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2003-06-19 20:05 170,956 --sh--r c:\winnt\system32\olkfzwf.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 3084288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [06-03-09 15:29 7561216]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]
    "NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [06-03-09 15:29 86016]
    "egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [08-06-10 18:52 1447168]
    "Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
    "nwiz "= "nwiz.exe" [06-03-09 15:29 1519616 c:\winnt\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)
    "DisableChangePassword "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "= 1 (0x1)
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 1 (0x1)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 1 (0x1)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= c:\winnt\system32\i263_32.drv
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm
    "VIDC.HFYU "= huffyuv.dll
    "vidc.ffds "= ffdshow.ax
    "msacm.avis "= ff_acm.acm
    "vidc.i263 "= c:\winnt\system32\i263_32.drv
    "msacm.imc "= c:\winnt\system32\imc32.acm
    "msacm.ac3filter "= ac3filter.acm

    R?2 xzsgomjvv;Task Helper;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
    R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
    R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
    R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
    R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
    S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    xzsgomjvv
    gcnrgk
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.microsoft.com
    LSP: %SystemRoot%\system32\msafd.dll
    TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-05 15:37:07
    Windows 5.0.2195 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gcnrgk]
    "ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
    --

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xzsgomjvv]
    "ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(176)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 2009-03-05 15:39:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-05 23:39:24
    ComboFix2.txt 2009-03-05 18:18:00

    Pre-Run: 12,488,990,720 bytes free
    Post-Run: 12,483,436,544 bytes free

    179
     
    z4u,
    #25
  7. 2009/03/05 Juliet
    Yes, it's very stubborn.


    Next: please disable all onboard security programs (everything running with background protection), as they may hinder the scanner from working.
    This includes antivirus, firewall, and any spyware scanners that run in the background.

    Please open Notepad (*do not use WordPad* or any text editor other than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the CODE box below.
    Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    Collect::
    c:\winnt\system32\olkfzwf.dll
    RegLockDel::
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gcnrgk]
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xzsgomjvv]
    File:: 
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OH8CY2UO\eyglct[1].gif 
    Folder:: 
    C:\WINNT\System32\x
    Driver::
    xzsgomjvv
    gcnrgk
    NetSvc::
    xzsgomjvv
    gcnrgk
    [screenshot]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


    NOTE**
    When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed.
    With the above script, ComboFix will capture a file to submit for analysis; it will prompt you to submit some files for analysis.
    Simply follow the instructions to copy/paste/send the requested file. Please let me know when the file is successfully submitted.


    Please post the log it produces, and if the file submission was completed.
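The log in post 6 shows the persistence the earlier runs kept missing: two services (xzsgomjvv and gcnrgk) added to the netsvcs svchost group, both pointing their ServiceDll at c:\winnt\system32\olkfzwf.dll, a system+hidden file in system32, which is exactly what the CFScript in post 7 targets. The following is an added example, not part of the thread and not ComboFix's or the helper's code: it parses those log shapes from a constructed excerpt of the posted log (trimmed, not verbatim), correlates netsvcs members, ServiceDll values and file attributes, and drafts the Collect::, RegLockDel::, Driver:: and NetSvc:: sections in the form used above. The vowel-ratio check for generated service names is my own heuristic, not a ComboFix rule.

```python
"""Triage a ComboFix-style log for svchost-hosted (netsvcs) service persistence
and draft the matching CFScript. Added example, not code from the thread or
from ComboFix. The vowel-ratio name heuristic is an assumption, not a ComboFix rule."""
import re

# Constructed excerpt modelled on the log posted above (trimmed, not verbatim).
SAMPLE_LOG = r"""
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2003-06-19 20:05 170,956 --sh--r c:\winnt\system32\olkfzwf.dll
R?2 xzsgomjvv;Task Helper;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
xzsgomjvv
gcnrgk
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gcnrgk]
"ServiceDll"= "c:\winnt\system32\olkfzwf.dll"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xzsgomjvv]
"ServiceDll"= "c:\winnt\system32\olkfzwf.dll"
"""

# Find3M line: date time size attrs path  ("--sh--r" = system + hidden + read-only)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) ([-a-z]{7}) (.+)$")
# Service line: start-type name;display;image [date size]  ("R?" = status unknown)
SVC_RE = re.compile(r"^([RS]\??\d) ([^;]+);([^;]*);(.+?)(?: \[[^\]]*\])?$")
KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+))\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll\s*"\s*=\s*"([^"]+?)\s*"$', re.I)  # tolerates stray spaces


def parse_log(text):
    """Pull the four log shapes we need into plain dicts/lists (names lower-cased)."""
    files, services, netsvcs, svc_key, svc_dll = {}, [], [], {}, {}
    in_netsvcs, current = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_netsvcs:                      # netsvcs members are listed until a lone "."
            if line == ".":
                in_netsvcs = False
            else:
                netsvcs.append(line.lower())
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if (m := KEY_RE.match(line)):       # [HKLM\System\ControlSetNNN\Services\<name>]
            current = m.group(2).lower()
            svc_key[current] = m.group(1)
            continue
        if current and (m := DLL_RE.match(line)):
            svc_dll[current] = m.group(1).lower()
            current = None
            continue
        if (m := FILE_RE.match(line)):
            files[m.group(5).lower()] = m.group(4)
        elif (m := SVC_RE.match(line)):
            services.append({"start": m.group(1), "name": m.group(2).lower(),
                             "image": m.group(4).lower()})
    return {"files": files, "services": services, "netsvcs": netsvcs,
            "svc_key": svc_key, "svc_dll": svc_dll}


VOWELS = set("aeiouy")


def looks_random(name):
    """Assumption: a 6+ letter service name with under 25% vowels is likely generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.25


def triage(text):
    """Return {service: {"dll", "key", "reasons"}} for netsvcs entries worth removing."""
    log = parse_log(text)
    # A service that names svchost -k netsvcs as its own image, rather than being a
    # stock member of the group, is the pattern seen as "R?2 xzsgomjvv" in the log.
    hosted = {s["name"] for s in log["services"]
              if "svchost.exe" in s["image"] and "-k netsvcs" in s["image"]}
    suspects = {}
    for name in sorted(set(log["netsvcs"]) | hosted):
        dll = log["svc_dll"].get(name)
        reasons = []
        if name in hosted:
            reasons.append("own svchost -k netsvcs service entry")
        if looks_random(name):
            reasons.append("random-looking service name")
        attrs = log["files"].get(dll, "") if dll else ""
        if "s" in attrs and "h" in attrs:
            reasons.append(f"ServiceDll {dll} is system+hidden ({attrs})")
        if reasons:
            suspects[name] = {"dll": dll, "key": log["svc_key"].get(name), "reasons": reasons}
    return suspects


def build_cfscript(suspects):
    """Draft the CFScript sections used in the thread: Collect:: the DLL for
    analysis, RegLockDel:: the service keys, Driver::/NetSvc:: the names."""
    names = sorted(suspects)
    dlls = sorted({s["dll"] for s in suspects.values() if s["dll"]})
    keys = [f"[{suspects[n]['key']}]" for n in names if suspects[n]["key"]]
    lines = ["Collect::", *dlls, "RegLockDel::", *keys,
             "Driver::", *names, "NetSvc::", *names]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, info in found.items():
        print(name, "->", info["dll"], "|", "; ".join(info["reasons"]))
    print(build_cfscript(found))
```

Running it against the excerpt flags both names and emits a script equivalent to the one in post 7 (minus the File:: and Folder:: lines, which came from evidence outside this log). The design point is the correlation: neither a random-looking service name nor a hidden DLL is decisive on its own, but a netsvcs member whose ServiceDll is a system+hidden file in system32 is, and that is what survived the earlier file-only deletions.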
     
  8. 2009/03/05 z4u (Thread Starter)
    Okay, here is the log file:

    ComboFix 09-03-04.01 - PC8 03/06/2009 1:19:14.18 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.61 [GMT -8:00]
    Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    c:\documents and settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OH8CY2UO\eyglct[1].gif
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_GCNRGK
    -------\Legacy_XZSGOMJVV
    -------\Service_gcnrgk


    ((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
    .

    2009-03-06 01:23 . 09-03-06 01:23 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_214.dat
    2009-03-04 16:16 . 09-03-04 16:15 410,984 --a------ c:\winnt\system32\deploytk.dll
    2009-03-04 12:51 . 09-03-04 12:51 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
    2009-02-26 14:12 . 09-03-05 12:41 250 --a------ c:\winnt\gmer.ini
    2009-02-24 15:31 . 09-02-24 15:31 <DIR> d---s---- c:\documents and settings\ZR81\UserData
    2009-02-23 15:22 . 09-02-23 15:22 26,624 --a------ c:\winnt\system32\drivers\fsbts.sys
    2009-02-19 16:10 . 09-02-19 16:10 <DIR> d-------- c:\winnt\McAfee.com
    2009-02-19 13:55 . 09-02-19 13:55 <DIR> d-------- c:\program files\Trend Micro
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\ZR81\Application Data\Malwarebytes
    2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-18 17:38 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-02-18 17:38 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
    2009-02-16 09:20 . 08-07-09 01:05 421,888 --a------ c:\winnt\system32\ac3filter.acm
    2009-02-16 09:18 . 09-02-16 09:18 <DIR> d-------- c:\program files\XP Codec Pack

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
    2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
    1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
    2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 3084288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [06-03-09 15:29 7561216]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]
    "NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [06-03-09 15:29 86016]
    "egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [08-06-10 18:52 1447168]
    "Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
    "nwiz "= "nwiz.exe" [06-03-09 15:29 1519616 c:\winnt\system32\nwiz.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)
    "DisableChangePassword "= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "= 1 (0x1)
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "= 0 (0x0)
    "NoConfigPage "= 0 (0x0)
    "NoFileSysPage "= 0 (0x0)
    "NoDevMgrPage "= 0 (0x0)
    "NoVirtMemPage "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 1 (0x1)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 1 (0x1)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsNetHood "= 0 (0x0)
    "NoViewOnDrive "= 0 (0x0)
    "DisableLocalMachineRun "= 0 (0x0)
    "DisableLocalMachineRunOnce "= 0 (0x0)
    "DisableCurrentUserRun "= 0 (0x0)
    "DisableCurrentUserRunOnce "= 0 (0x0)
    "NoStartMenuSubFolders "= 0 (0x0)
    "NoCommonGroups "= 0 (0x0)
    "NoFavoritesMenu "= 1 (0x1)
    "NoSMMyPictures "= 0 (0x0)
    "NoStartMenuMyMusic "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420 "= c:\winnt\system32\i263_32.drv
    "vidc.DIV3 "= DivXc32.dll
    "vidc.DIV4 "= DivXc32f.dll
    "msacm.divxa32 "= DivXa32.acm
    "VIDC.HFYU "= huffyuv.dll
    "vidc.ffds "= ffdshow.ax
    "msacm.avis "= ff_acm.acm
    "vidc.i263 "= c:\winnt\system32\i263_32.drv
    "msacm.imc "= c:\winnt\system32\imc32.acm
    "msacm.ac3filter "= ac3filter.acm

    R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
    R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
    R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
    R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
    R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
    S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.microsoft.com
    LSP: %SystemRoot%\system32\msafd.dll
    TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
    DPF: DirectAnimation Java Classes
    DPF: Microsoft XML Parser for Java
    FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-06 01:25:02
    Windows 5.0.2195 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(176)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL
    .
    Completion time: 2009-03-06 1:29:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-06 09:27:56
    ComboFix3.txt 2009-03-05 18:18:00
    ComboFix2.txt 2009-03-05 23:39:30

    Pre-Run: 12,373,245,952 bytes free
    Post-Run: 12,442,861,568 bytes free

    174
     
    z4u,
    #27
  9. 2009/03/05
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    How's the computer now?



    Download Gmer's mbr.exe to your desktop
    click the downloaded file to run the scan (a window will open briefly, then close). The scan will create a mbr.log on your desktop - please copy/paste those contents in your next reply.
     
  10. 2009/03/05
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Here is the log:
    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
    z4u,
    #29
  11. 2009/03/06
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good, that came back clean

    How's the computer now?
     
  12. 2009/03/06
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    The system works okay, but ESET antivirus detects this virus, c:\winnt\system32\olkfzwf.due, and quarantines it.
     
    z4u,
    #31
  13. 2009/03/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Does it mention found in:
    C:\Qoobox or System restore?


    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
      Code:
      Comment:
      Begin copying here
      Files to delete:
      c:\winnt\system32\olkfzwf.due
    • In the avenger window, click the Paste Script from Clipboard, button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply, along with a new HJT log.
     
  14. 2009/03/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
  15. 2009/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Here is the Avenger log:
    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows 2000

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "c:\winnt\system32\olkfzwf.due" not found!
    Deletion of file "c:\winnt\system32\olkfzwf.due" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    It seems the virus is very stubborn: after restarting the PC, ESET again quarantines the same virus file. I am posting an image of the quarantined files as shown by ESET; here it is:
    ESET IMAGE
     
    z4u,
    #34
  16. 2009/03/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Also, it's kind of odd it comes back in IE5
    Go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files ".
    Put a check by "Delete Offline Content" and click OK. Click on the "Delete Cookies" button to clear all cookies.
     
  17. 2009/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Okay, I already deleted all temporary files and cookies, and in addition I installed the MS Windows patches and then ran the F-Secure removal tool.
     
    z4u,
    #36
  18. 2009/03/07
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Running out of options here....

    Malicious Software Removal Tool
    http://www.microsoft.com/security/malwareremove/default.mspx


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    • http://www.pchell.com/support/safemode.shtml
    Scan with DrWeb-CureIt as follows:

    * Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
    * Under "Start the Express Scan Now ", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

    * Once the short scan has finished, Click Options > Change settings
    * Choose the "Scan tab" and UNcheck "Heuristic analysis "

    * Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
    * Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

    * When done, a message will be displayed at the bottom advising if any viruses were found.
    * Click "Yes to all" if it asks if you want to cure/move the file.

    * When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable ".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

    * Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
    * Save the DrWeb.csv report to your desktop.
    * Exit Dr.Web Cureit when done.

    * Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    * After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
    In your next reply post:
    DrWeb.csv report
    New HJT log
     
  19. 2009/03/07
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Dr.Web report:

    PSEXESVC.EXE;C:\WINNT;Program.PsExec.170;Incurable.Moved.;
    ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\ZR81\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
    data002;C:\Documents and Settings\ZR81\Desktop;Archive contains infected objects;;
    ComboFix.exe;C:\Documents and Settings\ZR81\Desktop;Container contains infected objects;Moved.;
    mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
    ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\NVIDIA\Win2KXP\ComboFix.exe/data002;Program.PsExec.171;;
    data002;C:\NVIDIA\Win2KXP;Archive contains infected objects;;
    ComboFix.exe;C:\NVIDIA\Win2KXP;Container contains infected objects;Moved.;
    ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;D:\repair\ComboFix.exe/data002;Program.PsExec.171;;
    data002;D:\repair;Archive contains infected objects;;
    ComboFix.exe;D:\repair;Container contains infected objects;Moved.;

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:31:49 PM, on 3/8/2009
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\cafeagent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    --
    End of file - 3176 bytes

    And look at the Dr.Web quarantine folder; the following files are there:
    ComboFi0.exe
    ComboFi1.exe
    ComboFix.exe
    descript.ion (no icon)
    mirc.exe
    PSEXESVC.EXE
     
    z4u,
    #38
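The Dr.Web report above is a semicolon-separated list with one object per line (object name; directory; verdict; action), and the same detection can show up several times because Dr.Web also reports the archive and container that hold it. The following script is an added example, not part of this thread and not a Dr.Web tool: it parses lines in that layout and sorts them into roll-up lines, components of a known removal tool (ComboFix bundles PsExec, which Dr.Web flags), riskware (detections named "Program.*", which is assumed here to mean a legitimate-but-risky program rather than malware), and everything else that needs follow-up. The sample input is constructed from the lines in the post; the last line, with a placeholder verdict name, is a hypothetical real detection added to show the fourth bucket.

```python
"""Triage a Dr.Web CureIt style report (added example; layout inferred
from the report lines in this thread, not from Dr.Web documentation)."""

# Constructed sample: the first five lines mirror the posted report, the
# last line is hypothetical (placeholder verdict) to exercise the malware bucket.
SAMPLE_REPORT = (
    "PSEXESVC.EXE;C:\\WINNT;Program.PsExec.170;Incurable.Moved.;\n"
    "ComboFix.exe/data002\\32788R22FWJFW\\psexec.cfexe;"
    "C:\\Documents and Settings\\ZR81\\Desktop\\ComboFix.exe/data002;Program.PsExec.171;;\n"
    "data002;C:\\Documents and Settings\\ZR81\\Desktop;Archive contains infected objects;;\n"
    "ComboFix.exe;C:\\Documents and Settings\\ZR81\\Desktop;Container contains infected objects;Moved.;\n"
    "mirc.exe;C:\\Program Files\\mIRC;Program.mIRC.616;Incurable.Moved.;\n"
    "olkfzwf.due;C:\\WINNT\\system32;Trojan.PLACEHOLDER;Deleted.;\n"
)

# Verdicts that describe an archive/container, not a detection of their own.
ROLLUP_VERDICTS = (
    "Archive contains infected objects",
    "Container contains infected objects",
)

# Removal tools whose embedded components are expected to trigger detections.
KNOWN_TOOL_CONTAINERS = ("combofix.exe",)


def parse_report(text):
    """Split report lines into dicts; every line ends with ';' so the
    trailing empty field is dropped by taking only the first four."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        name, directory, verdict, action = (parts + ["", "", "", ""])[:4]
        rows.append({"name": name, "dir": directory,
                     "verdict": verdict, "action": action})
    return rows


def triage(rows):
    """Bucket parsed rows so only the last bucket needs manual follow-up."""
    buckets = {"rollup": [], "tool_component": [], "riskware": [], "followup": []}
    for r in rows:
        full = r["dir"] + "\\" + r["name"]
        location = (r["dir"] + "\\" + r["name"]).lower()
        if r["verdict"] in ROLLUP_VERDICTS:
            buckets["rollup"].append(full)
        elif any(tool in location for tool in KNOWN_TOOL_CONTAINERS):
            buckets["tool_component"].append(full)
        elif r["verdict"].startswith("Program."):
            # Assumption: "Program.*" is Dr.Web's riskware/unwanted-program class.
            buckets["riskware"].append(full)
        else:
            buckets["followup"].append(full)
    return buckets


def triage_sample():
    return triage(parse_report(SAMPLE_REPORT))


if __name__ == "__main__":
    for bucket, items in triage_sample().items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the posted report this leaves nothing in the follow-up bucket, which matches the reply that everything found was ComboFix related (PsExec and mIRC are flagged as unwanted programs, not as infections). A file that is recreated after every reboot, as described in this thread, is not explained by such a report; the place to look is the autostart and service listings in the ComboFix and HijackThis logs, since whatever writes the file must itself be started somewhere.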
  20. 2009/03/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Appears all it found were ComboFix related.

    What's the computer doing now?
     
  21. 2009/03/09
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Testing the system now; again the same virus files are back, and they are detected by ESET :(:(:(
     
    z4u,
    #40