Solved C:\WINNT\System32\x malware 2009

z4u · 2009/02/18

[Resolved] C:\WINNT\System32\x malware 2009

hi my clients system are infected with below type of virus and eset no32 antivirus keep qurantaine all the time ..
C:\WINNT\System32\x
it's very hard to remove i have tried many things to delete it but again it comes after few mints or after few hours
here i have put my eset log file and hijack log too please need expert look tq

2/19/2009 12:42:04 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:41:53 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:37:46 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:37:36 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:31:45 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:31:35 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:54:13 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:54:02 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe.
2/19/2009 11:52:13 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:52:02 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:45:45 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:08:15 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:05:56 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 11:00:05 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
2/19/2009 10:59:19 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q359VMDZ\xjvsbeko[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 10:59:18 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 10:59:17 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81IFOX2F\xjvsbeko[1].jpg a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 10:59:16 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 10:59:15 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q359VMDZ\xjvsbeko[1].gif a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 3:13:50 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 3:10:03 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 3:06:04 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 2:30:16 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 2:26:29 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 2:23:17 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 1:46:51 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 1:43:13 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 1:40:27 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 1:35:40 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:40 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\scop[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:39 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:39 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q359VMDZ\scop[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:38 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:38 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\scop[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:37 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:37 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q359VMDZ\scop[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:36 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:36 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\scop[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:35 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:35 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q359VMDZ\scop[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:34 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:35:34 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\scop[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 1:03:26 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:57:35 AM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/19/2009 12:57:06 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:56 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\M06WCV25\xjlb[1].gif a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:56 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:45 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\xjlb[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:44 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:34 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\M06WCV25\xjlb[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:33 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:23 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\xjlb[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:22 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:12 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\M06WCV25\xjlb[1].jpg a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:12 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:01 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41D66ADK\xjlb[1].gif a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:56:01 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/19/2009 12:55:57 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\M06WCV25\xjlb[1].png a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/18/2009 11:11:52 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:51:30 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:51:30 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:31:59 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe.
2/18/2009 10:31:59 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:26:36 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:26:36 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 10:06:50 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 9:42:30 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\cafeagent.exe.
2/18/2009 9:41:02 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\internet explorer\iexplore.exe.
2/18/2009 9:29:40 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
2/18/2009 9:29:40 PM Real-time file system protection file C:\WINNT\System32\olkfzwf.due a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\Program Files\Mozilla Firefox\firefox.exe.
2/18/2009 9:18:35 PM Real-time file system protection file C:\WINNT\system32\olkfzwf.dll a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\services.exe.
2/18/2009 9:18:34 PM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.
2/18/2009 9:18:34 PM Real-time file system protection file C:\WINNT\system32\olkfzwf.dll a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINNT\system32\services.exe.
2/18/2009 9:18:32 PM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\81IFOX2F\gcisrt[1].bmp a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.

[FONT= "Arial Black"]hijack log[/FONT]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:06 PM, on 2/19/2009
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cafeagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\RunServices: [Canon NetSpot Suite Service] ;©w
O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Policies\Explorer\Run: [iv] "C:\Documents and Settings\ZR81\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe "
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm493YYMY
O15 - Trusted Zone: http://www.friendster.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ZR81/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 3183 bytes

Admin. · 2009/02/19

Hi,

Read this post as indicated at the top of this forum & follow the instructions.

z4u · 2009/02/19

okey i here is my DDS log report and as i m using this windows 2000 machine and same this kind of virus also have been infected my windows xp machine..
hopefully by cleaning this system i will ask help for other windows xp machine..

DDS (Ver_09-02-01.01) - FAT32x86
Run by PC8 at 20:16:22.64 on Thu 02/19/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.5 [GMT -8:00]

============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ZR81\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.my/
mStart Page = hxxp://www.microsoft.com
uWinlogon: shell=Explorer.exe, c:\program files\microsoft office\WINWORD.EXE
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\ypager.exe" -quiet
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [CafeAgent] c:\winnt\system32\cafeagent.exe /normal
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRunServices: [Canon NetSpot Suite Service] ;©w
mRunServices: [CafeAgent] c:\winnt\system32\cafeagent.exe /normal
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
uExplorerRun: [iv] "c:\documents and settings\zr81\local settings\application data\microsoft\internet explorer\iv.exe "
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
uPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
uPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
uPolicies-explorer: NoCommonGroups = 0 (0x0)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 0 (0x0)
uPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
uPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
uPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
uPolicies-system: NoSecCPL = 0 (0x0)
uPolicies-system: NoConfigPage = 0 (0x0)
uPolicies-system: NoFileSysPage = 0 (0x0)
uPolicies-system: NoDevMgrPage = 0 (0x0)
uPolicies-system: NoVirtMemPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
mPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
mPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
mPolicies-explorer: NoCommonGroups = 0 (0x0)
mPolicies-explorer: NoFavoritesMenu = 1 (0x1)
mPolicies-explorer: NoSMMyPictures = 0 (0x0)
mPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
mPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
mPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
mPolicies-system: NoSecCPL = 0 (0x0)
mPolicies-system: NoConfigPage = 0 (0x0)
mPolicies-system: NoFileSysPage = 0 (0x0)
mPolicies-system: NoDevMgrPage = 0 (0x0)
mPolicies-system: NoVirtMemPage = 0 (0x0)
mPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
dPolicies-explorer: NoRecentDocsNetHood = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
dPolicies-explorer: DisableLocalMachineRunOnce = 0 (0x0)
dPolicies-explorer: DisableCurrentUserRun = 0 (0x0)
dPolicies-explorer: DisableCurrentUserRunOnce = 0 (0x0)
dPolicies-explorer: NoStartMenuSubFolders = 0 (0x0)
dPolicies-explorer: NoCommonGroups = 0 (0x0)
dPolicies-explorer: NoFavoritesMenu = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 0 (0x0)
dPolicies-explorer: NoStartMenuMyMusic = 0 (0x0)
dPolicies-explorer: NoActiveDesktop = 1 (0x1)
dPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-system: NoSecCPL = 0 (0x0)
dPolicies-system: NoConfigPage = 0 (0x0)
dPolicies-system: NoFileSysPage = 0 (0x0)
dPolicies-system: NoDevMgrPage = 0 (0x0)
dPolicies-system: NoVirtMemPage = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm493YYMY
Trusted Zone: friendster.com.\www
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5529/mcfscan.cab
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\zr81\applic~1\mozilla\firefox\profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=

============= SERVICES / DRIVERS ===============

R?2 exyvjdkh;Manager Installer;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R?2 ndzrck;Server Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R?2 qomjlbuhp;Config Update;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R?2 tzjynjd;Monitor Server;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R?2 xpngsg;Center Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-1-1 7952]
R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-6 39456]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-6-10 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-6-2 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-1-1 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-3-5 267136]
S1 vdmzmzi2;AVZ-BC Kernel Driver;\??\c:\winnt\system32\drivers\vdmzmzi2.sys --> c:\winnt\system32\drivers\vdmzmzi2.sys [?]
S2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-7-1 524800]

=============== Created Last 30 ================

2009-02-19 20:16 16,384 a------- c:\winnt\system32\Perflib_Perfdata_258.dat
2009-02-19 19:52 84,515 a------- c:\winnt\system32\x
2009-02-19 16:10 <DIR> --d----- c:\winnt\McAfee.com
2009-02-19 13:55 <DIR> --d----- c:\program files\Trend Micro
2009-02-18 17:38 <DIR> --d----- c:\docume~1\zr81\applic~1\Malwarebytes
2009-02-18 17:38 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-02-18 17:38 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-18 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-18 17:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 15:16 16,384 a------- c:\winnt\system32\Perflib_Perfdata_25c.dat
2009-02-16 09:20 421,888 a------- c:\winnt\system32\ac3filter.acm
2009-02-16 09:18 <DIR> --d----- c:\program files\XP Codec Pack

==================== Find3M ====================

2008-08-06 21:53 37,088 a------- c:\docume~1\zr81\applic~1\GDIPFONTCACHEV1.DAT
2008-01-30 13:06 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-11-17 23:09 21,952 ----h--- c:\program files\folder.htt
2006-11-17 23:09 271 ----h--- c:\program files\desktop.ini
1999-12-07 04:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 20:16:42.82 ===============

z4u · 2009/02/20

any one is here waiting for your responses ...

Admin: patience...

z4u · 2009/02/22

still in patience...

and my windows xp system also infected with this type of virus waiting for ur responses to further clean another infected machine tq

Juliet · 2009/02/23

Hi and welcome

Download Combofix from any of the links below.
Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------
Please Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
(Click on this link to see a list of programs that should be disabled.)
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on Combo-Fix.exe & follow the prompts.

** Please Note:
At times ComboFix may appear to stall, please be patient.

When finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Please only run the tool once, ty.

You may need several replies to post the requested logs, otherwise they might get cut off.

z4u · 2009/02/24

okey here is combofix log and then hijackthis log

ComboFix 09-02-21.01 - PC8 02/24/2009 14:17:41.11 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.45 [GMT -8:00]
Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-23 23:22 26,624 ----a-w c:\winnt\system32\drivers\fsbts.sys
2009-02-19 21:55 --------- d-----w c:\program files\Trend Micro
2009-02-19 01:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-19 01:38 --------- d-----w c:\documents and settings\ZR81\Application Data\Malwarebytes
2009-02-19 01:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 17:18 --------- d-----w c:\program files\XP Codec Pack
2009-02-11 18:19 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
2008-12-26 18:03 --------- d-----w c:\program files\RealArcade
2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
.

((((((((((((((((((((((((((((( SnapShot@Mon 02-23-2009_18.31.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-24 22:16:52 16,384 ----a-w c:\winnt\system32\Perflib_Perfdata_268.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 524,800 2005-03-22 09:39:04 c:\winnt\system32\bak\CafeAgent.exe
----a-w 524,800 2005-03-22 09:39:04 c:\winnt\system32\CafeAgent.exe

----a-w 33,237 2005-02-06 19:07:12 c:\winnt\system32\bak\CafeAgent.tra
----a-w 33,237 2005-02-07 05:07:10 c:\winnt\system32\CafeAgent.tra

----a-w 7,598 2007-03-07 04:02:14 c:\winnt\system32\bak\CafeAgent.ini
----a-w 7,598 2006-10-18 08:06:42 c:\winnt\system32\CafeAgent.ini

----a-w 4,662,776 2006-12-01 05:49:04 c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [08/19/05 07:34p 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [03/09/06 03:29p 7561216]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]
"NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [03/09/06 03:29p 86016]
"egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [06/10/08 06:52p 1447168]
"Synchronization Manager "= "mobsync.exe" [06/19/03 12:05p 111376 c:\winnt\system32\mobsync.exe]
"nwiz "= "nwiz.exe" [03/09/06 03:29p 1519616 c:\winnt\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420 "= c:\winnt\system32\i263_32.drv
"vidc.DIV3 "= DivXc32.dll
"vidc.DIV4 "= DivXc32f.dll
"msacm.divxa32 "= DivXa32.acm
"VIDC.HFYU "= huffyuv.dll
"vidc.ffds "= ffdshow.ax
"msacm.avis "= ff_acm.acm
"vidc.i263 "= c:\winnt\system32\i263_32.drv
"msacm.imc "= c:\winnt\system32\imc32.acm
"msacm.ac3filter "= ac3filter.acm

R?2 ajfbqrkq;Support Center;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 ddifolrkt;Config Network;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 exyvjdkh;Manager Installer;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 ndzrck;Server Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 qomjlbuhp;Config Update;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 teoraml;Server Config;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 tzjynjd;Monitor Server;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 xpngsg;Center Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
S1 vdmzmzi2;AVZ-BC Kernel Driver;\??\c:\winnt\system32\Drivers\vdmzmzi2.sys --> c:\winnt\system32\Drivers\vdmzmzi2.sys [?]
S2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ndzrck
qomjlbuhp
tzjynjd
exyvjdkh
xpngsg
ajfbqrkq
teoraml
ddifolrkt
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.microsoft.com
LSP: %SystemRoot%\system32\msafd.dll
Trusted Zone: friendster.com.\www
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.
.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 14:19:55
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

\WINNT\Explorer.EXE [908] 0x8123CBC0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ajfbqrkq]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddifolrkt]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exyvjdkh]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndzrck]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qomjlbuhp]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\teoraml]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzjynjd]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xpngsg]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk "=hex(0):3c,c8,96,a1,8d,bf,3b,4a,18,6a,1a,83,29,af,51,a0,05,17,a5,a5,05,
19,16,4c,1d,a6,58,51,8c,4b,40,22,cc,4d,d6,2a,c2,8d,60,bf,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cfb4828e-8aa0-4e17-b6c5-834dc5e1f3f4}]
@Denied: (Full) (Everyone)
"Model "=dword:0000003b
"Therad "=dword:00000024
"MData "=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,46,8f,3c,f2,5c,68,ee,21,8b,5f,d4,38,b0,56,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 02/24/2009 14:22:27
ComboFix-quarantined-files.txt 2009-02-24 22:22:24
ComboFix2.txt 2009-02-24 02:34:28

Pre-Run: 12,682,305,536 bytes free
Post-Run: 12,714,803,200 bytes free

230

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:24:52 PM, on 2/24/2009
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O15 - Trusted Zone: http://www.friendster.com.
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ZR81/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 2720 bytes

Juliet · 2009/02/24

Welcome back

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

C:\qoobox\ComboFix-quarantined-files.txt
Try to locate the above file and post it in your next reply.

Please locate the ComboFix icon on your desktop
Right click and select delete.....I want you to have an updated version.

Download Combofix from any of the links below.

Save it to your desktop.

Link 1
Link 2
Link 3

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ZR81/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt " including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Code:
AWF::
c:\winnt\system32\bak\CafeAgent.exe
c:\program files\Yahoo!\Messenger\bak\YahooMessenger.exe

Folders::
c:\winnt\system32\bak
c:\program files\Yahoo!\Messenger\bak

Rootkit::
c:\winnt\system32\olkfzwf.dll

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{cfb4828e-8aa0-4e17-b6c5-834dc5e1f3f4}]

Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

NetSvc::
ndzrck
qomjlbuhp
tzjynjd
exyvjdkh
xpngsg
ajfbqrkq
teoraml
ddifolrkt
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition
files.

After the files have been downloaded on the left side of the page in the Scan section select My Computer.

This will start the program and scan your system.

The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report To obtain the report:

Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
C:\qoobox\ComboFix-quarantined-files.txt
ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run

You may need several replies to post the requested logs, otherwise they might get cut off.

z4u · 2009/02/24

okey i follow your instruction and below are log files sorry i can't run kasperskyonline virus scan it's show can' found page and even i tried other i tried other online virus scan but same problem happen but i can browser other website

C:\qoobox\ComboFix-quarantined-files.txt

2009-02-23 18:27:24 A------- 116 C:\Qoobox\Quarantine\catchme.log
2009-02-23 18:30:21 A------- 4,850 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

ComboFix 09-02-24.02 - PC8 02/25/2009 0:41:26.12 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.49 [GMT -8:00]
Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 15:31 . 09-02-24 15:31 <DIR> d---s---- c:\documents and settings\ZR81\UserData
2009-02-23 15:22 . 09-02-23 15:22 26,624 --a------ c:\winnt\system32\drivers\fsbts.sys
2009-02-19 16:10 . 09-02-19 16:10 <DIR> d-------- c:\winnt\McAfee.com
2009-02-19 13:55 . 09-02-19 13:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\ZR81\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-18 17:38 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-02-16 09:20 . 08-07-09 01:05 421,888 --a------ c:\winnt\system32\ac3filter.acm
2009-02-16 09:18 . 09-02-16 09:18 <DIR> d-------- c:\program files\XP Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 18:03 --------- d-----w c:\program files\RealArcade
2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2003-06-19 20:05 170,956 --sh--r c:\winnt\system32\olkfzwf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [06-03-09 15:29 7561216]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]
"NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [06-03-09 15:29 86016]
"egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [08-06-10 18:52 1447168]
"Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"nwiz "= "nwiz.exe" [06-03-09 15:29 1519616 c:\winnt\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)
"DisableChangePassword "= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420 "= c:\winnt\system32\i263_32.drv
"vidc.DIV3 "= DivXc32.dll
"vidc.DIV4 "= DivXc32f.dll
"msacm.divxa32 "= DivXa32.acm
"VIDC.HFYU "= huffyuv.dll
"vidc.ffds "= ffdshow.ax
"msacm.avis "= ff_acm.acm
"vidc.i263 "= c:\winnt\system32\i263_32.drv
"msacm.imc "= c:\winnt\system32\imc32.acm
"msacm.ac3filter "= ac3filter.acm

R?2 ajfbqrkq;Support Center;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 ddifolrkt;Config Network;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 epzmliwut;Security Helper;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 exyvjdkh;Manager Installer;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 ndzrck;Server Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 qomjlbuhp;Config Update;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 teoraml;Server Config;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 tzjynjd;Monitor Server;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 xpngsg;Center Boot;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
S1 vdmzmzi2;AVZ-BC Kernel Driver;\??\c:\winnt\system32\Drivers\vdmzmzi2.sys --> c:\winnt\system32\Drivers\vdmzmzi2.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EPZMLIWUT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
epzmliwut
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.microsoft.com
LSP: %SystemRoot%\system32\msafd.dll
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 08:32:18
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ajfbqrkq]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddifolrkt]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epzmliwut]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exyvjdkh]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndzrck]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qomjlbuhp]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\teoraml]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzjynjd]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xpngsg]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-02-25 8:34:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-25 16:34:18
ComboFix3.txt 2009-02-24 02:34:28
ComboFix2.txt 2009-02-24 22:22:30

Pre-Run: 12,626,993,152 bytes free
Post-Run: 12,712,730,624 bytes free

204

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:07 AM, on 2/25/2009
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cafeagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 2593 bytes

and problem acessing online virus scan so therefore no log file

Juliet · 2009/02/24

Download GMER Rootkit Scanner from here.

Extract the contents of the zipped file to desktop.

Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .

If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...

Sections

IAT/EAT

Drives/Partition other than Systemdrive (typically C:\)

Show All (don't miss this one)

Then click the Scan button & wait for it to finish.

Once done click on the [Save..] button, and in the File name area, type in ark.txt

Save it where you can easily find it, such as your desktop then post the contents here.

**Caution**
Rootkit scans often produce false positives. Do NOT take action on any <---- ROOKIT entries

z4u · 2009/02/26

thanx juliet if you can settle my problem today or tmrw because from friday to monday i will on the leave..
when i run the gmer.exe i recieve follownig error
c:\winnt\system32\config\system: the proces cannot acesss the file because it is being used by another process.
then press okey so i click on it.
then i do uncheck option u mentioned to me.
sections
IAt/EATS
files except c drive.
show all
when i run the scan i receive same above error that files in used..
after finish scan here is log file
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-26 14:23:42
Windows 5.0.2195

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
AttachedDevice \FileSystem\Fastfat \Fat AFPAnsi.sys (Windows NT File System Protector Network Edition/Alfa Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.14 ----

Juliet · 2009/02/26

Welcome back

Locate the ComboFix icon on desktop >>Right click and select delete.

We'll get a fresh copy.

Download Combofix from any of the links below.

Save it to your desktop.

Link 1
Link 2
Link 3

NEXT**
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt " including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Code:
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ajfbqrkq]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ddifolrkt]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epzmliwut]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exyvjdkh]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndzrck]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qomjlbuhp]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\teoraml]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\tzjynjd]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xpngsg]

Rootkit::
c:\winnt\system32\olkfzwf.dll

Driver::
ajfbqrkq
ddifolrkt
epzmliwut
exyvjdkh
ndzrck
qomjlbuhp
teoraml
tzjynjd
xpngsg
Registry::

NetSvc::
epzmliwut
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine

NEXT**
A couple of things we can try to get GMER to run.

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.
Code:
@echo off
Copy /y gmer.exe ark.exe
Start ark.exe
Save it into the gmer folder as File name: ark.cmd
Save as type: All Files
Once done, double click ark.cmd to run it.
This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.
~~~~~~~~~~~~~~
If the above does not work

Download SGmer.com and place it next to Gmer.exe
http://techsupportforum.com/sectools/sUBs/sGmer.com

Double SGmer.com clicking it shall help start Gmer.

In your next reply post:
ComboFix.txt
and I hope a Gmer log

How's the machine now?

z4u · 2009/03/03

okey juliet sorry i was on leaves for fews days and i am back and i think the virus still infected the machine because i just check qurantaine files in eset32 antivirus same virus files detected okey
okey here is combofix log by running with script

ComboFix 09-03-02.03 - PC8 03/03/2009 23:42:33.13 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.84 [GMT -8:00]
Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AJFBQRKQ
-------\Legacy_DDIFOLRKT
-------\Legacy_EPZMLIWUT
-------\Legacy_EXYVJDKH
-------\Legacy_NDZRCK
-------\Legacy_QOMJLBUHP
-------\Legacy_TEORAML
-------\Legacy_TZJYNJD
-------\Legacy_XPNGSG

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-02-26 14:12 . 09-02-26 14:32 250 --a------ c:\winnt\gmer.ini
2009-02-24 15:31 . 09-02-24 15:31 <DIR> d---s---- c:\documents and settings\ZR81\UserData
2009-02-23 15:22 . 09-02-23 15:22 26,624 --a------ c:\winnt\system32\drivers\fsbts.sys
2009-02-19 16:10 . 09-02-19 16:10 <DIR> d-------- c:\winnt\McAfee.com
2009-02-19 13:55 . 09-02-19 13:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\ZR81\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-18 17:38 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-02-16 09:20 . 08-07-09 01:05 421,888 --a------ c:\winnt\system32\ac3filter.acm
2009-02-16 09:18 . 09-02-16 09:18 <DIR> d-------- c:\program files\XP Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2003-06-19 20:05 170,956 --sh--r c:\winnt\system32\olkfzwf.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [06-03-09 15:29 7561216]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]
"NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [06-03-09 15:29 86016]
"egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [08-06-10 18:52 1447168]
"Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"nwiz "= "nwiz.exe" [06-03-09 15:29 1519616 c:\winnt\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)
"DisableChangePassword "= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420 "= c:\winnt\system32\i263_32.drv
"vidc.DIV3 "= DivXc32.dll
"vidc.DIV4 "= DivXc32f.dll
"msacm.divxa32 "= DivXa32.acm
"VIDC.HFYU "= huffyuv.dll
"vidc.ffds "= ffdshow.ax
"msacm.avis "= ff_acm.acm
"vidc.i263 "= c:\winnt\system32\i263_32.drv
"msacm.imc "= c:\winnt\system32\imc32.acm
"msacm.ac3filter "= ac3filter.acm

R?2 gmzdzg;Update Server;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 iujszryli;Network Helper;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 jmdvopq;Windows Task;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R?2 nzercqy;Installer Helper;c:\winnt\system32\svchost.exe -k netsvcs [1980-01-01 7952]
R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
S1 vdmzmzi2;AVZ-BC Kernel Driver;\??\c:\winnt\system32\Drivers\vdmzmzi2.sys --> c:\winnt\system32\Drivers\vdmzmzi2.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GMZDZG

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jmdvopq
nzercqy
iujszryli
gmzdzg
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.microsoft.com
LSP: %SystemRoot%\system32\msafd.dll
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-03 23:48:23
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gmzdzg]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iujszryli]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jmdvopq]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nzercqy]
"ServiceDll "= "c:\winnt\system32\olkfzwf.dll "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-03-03 23:51:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 07:50:24

Pre-Run: 12,675,276,800 bytes free
Post-Run: 12,671,885,312 bytes free

197

by creating file ark.cmd into gmer folder and doesn't work and same error msg is appearing even i download the new Download SGmer.com and place it next to Gmer.exe
http://techsupportforum.com/sectools/sUBs/sGmer.com
but same problems remaining tq

Juliet · 2009/03/03

Welcome back

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Save this as "CFScript.txt " including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Code:
Rootkit::
c:\winnt\system32\olkfzwf.dll

RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gmzdzg]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\iujszryli]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\jmdvopq]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nzercqy]

File:: 
c:\winnt\system32\Drivers\vdmzmzi2.sys

Driver::
gmzdzg
iujszryli
jmdvopq
nzercqy
vdmzmzi2

NetSvc::
gmzdzg
iujszryli
jmdvopq
nzercqy
vdmzmzi2
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Let's see if we can get a MBAM log

Please download Malwarebytes' Anti-Malware to your desktop

Additional Link

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location.
* You can also access the log by doing the following:

o Click on the Malwarebytes' Anti-Malware icon to launch the program.
o Click on the Logs tab.
o Click on the log at the bottom of those listed to highlight it.
o Click Open.

Tutorial if needed
http://thespykiller.co.uk/index.php/topic,5946.0.html

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply post:
ComboFix.txt
Malwarebytes' Anti-Malware log
New HJT log

You may need several replies to post the requested logs, otherwise they might get cut off.

How's the computer now?

z4u · 2009/03/03

here is following requested logs
ComboFix 09-03-02.03 - PC8 03/04/2009 1:51:34.14 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.83 [GMT -8:00]
Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\winnt\system32\Drivers\vdmzmzi2.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GMZDZG
-------\Legacy_IUJSZRYLI
-------\Legacy_JMDVOPQ
-------\Legacy_NZERCQY
-------\Service_gmzdzg
-------\Service_vdmzmzi2

((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
.

2009-02-26 14:12 . 09-03-03 23:54 250 --a------ c:\winnt\gmer.ini
2009-02-24 15:31 . 09-02-24 15:31 <DIR> d---s---- c:\documents and settings\ZR81\UserData
2009-02-23 15:22 . 09-02-23 15:22 26,624 --a------ c:\winnt\system32\drivers\fsbts.sys
2009-02-19 16:10 . 09-02-19 16:10 <DIR> d-------- c:\winnt\McAfee.com
2009-02-19 13:55 . 09-02-19 13:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\ZR81\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-18 17:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-18 17:38 . 09-02-11 10:19 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-18 17:38 . 09-02-11 10:19 15,504 --a------ c:\winnt\system32\drivers\mbam.sys
2009-02-16 09:20 . 08-07-09 01:05 421,888 --a------ c:\winnt\system32\ac3filter.acm
2009-02-16 09:18 . 09-02-16 09:18 <DIR> d-------- c:\program files\XP Codec Pack

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [06-03-09 15:29 7561216]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]
"NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [06-03-09 15:29 86016]
"egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [08-06-10 18:52 1447168]
"Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 111376 c:\winnt\system32\mobsync.exe]
"nwiz "= "nwiz.exe" [06-03-09 15:29 1519616 c:\winnt\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [05-03-22 01:39 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)
"DisableChangePassword "= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420 "= c:\winnt\system32\i263_32.drv
"vidc.DIV3 "= DivXc32.dll
"vidc.DIV4 "= DivXc32f.dll
"msacm.divxa32 "= DivXa32.acm
"VIDC.HFYU "= huffyuv.dll
"vidc.ffds "= ffdshow.ax
"msacm.avis "= ff_acm.acm
"vidc.i263 "= c:\winnt\system32\i263_32.drv
"msacm.imc "= c:\winnt\system32\imc32.acm
"msacm.ac3filter "= ac3filter.acm

R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - ekrn
*Deregistered* - EventSystem
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - NtmsSvc
*Deregistered* - NVSvc
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasAuto
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - Spooler
*Deregistered* - TapiSrv
*Deregistered* - TrkWks
*Deregistered* - WinMgmt
*Deregistered* - Wmi
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.microsoft.com
LSP: %SystemRoot%\system32\msafd.dll
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 01:57:41
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(176)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 2009-03-04 2:01:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-04 10:01:30

Pre-Run: 12,545,900,544 bytes free
Post-Run: 12,635,938,816 bytes free

197

Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.0.2195

3/4/2009 2:46:51 AM
mbam-log-2009-03-04 (02-46-51).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 86220
Time elapsed: 13 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 97
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\internet antivirus pro_is1 (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\ZR81\Application Data\Desktopicon\eBayShortcuts.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MSN Messenger\msimg32.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\ZR81\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:18 AM, on 3/4/2009
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cafeagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mobsync.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 2779 bytes

i have quarantines the files founded by malwarebytes

Juliet · 2009/03/03

Welcome back

How's the computer now?

I'd like to see the results of an online scan.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All ".
Finally click Empty Selected. When you get the "Done Cleaning " message, click OK.
If you use the Firefox or Opera browsers, you can use this program
as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================

NEXT**
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition
files.

After the files have been downloaded on the left side of the page in the Scan section select My Computer.

This will start the program and scan your system.

The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

Once the scan is complete, click on View scan report To obtain the report:

Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in
your reply.

Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

(Note.. for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419

In your next reply post:
Kaspersky log
New HJT log taken after the above scans have run

You may need several replies to post the requested logs, otherwise they might get cut off.

z4u · 2009/03/04

finally kaspersky online scan finished it almost take 2 hours huhu
and it's detected 2 virus that you are trying to heal it.. here arethe reports.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 4, 2009
Operating System: Microsoft Windows 2000 Professional (build 2195)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, March 04, 2009 10:24:12
Records in database: 1868104
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 35072
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:56:43

File name / Threat name / Threats count
C:\WINNT\system32\olkfzwf.due Infected: Net-Worm.Win32.Kido.ih 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:18 PM, on 3/4/2009
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cafeagent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE2F733-FFEE-4669-B439-E265937B567A}: NameServer = 192.168.0.1
O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

--
End of file - 3003 bytes

Juliet · 2009/03/04

mIRC
mIRC is flagged because it is an IRC program and these programs are one of the biggest facilitators for infection transmission just due to their nature.
riskware not-a-virus
If you did not download and use Mirc.exe, please uninstall this Application.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Save this as "CFScript.txt " including quotes and change the "Save as type" to "All Files" and place it on your desktop.
Code:
http://www.windowsbbs.com/malware-virus-removal/81663-active-c-winnt-system32-x-malware-2009-a.html
Collect::
C:\WINNT\system32\olkfzwf.due
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When finished, it shall produce a log for you. Post that log in your next reply.

NOTE**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed.
With the above script, ComboFix will capture a file to submit for analysis it will prompt you to submit some files for analyzing.
Simply follow the instructions to copy/paste/send the requested file. Please let me know when the file is successfully submitted.

How's the computer now?

z4u · 2009/03/04

yea juliet file is sucessfully submited and here is log file
ComboFix 09-03-03.01 - PC8 03/05/2009 1:30:00.15 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.128.84 [GMT -8:00]
Running from: c:\documents and settings\ZR81\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ZR81\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\olkfzwf.due

.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 00:15 410,984 ----a-w c:\winnt\system32\deploytk.dll
2009-03-04 20:51 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-23 23:22 26,624 ----a-w c:\winnt\system32\drivers\fsbts.sys
2009-02-19 21:55 --------- d-----w c:\program files\Trend Micro
2009-02-19 01:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-19 01:38 --------- d-----w c:\documents and settings\ZR81\Application Data\Malwarebytes
2009-02-19 01:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-16 17:18 --------- d-----w c:\program files\XP Codec Pack
2009-02-11 18:19 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
2009-02-11 18:19 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
2008-08-07 05:53 37,088 ----a-w c:\documents and settings\ZR81\Application Data\GDIPFONTCACHEV1.DAT
2008-01-30 21:06 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-11-18 07:09 271 ---h--w c:\program files\desktop.ini
2006-11-18 07:09 21,952 ---h--w c:\program files\folder.htt
1999-12-07 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
2009-01-08 21:25 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-01-08 21:25 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-08 21:25 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-08 21:25 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-08 21:25 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager "= "c:\program files\Yahoo!\Messenger\ypager.exe" [08/19/05 07:34p 3084288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\winnt\system32\NvCpl.dll" [03/09/06 03:29p 7561216]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]
"NvMediaCenter "= "c:\winnt\system32\NvMcTray.dll" [03/09/06 03:29p 86016]
"egui "= "c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [06/10/08 06:52p 1447168]
"Synchronization Manager "= "mobsync.exe" [06/19/03 12:05p 111376 c:\winnt\system32\mobsync.exe]
"nwiz "= "nwiz.exe" [03/09/06 03:29p 1519616 c:\winnt\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CafeAgent "= "c:\winnt\system32\cafeagent.exe" [03/22/05 01:39a 524800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)
"DisableChangePassword "= 1 (0x1)
"NoDispAppearancePage "= 0 (0x0)
"NoDispSettingsPage "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)
"NoDispAppearancePage "= 0 (0x0)
"NoDispSettingsPage "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword "= 1 (0x1)
"NoSecCPL "= 0 (0x0)
"NoConfigPage "= 0 (0x0)
"NoFileSysPage "= 0 (0x0)
"NoDevMgrPage "= 0 (0x0)
"NoVirtMemPage "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoViewOnDrive "= 0 (0x0)
"NoActiveDesktop "= 1 (0x1)
"ForceActiveDesktopOn "= 0 (0x0)
"NoWindowsUpdate "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)
"NoActiveDesktop "= 1 (0x1)
"ForceActiveDesktopOn "= 0 (0x0)
"NoWindowsUpdate "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood "= 1 (0x1)
"NoViewOnDrive "= 0 (0x0)
"DisableLocalMachineRun "= 0 (0x0)
"DisableLocalMachineRunOnce "= 0 (0x0)
"DisableCurrentUserRun "= 0 (0x0)
"DisableCurrentUserRunOnce "= 0 (0x0)
"NoStartMenuSubFolders "= 0 (0x0)
"NoCommonGroups "= 0 (0x0)
"NoFavoritesMenu "= 1 (0x1)
"NoSMMyPictures "= 0 (0x0)
"NoStartMenuMyMusic "= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420 "= c:\winnt\system32\i263_32.drv
"vidc.DIV3 "= DivXc32.dll
"vidc.DIV4 "= DivXc32f.dll
"msacm.divxa32 "= DivXa32.acm
"VIDC.HFYU "= huffyuv.dll
"vidc.ffds "= ffdshow.ax
"msacm.avis "= ff_acm.acm
"vidc.i263 "= c:\winnt\system32\i263_32.drv
"msacm.imc "= c:\winnt\system32\imc32.acm
"msacm.ac3filter "= ac3filter.acm

R0 AFPAnsi;CafeSuite File Protector;c:\winnt\system32\AFPAnsi.sys [2004-11-06 39456]
R0 fsbts;fsbts;c:\winnt\system32\drivers\fsbts.sys [2009-02-23 26624]
R1 epfwtdir;epfwtdir;c:\winnt\system32\drivers\epfwtdir.sys [2008-06-10 34312]
R2 CafeAgent;CafeAgent of CafeSuite;c:\winnt\system32\CafeAgent.exe [2008-07-01 524800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2007-12-21 468224]
R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;c:\winnt\system32\drivers\DLKRTS.sys [2003-06-02 29820]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [1980-01-01 24784]
R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\winnt\system32\drivers\sis7012.sys [2008-03-05 267136]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys --> c:\documents and settings\ZR81\Local Settings\temp\{1176BE9F-1512-4B67-9C1C-C6ADE0CAE490}\fsgk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\winnt\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.microsoft.com
LSP: %SystemRoot%\system32\msafd.dll
TCP: {9CE2F733-FFEE-4669-B439-E265937B567A} = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\ZR81\Application Data\Mozilla\Firefox\Profiles\unje0asy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************
scanning hidden processes ...

\ComboFix\Catchme.tmp [1076] 0x80108D60

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\wzcdlg.dll
c:\winnt\system32\WZCSAPI.DLL
.
Completion time: 03/05/2009 1:36:32
ComboFix-quarantined-files.txt 2009-03-05 09:35:16

Pre-Run: 12,380,274,688 bytes free
Post-Run: 12,440,133,632 bytes free

175

one more that virus keeps comeback after few hours and nod32 antivirus it qurantaines it i send u the log file that quranataine by nod32 antivirus

3/5/2009 1:05:31 AM Real-time file system protection file C:\WINNT\System32\x a variant of Win32/Conficker.X worm cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.

3/5/2009 1:05:29 AM Real-time file system protection file C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\OH8CY2UO\eyglct[1].gif a variant of Win32/Conficker.X worm cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\WINNT\system32\services.exe.

Juliet · 2009/03/04

Welcome back

Not sure where it's finding this

Have you rebooted the machine since it said it had deleted the file?

I see you have Malwarebytes' Anti-Malware on the computer.
Let's run a scan and see if it can pick up on what NOD32 finds.

Double-click Malwarebytes' Anti-Malware icon to open the program.
Click on the Update button, * If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location.
* You can also access the log by doing the following:

o Click on the Malwarebytes' Anti-Malware icon to launch the program.
o Click on the Logs tab.
o Click on the log at the bottom of those listed to highlight it.
o Click Open.

Tutorial if needed
http://thespykiller.co.uk/index.php/topic,5946.0.html

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Log in or Sign up

Solved C:\WINNT\System32\x malware 2009

z4u Inactive Thread Starter

Admin. Administrator Administrator Staff

z4u Inactive Thread Starter

z4u Inactive Thread Starter

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

Share This Page

Log in or Sign up

Solved C:\WINNT\System32\x malware 2009

z4u Inactive Thread Starter

Admin. Administrator Administrator Staff

z4u Inactive Thread Starter

z4u Inactive Thread Starter

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

z4u Inactive Thread Starter

Juliet Well-Known Member

Share This Page

Useful Searches