duhast04
Posts posted by duhast04
-
File/Folder C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe not found.
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10092008_200211
HijackThis
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080410
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://72.167.249.153:8443/msrdp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Just received a threat message from AVG
File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe
Threat name: Trojan horse Downloader.Zlob_r.CM
Detected on open.
I selected Move to Vault
Edit (7:15pm) - Another threat detected by AVG
File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP147\A0021383.exe
Threat name: Trojan horse Agent.ADFJ
Detected on open.
Again selected Move to Vault
-
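A small triage helper for alerts like the two AVG hits above, added here as a worked example (it is not code from this thread, from AVG, or from any of the cleanup tools mentioned in it). It sorts detection paths into three buckets: copies held in a System Restore point (the _restore{GUID}\RPnnn\ paths AVG reported), files already sitting in a cleanup tool's quarantine folder (the C:\QooBox\Quarantine and C:\_OTMoveIt\MovedFiles layouts that show up in the Kaspersky report later in this thread), and files that are still live on the disk. The quarantine prefixes and the perfs.exe "live" entry are assumptions constructed for the demo.

```python
"""Sort antivirus detections by where the flagged file lives.

Added example for this thread; it is not AVG, Kaspersky, ComboFix or
OTMoveIt code.  Quarantine folder prefixes and the 'live' sample path
are assumptions made for the demo.
"""
import re

# System Restore keeps copies under _restore{GUID}\RPnnn\; the RP number is
# the restore point that would bring the file back if it were restored.
RESTORE_POINT_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}\\rp(\d+)\\",
    re.IGNORECASE,
)

# Assumed quarantine layouts (compared lower-cased): ComboFix stores copies
# under C:\QooBox\Quarantine, OTMoveIt under C:\_OTMoveIt\MovedFiles<stamp>.
# Extend this tuple for other tools' quarantine folders.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\_otmoveit\\movedfiles",
)

# Constructed sample: the two AVG alerts from the post above, two entries in
# the shape of the Kaspersky report later in the thread, and one made-up
# live path (perfs.exe) so every bucket is exercised.
SAMPLE_DETECTIONS = [
    (r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe",
     "Trojan horse Downloader.Zlob_r.CM"),
    (r"C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP147\A0021383.exe",
     "Trojan horse Agent.ADFJ"),
    (r"C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir",
     "Trojan-Downloader.Win32.Delf.jqy"),
    (r"C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\swand.sys",
     "Trojan.Win32.DNSChanger.ews"),
    (r"C:\WINDOWS\system32\perfs.exe",
     "constructed live sample"),
]


def classify(path):
    """Return ('restore-point', rp_number), ('quarantine', None) or ('live', None)."""
    p = path.lower()
    m = RESTORE_POINT_RE.match(p)
    if m:
        return "restore-point", int(m.group(1))
    if any(p.startswith(prefix) for prefix in QUARANTINE_PREFIXES):
        return "quarantine", None
    return "live", None


def bucket(detections):
    """Group (path, threat_name) pairs by classification."""
    groups = {"restore-point": [], "quarantine": [], "live": []}
    for path, threat in detections:
        kind, _ = classify(path)
        groups[kind].append((path, threat))
    return groups


def restore_points_hit(detections):
    """Sorted restore point numbers that hold an infected copy."""
    rps = set()
    for path, _ in detections:
        kind, rp = classify(path)
        if kind == "restore-point":
            rps.add(rp)
    return sorted(rps)


def live_threats(detections):
    """Only the detections that still need removal action on the running system."""
    return bucket(detections)["live"]


if __name__ == "__main__":
    for kind, items in bucket(SAMPLE_DETECTIONS).items():
        print(f"{kind}: {len(items)}")
        for path, threat in items:
            print(f"  {threat}  <-  {path}")
    print("restore points with infected copies:", restore_points_hit(SAMPLE_DETECTIONS))
```

Hits inside a restore point or a quarantine folder are dormant copies; the scanner only sees them when something reads that folder ("Detected on open"). They are not evidence that the cleanup missed something. Once the machine is otherwise clean, the usual step on Windows XP is to turn System Restore off and back on so the infected restore points are discarded, then create a fresh point.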
Hello sarahw
I updated Java, ran ATF, and scanned with Kaspersky. Kaspersky didn't find anything and didn't give me a log file to copy/paste. I even ran the scan twice to be sure, and it didn't give a log either time.
-
One of those fake anti-spyware programs installed itself on a PC and I want to make sure I got it all. I ran Malwarebytes Anti-Malware and it picked up the following:
Malwarebytes' Anti-Malware 1.28
Database version: 1205
Windows 5.1.2600 Service Pack 3
9/25/2008 7:12:16 PM
mbam-log-2008-09-25 (19-12-16).txt
Scan type: Full Scan (C:\|)
Objects scanned: 175625
Time elapsed: 52 minute(s), 58 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\*********\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\*********\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\*********\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.
And here is the HJT log from after running Malwarebytes:
Logfile of HijackThis v1.99.1
Scan saved at 7:21:09 PM, on 9/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080410
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://72.167.249.153:8443/msrdp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Awesome! Thanks for all your help these last couple weeks, Monster!
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:55 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
--
End of file - 4847 bytes
-
I ran the Fix as requested for Hijackthis, but the scan I did after running Kaspersky still shows those (file missing) entries. All the hits that Kaspersky found are items we have locked up in quarantine.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 25, 2008 17:18:29
Records in database: 1008024
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 37677
Threat name: 18
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 00:38:00
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
The selected area was scanned.
-------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:03 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
--
End of file - 5359 bytes
-
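The HijackThis log above is where the leftover service registrations show up: AFinding, perfmons, Routing and WServing are all "Unknown owner" with "(file missing)", meaning the binary is gone but the service key is still there. As an added example, not part of this thread or of HijackThis itself, here is a Python triage pass over the entry lines of an HJT log. The severity rules are my own heuristic, not anything HijackThis defines, and the sample lines are copied from the logs posted in this thread. Orphaned O23 services still need their service key removed (HijackThis' service-delete tool under Misc Tools, or sc delete with the short name), which is why the helper pulls the short names out.

```python
"""Triage the entry lines of a HijackThis (HJT) log.

Added example; not part of the forum thread or of HijackThis.  The
severity rules are the author's own heuristic.  Sample lines are copied
from the logs posted in this thread.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: entry lines taken from the HJT logs in this thread.
SAMPLE_LOG = r"""O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O3 - Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://72.167.249.153:8443/msrdp.cab
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
"""

# HJT entry lines look like "O23 - Service: ..." or "R1 - HKLM\...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Short service name in parentheses just before the " - vendor" separator.
SERVICE_NAME_RE = re.compile(r"\(([^()]+)\) - ")


def parse_entries(text):
    """Yield (section, body) for every entry line; skip headers and the process list."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def host_is_raw_ip(url):
    """True when the URL host is a bare IP address rather than a DNS name."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return a list of (severity, section, reason, body) findings."""
    findings = []
    for section, body in parse_entries(text):
        orphan = "(file missing)" in body or "(no file)" in body
        if section == "O23":
            if "Unknown owner" in body and orphan:
                findings.append(("high", section,
                                 "orphaned service: binary removed but registration left behind", body))
            elif orphan:
                findings.append(("medium", section, "service binary missing", body))
        elif section in ("O2", "O3", "O9") and orphan:
            findings.append(("low", section,
                             "dangling COM/toolbar registration (clean up, not harmful by itself)", body))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if host_is_raw_ip(url):
                findings.append(("medium", section,
                                 "ActiveX download from a bare IP address: verify before trusting", body))
        elif section == "O20":
            if body.startswith("AppInit_DLLs"):
                findings.append(("info", section,
                                 "AppInit_DLLs loads into every GUI process; confirm the DLL vendor", body))
            elif orphan:
                findings.append(("low", section, "Winlogon Notify entry with missing DLL", body))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def orphan_service_names(findings):
    """Short names of orphaned services, ready for HJT's delete-service tool or sc delete."""
    names = []
    for severity, section, _, body in findings:
        if section == "O23" and severity == "high":
            m = SERVICE_NAME_RE.search(body)
            if m:
                names.append(m.group(1))
    return names


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, section, reason, body in results:
        print(f"[{severity:6}] {section}: {reason}\n         {body}")
    print("summary:", summarize(results))
    print("orphaned services:", orphan_service_names(results))
```

The O16 rule is deliberately "verify", not "remove": the msrdp.cab control in this thread is Microsoft's own RDP client, but it was fetched from a bare IP on a non-standard port, which is exactly what a rogue ActiveX download looks like, so it deserves a second look rather than automatic deletion.
-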
I just ran OTMoveIt again, but this time I added perfs.exe to the move list. Below is a new OTMoveIt log and a new HijackThis log.
Explorer killed successfully
C:\WINDOWS\system32\afinding.exe moved successfully.
File/Folder C:\WINDOWS\system32\atpsck.exe not found.
File/Folder C:\WINDOWS\system32\axtpsck.exe not found.
File/Folder C:\WINDOWS\system32\cerwxfst.sys not found.
C:\WINDOWS\system32\cexwxfst.sys moved successfully.
File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
File/Folder C:\WINDOWS\system32\nftscpd.sys not found.
File/Folder C:\WINDOWS\system32\Nobicyt.exe not found.
File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
File/Folder C:\WINDOWS\system32\nxtscpd.sys not found.
C:\WINDOWS\system32\perfs.exe moved successfully.
C:\WINDOWS\system32\routing.exe moved successfully.
C:\WINDOWS\system32\stsycod.sys moved successfully.
File/Folder C:\WINDOWS\system32\swand.sys not found.
File/Folder C:\WINDOWS\system32\sxwand.sys not found.
C:\WINDOWS\system32\wserving.exe moved successfully.
File/Folder C:\WINDOWS\system32\xfst.sys not found.
C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mta23609.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta44437.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta44769.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta84210.dll scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07232008_112518
Files moved on Reboot...
C:\WINDOWS\temp\mta23609.dll unregistered successfully.
C:\WINDOWS\temp\mta23609.dll moved successfully.
C:\WINDOWS\temp\mta44437.dll unregistered successfully.
C:\WINDOWS\temp\mta44437.dll moved successfully.
C:\WINDOWS\temp\mta44769.dll unregistered successfully.
C:\WINDOWS\temp\mta44769.dll moved successfully.
C:\WINDOWS\temp\mta84210.dll unregistered successfully.
C:\WINDOWS\temp\mta84210.dll moved successfully.
-------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:45 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
--
End of file - 5429 bytes
-
Update - This morning Nobicyt.exe tried to reinstall itself. AVG caught it and moved it to the vault. I checked his Task Manager and wserving.exe, afinding.exe, and routing.exe have reinstalled themselves.
His AVG has also caught these programs trying to run:
A0003611.exe
A0003612.exe
A0003613.exe
Edit - The three A000361* programs have tried again to run themselves after the steps I took below.
-
Since running the last program he has been unable to access many web pages. He can get to some, like his favorite football team, but Yahoo, Myspace, BestTechie, Google, etc., give error messages: "Page cannot be displayed" or "Invalid syntax error".
Did one of these nasties screw with his browser before getting nailed by OTMoveIt? He uses the net as part of his job duties, so he's kind of stuck without full access.
Edit - We got it fixed. Ran 'regsvr32 urlmon.dll' and it fixed everything. Must have gotten pointed in the wrong direction after the move this morning?
-
Cool, I thought I was doing something wrong with that program.
Here is the OTMoveIt log and a new HijackThis log. Unless I'm overlooking something, it appears that perfs.exe is the only one left of the original baddies.
Explorer killed successfully
C:\WINDOWS\system32\afinding.exe moved successfully.
File/Folder C:\WINDOWS\system32\atpsck.exe not found.
C:\WINDOWS\system32\axtpsck.exe moved successfully.
C:\WINDOWS\system32\cerwxfst.sys moved successfully.
C:\WINDOWS\system32\cexwxfst.sys moved successfully.
File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
C:\WINDOWS\system32\nftscpd.sys moved successfully.
C:\WINDOWS\system32\Nobicyt.exe moved successfully.
File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
C:\WINDOWS\system32\nxtscpd.sys moved successfully.
C:\WINDOWS\system32\routing.exe moved successfully.
C:\WINDOWS\system32\stsycod.sys moved successfully.
C:\WINDOWS\system32\swand.sys moved successfully.
C:\WINDOWS\system32\sxwand.sys moved successfully.
C:\WINDOWS\system32\wserving.exe moved successfully.
C:\WINDOWS\system32\xfst.sys moved successfully.
C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mta118048.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta118183.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58094.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58952.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta78409.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mtaw65509.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DF59EB.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_083004
Files moved on Reboot...
C:\WINDOWS\temp\mta118048.dll unregistered successfully.
C:\WINDOWS\temp\mta118048.dll moved successfully.
File C:\WINDOWS\temp\mta118183.dll not found!
C:\WINDOWS\temp\mta58094.dll unregistered successfully.
C:\WINDOWS\temp\mta58094.dll moved successfully.
C:\WINDOWS\temp\mta58952.dll unregistered successfully.
C:\WINDOWS\temp\mta58952.dll moved successfully.
C:\WINDOWS\temp\mta78409.dll unregistered successfully.
C:\WINDOWS\temp\mta78409.dll moved successfully.
C:\WINDOWS\temp\mtaw65509.dll unregistered successfully.
C:\WINDOWS\temp\mtaw65509.dll moved successfully.
File C:\WINDOWS\temp\~DF59EB.tmp not found!
----------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:40 AM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
--
End of file - 5419 bytes
-
I'm not sure this worked right. When I ran the program it said "File Not Found" three times, rebooted, then said "File Not Found" again. Program didn't put a folder on the desktop or anywhere else that I could find. Searched for fix.bat, but it didn't appear on the computer. Tried it several times with the same results.
WIN32DELFKIL LOGFILE - by Marckie
version 3.131
Mon 07/21/2008 12:28:12.18
running from: "C:\Documents and Settings\smiller\Desktop"
--- File(s) found in Windows directory ---
--- File(s) found in system32 folder ---
--- Services ---
--- Export SharedTaskScheduler key ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
--- Notify key ---
--- rebooting the computer ---
--- File(s) found in Windows directory ---
--- File(s) found in system32 folder ---
--- Services ---
--- Export SharedTaskSchedulerkey ---
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
--- Notify key ---
Finished!
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:13 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
--
End of file - 5495 bytes
-
Second Kaspersky scan
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 18:38:45
Records in database: 969432
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 30250
Threat name: 20
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 00:27:32
File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
The selected area was scanned.
-
After 5pm EST today I won't be able to work on his computer until Monday. So I took the liberty of running some extra scans to try and kill these things. First I tried Spyware Doctor; it claimed to have cleaned out some items, but after I ran another Kaspersky there appears to be much left on the system.
I also ran Superantispyware, but it found nothing.
Spyware Doctor
PC Tools Spyware Doctor
Date Status
7/18/2008 1:27:33 PM:440 Service Started
Spyware Doctor Service Application started
7/18/2008 1:27:34 PM:128 OnGuard Detection Quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)
7/18/2008 1:27:34 PM:206 Startup Memory Cleaner found infections
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)
7/18/2008 1:27:53 PM:577 Scan Started
Scan Type - Full Scan
7/18/2008 1:27:56 PM:78 Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com
7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe
7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:28:12 PM:948 OnGuards status
All OnGuards were Enabled
7/18/2008 1:28:14 PM:183 Immunizer Results
ActiveX section has been immunized, Processed 4124 items.
7/18/2008 1:33:50 PM:429 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
7/18/2008 1:33:50 PM:737 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE
7/18/2008 1:34:25 PM:883 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe
7/18/2008 1:35:35 PM:234 Infection was detected on this computer
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
7/18/2008 1:35:36 PM:175 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget
7/18/2008 1:35:40 PM:555 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\
7/18/2008 1:35:40 PM:585 Scan Finished
Scan Type - Full Scan
Items Processed - 213949
Threats Detected - 5
Infections Detected - 17
Infections Ignored - 0
7/18/2008 1:38:10 PM:212 Infection cleaned
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com
7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:414 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:477 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe
7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe
7/18/2008 1:38:10 PM:539 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe
7/18/2008 1:38:10 PM:539 Infection quarantined
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\
7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
7/18/2008 1:38:10 PM:694 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe
7/18/2008 1:38:10 PM:710 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE
7/18/2008 1:38:10 PM:725 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe
7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE
7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
7/18/2008 1:38:10 PM:756 Infection quarantined
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
7/18/2008 1:38:10 PM:772 Infection cleaned
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
7/18/2008 1:38:10 PM:788 Infection quarantined
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget
7/18/2008 1:38:10 PM:788 Infection cleaned
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget
7/18/2008 1:38:12 PM:808 Infections Quarantined/Removed Summary
Quarantined - 16
Quarantine Failed - 0
Removed - 17
Remove Failed - 0
7/18/2008 1:39:33 PM:653 Service Stopped
Spyware Doctor Service Application Stopped
7/18/2008 1:40:29 PM:265 Service Started
Spyware Doctor Service Application started
7/18/2008 1:40:59 PM:468 Scan Started
Scan Type - Full Scan
7/18/2008 1:42:49 PM:468 Scan Finished
Scan Type - Full Scan
Items Processed - 53510
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0
7/18/2008 1:43:55 PM:359 Scan Started
Scan Type - Full Scan
7/18/2008 1:46:22 PM:234 Infection was detected on this computer
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe
7/18/2008 1:46:52 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe
7/18/2008 1:46:52 PM:187 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE
7/18/2008 1:46:52 PM:218 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE
7/18/2008 1:49:33 PM:203 Scan Finished
Scan Type - Full Scan
Items Processed - 209356
Threats Detected - 2
Infections Detected - 4
Infections Ignored - 0
7/18/2008 2:20:01 PM:781 Infection quarantined
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe
7/18/2008 2:20:01 PM:796 Infection cleaned
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe
7/18/2008 2:20:01 PM:828 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE
7/18/2008 2:20:01 PM:843 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE
7/18/2008 2:20:01 PM:906 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe
7/18/2008 2:20:01 PM:953 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE
7/18/2008 2:20:01 PM:968 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE
7/18/2008 2:20:01 PM:984 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe
7/18/2008 2:20:03 PM:984 Infections Quarantined/Removed Summary
Quarantined - 4
Quarantine Failed - 0
Removed - 4
Remove Failed - 0
-
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 12:52:01
Records in database: 968327
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
Scan statistics:
Files scanned: 40411
Threat name: 21
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 00:31:46
File name / Threat name / Threats count
C:\WINDOWS\system32\afinding.exe/C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\perfs.exe/C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1
C:\WINDOWS\system32\routing.exe/C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\wserving.exe/C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\yaxcnxd.sys/C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
C:\WINDOWS\system32\cexwxfst.sys/C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
The selected area was scanned.
-
Update – He still has something on his computer. I just went into his office to grab a paper off the printer, and for 5 seconds a British woman was talking about something made in Germany.
-
MBAM Log
Malwarebytes' Anti-Malware 1.20
Database version: 954
Windows 5.1.2600 Service Pack 2
1:18:32 PM 7/15/2008
mbam-log-7-15-2008 (13-18-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 75669
Time elapsed: 8 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
-
Hello Monster
Here is the log for ComboFix and a new HijackThis log. Looks like at least one of the programs I had listed above, Nobicyt.exe, is still on the computer. I also advised him and one of his friends who uses the computer often of the warning to change their passwords and monitor their financial accounts.
ComboFix 08-07-14.2 - smiller 2008-07-15 8:36:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1702 [GMT -4:00]
Running from: C:\Documents and Settings\smiller\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing
((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-14 15:28 . 2008-07-14 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 13:32 . 2008-07-14 13:32 <DIR> d-------- C:\Program Files\Sophos
2008-07-03 09:32 . 2008-07-03 15:16 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Program Files\AVG
2008-07-03 09:32 . 2008-07-03 10:29 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\AVGTOOLBAR
2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-03 09:32 . 2008-07-03 09:32 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 09:32 . 2008-07-03 09:32 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-03 08:43 . 2008-07-03 08:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-03 08:43 . 2008-07-03 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 08:13 . 2008-06-25 08:13 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-06-24 14:37 . 2008-06-27 13:00 <DIR> d-------- C:\MDT
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\CyberLink
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-20 13:41 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 18:59 --------- d-----w C:\Documents and Settings\smiller\Application Data\AdobeUM
2008-07-14 14:41 --------- d-----w C:\Program Files\AutoCAD R14
2008-07-07 21:03 --------- d-----w C:\Program Files\Google
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 19:44 --------- d-----w C:\Program Files\Common Files\Adobe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 14:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 14:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 14:23 137752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-07-03 09:32 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:32]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 15:30]
R2 NOBICYT;NOBICYT;C:\WINDOWS\system32\Nobicyt.exe [2004-08-04 06:00]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A3.tmp []
S4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:32]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 08:39:15
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\A3.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-07-15 8:42:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 12:42:34
Pre-Run: 68,380,143,616 bytes free
Post-Run: 68,475,232,256 bytes free
116 --- E O F --- 2008-07-09 12:54:07
===================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:44, on 2008-07-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
--
End of file - 4900 bytes
-
Hello,
A friend of mine recently started hearing random sound clips on his PC, even when no windows were open. They range from commercials to BBC news reports. I did some checking and found these programs that appear to be malware/rootkits:
afinding.exe
axtpsck.exe
Nobicyt.exe
perfs.exe
routing.exe
wserving.exe
I have run Spybot, AVG, and Sophos Anti-Rootkit, but none of these programs had hits on the files I listed above. Is there one surefire killer program to get rid of these bugs, or is it a multi-step process? I just noticed on the HJT log that axtpsck.exe doesn't appear now, but it was there earlier. Appreciate any help.
Computer is a Dell Optiplex 330.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:03 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
--
End of file - 5375 bytes
Hijackthis Log
in Malware Removal
Posted
Yep, I haven't had it since I moved those files to the Vault. Does it look like there is anything suspicious in my HJT log? Around the time this all started I began experiencing really long log-in times. After typing in the password and hitting OK, it has taken up to a minute or more to reach the desktop; sometimes less, 20-30 seconds. I turned off some programs using msconfig, but that doesn't seem to have done anything.