duhast04 Posted July 14, 2008

Hello,

A friend of mine recently started hearing random sound clips on his PC, even when no windows were open. They range from commercials to BBC news reports. I did some checking and found these programs that appear to be malware/rootkits:

afinding.exe
axtpsck.exe
Nobicyt.exe
perfs.exe
routing.exe
wserving.exe

I have run Spybot, AVG, and Sophos Anti-Rootkit, but none of these programs had hits on the files I listed above. Is there one sure-fire killer program to get rid of these bugs, or is it a multi-step process? I just noticed on the HJT log that axtpsck.exe doesn't appear now, but it was there earlier. Appreciate any help.

Computer is a Dell Optiplex 330.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:03 PM, on 7/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 5375 bytes
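The O23 lines in a HijackThis log are the first thing a helper reads: a service whose image sits in system32 but carries no vendor string ("Unknown owner") is worth a second look, and it matters whether that image is also in the running-process list. The following is an added example, not code from the original post and not part of HijackThis itself: a small Python triage script that parses a HijackThis 2.0 log, extracts the O23 service entries and the running-process list, and flags unknown-owner services loading from system32 together with their running state. The sample log is a constructed subset of the one posted above. "Unknown owner" only means the file carries no company name in its version info, so the output is a triage cue, not a verdict.

```python
"""Triage a HijackThis 2.0 log: parse O23 service entries and the running-process list,
then flag services with no vendor string whose image loads from system32."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the HijackThis log posted above (not the whole file).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Service:
    display: str   # display name as HijackThis prints it
    short: str     # service key name (in parentheses) when shown, else the display name
    owner: str     # company string from the file's version info, or "Unknown owner"
    path: str      # image path

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> Dict[str, list]:
    """Return the running-process paths and the parsed O23 service entries."""
    processes: List[str] = []
    services: List[Service] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            # The process list ends at the first blank line or the first Rn/On entry.
            if not line or re.match(r"^[RO]\d+ - ", line):
                in_procs = False
            else:
                processes.append(line)
                continue
        if line.startswith("O23 - Service: "):
            body = line[len("O23 - Service: "):]
            parts = body.rsplit(" - ", 2)          # display - owner - path, split from the right
            if len(parts) != 3:
                continue                           # malformed line: skip rather than guess
            display, owner, path = parts
            m = re.search(r"\((\w+)\)$", display)
            services.append(Service(display, m.group(1) if m else display, owner, path))
    return {"processes": processes, "services": services}


def flag_services(parsed: Dict[str, list]) -> List[dict]:
    """Unknown-owner services loading from system32, with whether their image is running."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in parsed["processes"]}
    hits = []
    for svc in parsed["services"]:
        if svc.owner == "Unknown owner" and SYSTEM32.search(svc.path):
            hits.append({"service": svc.short, "file": svc.basename,
                         "running": svc.basename in running})
    return hits


def triage(text: str) -> List[dict]:
    return flag_services(parse_hjt(text))


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        state = "RUNNING" if hit["running"] else "not running"
        print(f"{hit['service']:<10} {hit['file']:<14} {state}")
```

Run against the full log above it lists the same five services the original poster had already singled out, and marks all five as running; a service that is flagged but not running (as with axtpsck.exe, which vanished between scans) is the kind of discrepancy to note before the next scan.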
Andro1d Posted July 15, 2008

Hello and Welcome to the forums. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Looking at your system now, one or more of the identified infections is a backdoor application which can allow attackers to access your computer, stealing passwords and personal data.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Please visit this web page for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet. For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Once you have finished installing the Windows Recovery Console, please continue with the rest of the tutorial at the above link.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
duhast04 Posted July 15, 2008

Hello Monster,

Here is the log for ComboFix and a new HijackThis log. Looks like at least one of the programs I had listed above, Nobicyt.exe, is still on the computer. I also advised him and one of his friends who uses the computer often of the warning to change their passwords and monitor their financial accounts.

ComboFix 08-07-14.2 - smiller 2008-07-15 8:36:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1702 [GMT -4:00]
Running from: C:\Documents and Settings\smiller\Desktop\ComboFix.exe
 * Created a new restore point

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\WServing.exe
C:\WINDOWS\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFINDING
-------\Legacy_PERFMONS
-------\Legacy_ROUTING
-------\Legacy_WSERVING
-------\Service_AFinding
-------\Service_perfmons
-------\Service_Routing
-------\Service_WServing

((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))
.
2008-07-14 15:28 . 2008-07-14 15:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 13:32 . 2008-07-14 13:32 <DIR> d-------- C:\Program Files\Sophos
2008-07-03 09:32 . 2008-07-03 15:16 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Program Files\AVG
2008-07-03 09:32 . 2008-07-03 10:29 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\AVGTOOLBAR
2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-03 09:32 . 2008-07-03 09:32 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 09:32 . 2008-07-03 09:32 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-03 08:43 . 2008-07-03 08:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-03 08:43 . 2008-07-03 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 08:13 . 2008-06-25 08:13 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-06-24 14:37 . 2008-06-27 13:00 <DIR> d-------- C:\MDT
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\CyberLink
2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-20 13:41 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-14 18:59 --------- d-----w C:\Documents and Settings\smiller\Application Data\AdobeUM
2008-07-14 14:41 --------- d-----w C:\Program Files\AutoCAD R14
2008-07-07 21:03 --------- d-----w C:\Program Files\Google
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 19:44 --------- d-----w C:\Program Files\Common Files\Adobe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 14:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 14:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 14:23 137752]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-07-03 09:32 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:32]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 15:30]
R2 NOBICYT;NOBICYT;C:\WINDOWS\system32\Nobicyt.exe [2004-08-04 06:00]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A3.tmp []
S4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:32]

.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 08:39:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\A3.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-07-15 8:42:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 12:42:34

Pre-Run: 68,380,143,616 bytes free
Post-Run: 68,475,232,256 bytes free

116 --- E O F --- 2008-07-09 12:54:07

===================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:44, on 2008-07-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe

--
End of file - 4900 bytes
Andro1d Posted July 15, 2008

Hello again,

Please download Malwarebytes' Anti-Malware from Here or Here.

Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
duhast04 Posted July 15, 2008

MBAM Log

Malwarebytes' Anti-Malware 1.20
Database version: 954
Windows 5.1.2600 Service Pack 2

1:18:32 PM 7/15/2008
mbam-log-7-15-2008 (13-18-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 75669
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
duhast04 Posted July 16, 2008

Update - He still has something on his computer. I just went into his office to grab a paper off the printer, and for 5 seconds a British woman was talking about something made in Germany.
Andro1d Posted July 16, 2008

Hello and Welcome to the forums. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please do an online scan with Kaspersky WebScanner.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
Once they are downloaded, the database will be updated.
Please accept any ActiveX or Java notifications.
After the files have been updated, go to the left side of the page under the Scan section and select My Computer.
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete, click on View scan report.
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
duhast04 Posted July 18, 2008

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 12:52:01
Records in database: 968327
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 40411
Threat name: 21
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 00:31:46

File name / Threat name / Threats count
C:\WINDOWS\system32\afinding.exe/C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\perfs.exe/C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1
C:\WINDOWS\system32\routing.exe/C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\wserving.exe/C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\yaxcnxd.sys/C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
C:\WINDOWS\system32\cexwxfst.sys/C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.
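The report above mixes two kinds of hits: copies that ComboFix already moved into C:\QooBox\Quarantine (the .vir files, which are inert) and files that are live under system32 again, several of them with the same name as a quarantined copy. That second group is the useful signal: a file that was quarantined and is nonetheless back on disk has been re-dropped by something still active, which is consistent with the audio continuing after each cleanup. The following is an added example, not code from the original post and not part of Kaspersky's scanner: a Python summariser that parses Kaspersky Online Scanner 7 report lines, collapses the scanner's "outer/inner" container notation, separates live detections from quarantined ones, groups the live ones by threat family, and lists the re-dropped names. The sample is a constructed subset of the report above; the quarantine prefix is ComboFix's, as seen in that report.

```python
"""Summarise a Kaspersky Online Scanner 7 report: separate live detections from copies
already in ComboFix's quarantine, and spot files that were quarantined yet are back on disk."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: a subset of the report lines posted above.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\WINDOWS\system32\afinding.exe/C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
The selected area was scanned.
"""

# One detection line: <path> Infected: <threat name> <count>
LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
QUARANTINE = "C:\\QooBox\\Quarantine\\"   # ComboFix's quarantine folder, as seen in the report


def parse_report(text: str) -> Dict[str, str]:
    """Map each distinct on-disk path to its threat name.
    Kaspersky prints 'outer/inner' for objects it scanned as containers; keep the outer path."""
    findings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # header, footer or blank line
        outer = m.group("path").split("/", 1)[0]
        findings.setdefault(outer, m.group("threat"))  # first name wins for duplicates
    return findings


def family(threat: str) -> str:
    """'Trojan-Downloader.Win32.Delf.kip' -> 'Trojan-Downloader.Win32.Delf' (drop the variant)."""
    return threat.rsplit(".", 1)[0]


def summarise(text: str) -> dict:
    findings = parse_report(text)
    live: Dict[str, List[str]] = defaultdict(list)
    quarantined: Set[str] = set()
    for path, threat in findings.items():
        name = path.rsplit("\\", 1)[-1].lower()
        if path.startswith(QUARANTINE):
            # Quarantined copies carry a .vir suffix; strip it to recover the original name.
            quarantined.add(name[:-4] if name.endswith(".vir") else name)
        else:
            live[family(threat)].append(name)
    live_names = {n for names in live.values() for n in names}
    return {
        "live_by_family": {k: sorted(v) for k, v in live.items()},
        "quarantined": sorted(quarantined),
        "redropped": sorted(live_names & quarantined),   # quarantined before, live again now
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_REPORT)
    for fam, names in summary["live_by_family"].items():
        print(f"{fam}: {', '.join(names)}")
    print("quarantined:", ", ".join(summary["quarantined"]))
    print("re-dropped :", ", ".join(summary["redropped"]))
```

On the full report the re-dropped set is afinding.exe, routing.exe and wserving.exe, all three deleted by ComboFix on July 15 and present again by July 18, which is why the next step in such a thread is to look for the component that keeps writing them rather than to delete the files yet again.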
duhast04 Posted July 18, 2008 (edited)

After 5pm EST today I won't be able to work on his computer until Monday. So I took the liberty of running some extra scans to try and kill these things. First I tried Spyware Doctor; it claimed to have cleaned out some items, but after I ran another Kaspersky there appears to be much left on the system. I also ran Superantispyware, but it found nothing.

Spyware Doctor

PC Tools Spyware Doctor
Date Status

7/18/2008 1:27:33 PM:440 Service Started
Spyware Doctor Service Application started

7/18/2008 1:27:34 PM:128 OnGuard Detection Quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:34 PM:206 Startup Memory Cleaner found infections
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:53 PM:577 Scan Started
Scan Type - Full Scan

7/18/2008 1:27:56 PM:78 Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:12 PM:948 OnGuards status
All OnGuards were Enabled

7/18/2008 1:28:14 PM:183 Immunizer Results
ActiveX section has been immunized, Processed 4124 items.

7/18/2008 1:33:50 PM:429 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:33:50 PM:737 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:34:25 PM:883 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:35:35 PM:234 Infection was detected on this computer
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:35:36 PM:175 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:35:40 PM:555 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:35:40 PM:585 Scan Finished
Scan Type - Full Scan
Items Processed - 213949
Threats Detected - 5
Infections Detected - 17
Infections Ignored - 0

7/18/2008 1:38:10 PM:212 Infection cleaned
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com

7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:414 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:477 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection quarantined
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:694 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:710 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:38:10 PM:725 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection -
C:\WINDOWS\erdnt\subs\ERDNT.EXE7/18/2008 1:38:10 PM:756 Infection cleaned Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE7/18/2008 1:38:10 PM:756 Infection quarantined Threat Name - Trojan-PWS.TanspyType - Registry KeyRisk Level - HighInfection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load7/18/2008 1:38:10 PM:772 Infection cleaned Threat Name - Trojan-PWS.TanspyType - Registry KeyRisk Level - HighInfection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load7/18/2008 1:38:10 PM:788 Infection quarantined Threat Name - Trojan.GenericType - Registry KeyRisk Level - MediumInfection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget7/18/2008 1:38:10 PM:788 Infection cleaned Threat Name - Trojan.GenericType - Registry KeyRisk Level - MediumInfection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget7/18/2008 1:38:12 PM:808 Infections Quarantined/Removed Summary Quarantined - 16Quarantine Failed - 0Removed - 17Remove Failed - 07/18/2008 1:39:33 PM:653 Service Stopped Spyware Doctor Service Application Stopped 7/18/2008 1:40:29 PM:265 Service Started Spyware Doctor Service Application started 7/18/2008 1:40:59 PM:468 Scan Started Scan Type - Full Scan7/18/2008 1:42:49 PM:468 Scan Finished Scan Type - Full ScanItems Processed - 53510Threats Detected - 0Infections Detected - 0Infections Ignored - 07/18/2008 1:43:55 PM:359 Scan Started Scan Type - Full Scan7/18/2008 1:46:22 PM:234 Infection was detected on this computer Threat Name - Trojan-Downloader.MisleadApp!sd6Type - FileRisk Level - HighInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe7/18/2008 1:46:52 PM:140 Infection was detected on this computer Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume 
Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe7/18/2008 1:46:52 PM:187 Infection was detected on this computer Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE7/18/2008 1:46:52 PM:218 Infection was detected on this computer Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE7/18/2008 1:49:33 PM:203 Scan Finished Scan Type - Full ScanItems Processed - 209356Threats Detected - 2Infections Detected - 4Infections Ignored - 07/18/2008 2:20:01 PM:781 Infection quarantined Threat Name - Trojan-Downloader.MisleadApp!sd6Type - FileRisk Level - HighInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe7/18/2008 2:20:01 PM:796 Infection cleaned Threat Name - Trojan-Downloader.MisleadApp!sd6Type - FileRisk Level - HighInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe7/18/2008 2:20:01 PM:828 Infection quarantined Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE7/18/2008 2:20:01 PM:843 Infection quarantined Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE7/18/2008 2:20:01 PM:906 Infection quarantined Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe7/18/2008 2:20:01 PM:953 Infection cleaned Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume 
Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE7/18/2008 2:20:01 PM:968 Infection cleaned Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE7/18/2008 2:20:01 PM:984 Infection cleaned Threat Name - Application.NirCmdType - FileRisk Level - Info & PUAsInfection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe7/18/2008 2:20:03 PM:984 Infections Quarantined/Removed Summary Quarantined - 4Quarantine Failed - 0Removed - 4Remove Failed - 0 Edited July 18, 2008 by duhast04 Link to post Share on other sites
duhast04 (Author) Posted July 18, 2008

Second Kaspersky scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 18:38:45
Records in database: 969432
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 30250
Threat name: 20
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 00:27:32

File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.
Andro1d Posted July 19, 2008

Hello again,

Download win32delfkil.exe. Save it on your desktop, and close all windows.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.
duhast04 (Author) Posted July 21, 2008 (edited)

I'm not sure this worked right. When I ran the program it said "File Not Found" three times, rebooted, then said "File Not Found" again. Program didn't put a folder on the desktop or anywhere else that I could find. Searched for fix.bat, but it didn't appear on the computer. Tried it several times with the same results.

WIN32DELFKIL LOGFILE - by Marckie
version 3.131
Mon 07/21/2008 12:28:12.18
running from: "C:\Documents and Settings\smiller\Desktop"

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

--- rebooting the computer ---

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

Finished!
--------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:13 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 5495 bytes

Edited July 21, 2008 by duhast04
Andro1d Posted July 21, 2008

Hello again,

The program ran fine, so please follow my instructions below.

Please download the OTMoveIt2 by OldTimer. Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

[kill explorer]
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\atpsck.exe
C:\WINDOWS\system32\axtpsck.exe
C:\WINDOWS\system32\cerwxfst.sys
C:\WINDOWS\system32\cexwxfst.sys
C:\WINDOWS\system32\mtsycod.sys
C:\WINDOWS\system32\nftscpd.sys
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\ntscpd.sys
C:\WINDOWS\system32\nxtscpd.sys
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\stsycod.sys
C:\WINDOWS\system32\swand.sys
C:\WINDOWS\system32\sxwand.sys
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\system32\xfst.sys
C:\WINDOWS\system32\yaxcnxd.sys
EmptyTemp
[start explorer]

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
duhast04 (Author) Posted July 22, 2008 (edited)

Cool, I thought I was doing something wrong with that program.

Here is the OTMoveIt log and a new Hijackthis log. Unless I'm overlooking something, it appears that perfs.exe is the only one left of the original baddies.

Explorer killed successfully
C:\WINDOWS\system32\afinding.exe moved successfully.
File/Folder C:\WINDOWS\system32\atpsck.exe not found.
C:\WINDOWS\system32\axtpsck.exe moved successfully.
C:\WINDOWS\system32\cerwxfst.sys moved successfully.
C:\WINDOWS\system32\cexwxfst.sys moved successfully.
File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
C:\WINDOWS\system32\nftscpd.sys moved successfully.
C:\WINDOWS\system32\Nobicyt.exe moved successfully.
File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
C:\WINDOWS\system32\nxtscpd.sys moved successfully.
C:\WINDOWS\system32\routing.exe moved successfully.
C:\WINDOWS\system32\stsycod.sys moved successfully.
C:\WINDOWS\system32\swand.sys moved successfully.
C:\WINDOWS\system32\sxwand.sys moved successfully.
C:\WINDOWS\system32\wserving.exe moved successfully.
C:\WINDOWS\system32\xfst.sys moved successfully.
C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mta118048.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta118183.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58094.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58952.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta78409.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mtaw65509.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DF59EB.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_083004

Files moved on Reboot...
C:\WINDOWS\temp\mta118048.dll unregistered successfully.
C:\WINDOWS\temp\mta118048.dll moved successfully.
File C:\WINDOWS\temp\mta118183.dll not found!
C:\WINDOWS\temp\mta58094.dll unregistered successfully.
C:\WINDOWS\temp\mta58094.dll moved successfully.
C:\WINDOWS\temp\mta58952.dll unregistered successfully.
C:\WINDOWS\temp\mta58952.dll moved successfully.
C:\WINDOWS\temp\mta78409.dll unregistered successfully.
C:\WINDOWS\temp\mta78409.dll moved successfully.
C:\WINDOWS\temp\mtaw65509.dll unregistered successfully.
C:\WINDOWS\temp\mtaw65509.dll moved successfully.
File C:\WINDOWS\temp\~DF59EB.tmp not found!

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:40 AM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--
End of file - 5419 bytes

Edited July 22, 2008 by duhast04
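A small triage script for HijackThis logs like the ones posted in this thread, added here as an illustration (it is not part of any post and not a tool the thread uses): it parses the "Running processes" list and the O23 service lines, skips vendor-owned services, and classifies each "Unknown owner" service as orphaned (the service entry survived the file move, the "(file missing)" entries above), running (binary still present and active, as perfs.exe is in the log above) or present. The sample lines are copied from the 7/22/2008 log; the regexes, function names and status labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 format: a handful of lines copied
# from the 7/22/2008 log in this thread, not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
"""

# HijackThis section lines look like "O23 - ...", "R0 - ...", "O4 - ...".
SECTION_RE = re.compile(r"^[A-Z]\d{1,2} - ")
# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    service: str
    path: str
    status: str  # "orphaned", "running" or "present"


def parse_log(text):
    """Return (running process paths, lowercased; list of parsed O23 entries)."""
    processes = set()
    services = []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if SECTION_RE.match(line):
            # First section line ends the process list.
            in_processes = False
            m = O23_RE.match(line)
            if m:
                services.append(m.groupdict())
            continue
        if in_processes:
            processes.add(line.lower())  # Windows paths compare case-insensitively
    return processes, services


def triage(text):
    """Flag every O23 service whose owner HijackThis could not identify.

    Vendor-owned services are skipped. For the rest:
      orphaned - binary is gone but the service registration remains
      running  - binary exists and appears in the running-process list
      present  - binary exists but was not running at scan time
    """
    processes, services = parse_log(text)
    findings = []
    for svc in services:
        if svc["owner"] != "Unknown owner":
            continue
        if svc["missing"]:
            status = "orphaned"
        elif svc["path"].lower() in processes:
            status = "running"
        else:
            status = "present"
        findings.append(Finding(svc["name"], svc["path"], status))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.status:9} {f.service}: {f.path}")
```

On the sample this reports three orphaned entries (AFinding, NOBICYT, WServing) and perfmons as running, which matches what the poster observed about perfs.exe.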
duhast04 (Author) Posted July 22, 2008 (edited)

Since running the last program he has been unable to access many web pages. He can get to some, like his favorite football team, but Yahoo, Myspace, BestTechie, Google, etc., give error messages: "Page cannot be displayed" or "Invalid syntax error".

Did one of these nasties screw with his browser before getting nailed by OTMoveIt? He uses the net as part of his job duties, so he's kind of stuck without full access.

Edit - We got it fixed. Ran 'regsvr32 urlmon.dll' and it fixed everything. Must have gotten pointed in the wrong direction after the move this morning?

Edited July 22, 2008 by duhast04
duhast04 (Author) Posted July 23, 2008 (edited)

Update - This morning Nobicyt.exe tried to reinstall itself. AVG caught it and moved it to the vault. I checked his Task Manager and wserving.exe, afinding.exe, and routing.exe have reinstalled themselves.

His AVG has also caught these programs trying to run:
A0003611.exe
A0003612.exe
A0003613.exe

Edit - The three A000361* programs have tried again to run themselves after the steps I took below.

Edited July 23, 2008 by duhast04
duhast04 (Author) Posted July 23, 2008

I just ran OTMoveIt again, but this time I added perfs.exe to the move list. Below is a new OTMoveIt log and a new Hijackthis log.

Explorer killed successfully
C:\WINDOWS\system32\afinding.exe moved successfully.
File/Folder C:\WINDOWS\system32\atpsck.exe not found.
File/Folder C:\WINDOWS\system32\axtpsck.exe not found.
File/Folder C:\WINDOWS\system32\cerwxfst.sys not found.
C:\WINDOWS\system32\cexwxfst.sys moved successfully.
File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
File/Folder C:\WINDOWS\system32\nftscpd.sys not found.
File/Folder C:\WINDOWS\system32\Nobicyt.exe not found.
File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
File/Folder C:\WINDOWS\system32\nxtscpd.sys not found.
C:\WINDOWS\system32\perfs.exe moved successfully.
C:\WINDOWS\system32\routing.exe moved successfully.
C:\WINDOWS\system32\stsycod.sys moved successfully.
File/Folder C:\WINDOWS\system32\swand.sys not found.
File/Folder C:\WINDOWS\system32\sxwand.sys not found.
C:\WINDOWS\system32\wserving.exe moved successfully.
File/Folder C:\WINDOWS\system32\xfst.sys not found.
C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mta23609.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta44437.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta44769.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta84210.dll scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07232008_112518

Files moved on Reboot...
C:\WINDOWS\temp\mta23609.dll unregistered successfully.
C:\WINDOWS\temp\mta23609.dll moved successfully.
C:\WINDOWS\temp\mta44437.dll unregistered successfully.
C:\WINDOWS\temp\mta44437.dll moved successfully.
C:\WINDOWS\temp\mta44769.dll unregistered successfully.
C:\WINDOWS\temp\mta44769.dll moved successfully.
C:\WINDOWS\temp\mta84210.dll unregistered successfully.
C:\WINDOWS\temp\mta84210.dll moved successfully.

-------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:45 AM, on 7/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o.
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: IntelĀ® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeO23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)--End of file - 5429 bytes Link to post Share on other sites
Andro1d Posted July 24, 2008

Hello again,

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

Step 2

Please do an online scan with Kaspersky WebScanner.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
Once they are downloaded, the database will be updated.
Please accept any ActiveX or Java notifications.
After the files have been updated, go to the left side of the page under the Scan section and select My Computer.
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete, click on View scan report.
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.
duhast04 Posted July 25, 2008 (Author, edited)

I ran the Fix as requested for HijackThis, but the scan I did after running Kaspersky still shows those (file missing) entries. All the hits that Kaspersky found are items we have locked up in quarantine.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 25, 2008 17:18:29
Records in database: 1008024
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 37677
Threat name: 18
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 00:38:00

File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.

-------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:03 PM, on 7/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--
End of file - 5359 bytes

Edited July 25, 2008 by duhast04
Andro1d Posted July 25, 2008

Hello again,

Please copy (Ctrl C) and paste (Ctrl V) the following text in the code box to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop AFinding
sc delete AFinding
sc stop NOBICYT
sc delete NOBICYT
sc stop perfmons
sc delete perfmons
sc stop Routing
sc delete Routing
sc stop WServing
sc delete WServing
DEL fixservices.bat

Double click fixservices.bat. A window will open and close. This is normal.

Now post a fresh HJT log please.
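An added example, not code from the thread or from any of the tools it uses: a small Python parser for HijackThis O23 lines that picks out the services whose binary is gone (the "(file missing)" entries that survived HijackThis's Fix Checked because the service registration outlives the file) and assembles the same sc stop / sc delete pairs as the batch file above. The sample log lines are constructed in the shape of this thread's logs; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's HijackThis O23 lines.
# Backslashes are doubled only because this is a Python string literal.
SAMPLE_LOG = """\
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\\WINDOWS\\system32\\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\\Program Files\\Broadcom\\ASFIPMon\\AsfIpMon.exe
O23 - Service: NOBICYT - Unknown owner - C:\\WINDOWS\\system32\\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\\WINDOWS\\system32\\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\\WINDOWS\\system32\\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\\WINDOWS\\system32\\wserving.exe (file missing)
O4 - HKLM\\..\\Run: [igfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
"""

# One O23 line: "O23 - Service: <display> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HijackThis appends the service key name in parentheses when it differs
# from the display name; otherwise the display name is the key itself.
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")


@dataclass
class ServiceEntry:
    display: str        # display name as HijackThis prints it
    name: str           # service key name, what "sc stop"/"sc delete" need
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text: str) -> list:
    """Return a ServiceEntry for every O23 line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        display = m.group("display")
        short = SHORT_NAME_RE.search(display)
        entries.append(ServiceEntry(
            display=display,
            name=short.group(1) if short else display,
            owner=m.group("owner"),
            path=m.group("path"),
            file_missing=m.group("missing") is not None,
        ))
    return entries


def orphaned_services(entries: list) -> list:
    """Services whose binary is gone: the registry entry outlived the file,
    which is why the thread's logs kept showing them after quarantine."""
    return [e for e in entries if e.file_missing]


def unknown_owner_services(entries: list) -> list:
    """Services with no vendor string: a triage hint, not proof of malware."""
    return [e for e in entries if e.owner == "Unknown owner"]


def sc_cleanup_commands(entries: list) -> list:
    """The stop/delete pair the batch file in the thread uses, per service."""
    cmds = []
    for e in entries:
        cmds.append(f"sc stop {e.name}")
        cmds.append(f"sc delete {e.name}")
    return cmds


def build_fix_batch(entries: list) -> str:
    """Assemble a FixServices.bat body in the same shape as the one posted."""
    return "\n".join(["@echo off", *sc_cleanup_commands(entries)]) + "\n"


if __name__ == "__main__":
    orphans = orphaned_services(parse_o23(SAMPLE_LOG))
    print(build_fix_batch(orphans))
```

Run against the thread's July 25 log it reproduces the five service names the batch file targets; the Broadcom entry, whose binary exists and whose owner is named, is left alone.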
duhast04 Posted July 28, 2008 (Author)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:55 AM, on 7/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

--
End of file - 4847 bytes
Andro1d Posted July 28, 2008

Nice job, your log looks clean!

Please use the following suggestions to help prevent reinfection.

Time for some housekeeping

Click START then RUN.
Now type Combofix /u in the runbox and click OK.
When shown the disclaimer, select "2".

The above procedure will:
Delete the following: ComboFix and its associated files and folders; VundoFix backups, if present; the C:\Deckard folder, if present; the C:\_OtMoveIt folder, if present.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

Malwarebytes' Anti-Malware - A very powerful tool which searches and kills malware that infects your system.
**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.
**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
**Tutorial on installing & using this product can be found HERE**

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle

Firewall

A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.
**Tutorial on Firewalls can be found HERE**

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like SpywareBlaster and IE-SpyAd do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.

Finally, I strongly recommend How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing
duhast04 Posted July 28, 2008 (Author)

Awesome! Thanks for all your help these last couple weeks, Monster!
Andro1d Posted July 28, 2008

Since this issue appears to be resolved, this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.