duhast04

  1. Yep, I haven't had it since I moved those files to the Vault. Does it look like there is anything suspicious in my HJT log? Around the time this all started I began experiencing really long log-in times. After typing in the password and hitting OK it has taken up to a minute or more to reach the desktop. Sometimes less, 20-30 seconds. I turned off some programs using msconfig, but that hasn't seemed to have done anything.
  2. File/Folder C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe not found.
     OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10092008_200211
     HijackThis
     C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Viewpoint\Common\ViewpointService.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\RTHDCPL.EXE
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Program Files\Hijackthis\HijackThis.exe
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080410
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
     O3 - Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
     O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://72.167.249.153:8443/msrdp.cab
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: avgrsstx.dll
     O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
     O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
     O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
     O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
     O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
     O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
     O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  3. Just received a threat message from AVG
     File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe
     Threat name: Trojan horse Downloader.Zlob_r.CM
     Detected on open.
     I selected Move to Vault
     Edit (7:15pm) - Another threat detected by AVG
     File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP147\A0021383.exe
     Threat name: Trojan horse Agent.ADFJ
     Detected on open.
     Again selected Move to Vault
  4. Hello sarahw, I updated Java, ran ATF, and scanned with Kaspersky. Kaspersky didn't find anything and didn't give me a log file to copy/paste; I even ran the scan twice to be sure and it didn't give a log either time.
  5. One of those fake anti-spyware programs installed itself on a PC and I want to make sure I got it all. I ran Malwarebytes Anti-Malware and it picked up the following:
     Malwarebytes' Anti-Malware 1.28
     Database version: 1205
     Windows 5.1.2600 Service Pack 3
     9/25/2008 7:12:16 PM
     mbam-log-2008-09-25 (19-12-16).txt
     Scan type: Full Scan (C:\|)
     Objects scanned: 175625
     Time elapsed: 52 minute(s), 58 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 2
     Registry Values Infected: 1
     Registry Data Items Infected: 3
     Folders Infected: 0
     Files Infected: 7
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected:
     HKEY_CLASSES_ROOT\CLSID\{144a6b24-0ebc-4d89-bf09-a06a718e57b5} (Trojan.Zlob) -> Quarantined and deleted successfully.
     HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\smile (Trojan.Zlob) -> Quarantined and deleted successfully.
     Registry Data Items Infected:
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
     Files Infected:
     C:\Documents and Settings\*********\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     C:\Documents and Settings\*********\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     C:\Documents and Settings\*********\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Desktop\Antivirus Scan.url (Rogue.Link) -> Quarantined and deleted successfully.
     C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.
     And here is the HJT log from after running Malwarebytes:
     Logfile of HijackThis v1.99.1
     Scan saved at 7:21:09 PM, on 9/25/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\RTHDCPL.EXE
     C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
     C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\system32\nvsvc32.exe
     C:\WINDOWS\system32\PnkBstrA.exe
     C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Viewpoint\Common\ViewpointService.exe
     C:\Program Files\Hijackthis\HijackThis.exe
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080410
     R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
     O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
     O3 - Toolbar: (no name) - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
     O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
     O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
     O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
     O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
     O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
     O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://72.167.249.153:8443/msrdp.cab
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: avgrsstx.dll
     O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
     O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
     O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
     O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
     O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
     O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
     O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
     O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
     O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
     O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  6. Awesome! Thanks for all your help these last couple weeks, Monster!
  7. Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 8:10:55 AM, on 7/28/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
     O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
     O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: avgrsstx.dll
     O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     --
     End of file - 4847 bytes
  8. I ran the Fix as requested for Hijackthis, but the scan I did after running Kaspersky still shows those (file missing) entries. All the hits that Kaspersky found are items we have locked up in quarantine.
     --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7 REPORT
     Friday, July 25, 2008
     Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
     Kaspersky Online Scanner 7 version: 7.0.25.0
     Program database last update: Friday, July 25, 2008 17:18:29
     Records in database: 1008024
     --------------------------------------------------------------------------------
     Scan settings:
     Scan using the following database: extended
     Scan archives: yes
     Scan mail databases: yes
     Scan area - My Computer:
     C:\
     D:\
     Scan statistics:
     Files scanned: 37677
     Threat name: 18
     Infected objects: 19
     Suspicious objects: 0
     Duration of the scan: 00:38:00
     File name / Threat name / Threats count
     C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
     C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
     C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
     C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
     C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
     C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1
     The selected area was scanned.
     -------------------------------------------------------------------------------------------------
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:53:03 PM, on 7/25/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
     C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
     C:\WINDOWS\system32\WISPTIS.EXE
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
     O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
     O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: avgrsstx.dll
     O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
     O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
     O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
     O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
     --
     End of file - 5359 bytes
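As an added example, not code from this thread, from HijackThis or from Kaspersky, the Python below parses the O23 service lines of a HijackThis log, separates registrations whose binary is already gone ("(file missing)") from ones that merely lack a vendor, and checks each missing binary against the file names in a Kaspersky report, which is the cross-check behind the remark that every hit was already in quarantine. The function names and the two sample constants are mine; the sample lines are copied from the logs in this listing.

```python
"""Triage HijackThis O23 (service) lines against a Kaspersky report.

Added example for this thread, not code from the forum, HijackThis or
Kaspersky. Orphaned registrations ("(file missing)") are separated from
merely vendor-less ones and cross-checked against the scanner's file names.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Kaspersky report line: <path> Infected: <threat name> <count>
KAV_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected: (?P<threat>\S+)\s+\d+$")

# Constructed samples: O23 lines copied from the HijackThis logs in this
# listing (PnkBstrA is from the October 2008 log) plus one non-O23 line, and
# a subset of the Kaspersky hits quoted in this post.
SAMPLE_HJT = r"""
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
-- End of file - 5359 bytes
"""
SAMPLE_KAV = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
"""


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]   # HijackThis omits "(short)" when it equals display
    owner: str
    path: str
    file_missing: bool


def parse_o23(log_text: str) -> List[ServiceEntry]:
    """Return every O23 line of a HijackThis log as a ServiceEntry."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                display=m.group("display"), short=m.group("short"),
                owner=m.group("owner"), path=m.group("path"),
                file_missing=m.group("missing") is not None))
    return entries


def classify(entry: ServiceEntry) -> str:
    """orphaned: binary gone; review: present but no vendor; ok: otherwise."""
    if entry.file_missing:
        return "orphaned"
    if entry.owner == "Unknown owner":
        return "review"
    return "ok"


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group service names (short name when present) by classification."""
    groups: Dict[str, List[str]] = {"orphaned": [], "review": [], "ok": []}
    for entry in parse_o23(log_text):
        groups[classify(entry)].append(entry.short or entry.display)
    return groups


def quarantined_basenames(kav_text: str) -> Set[str]:
    """Lower-case file names from a Kaspersky report, minus any .vir suffix."""
    names = set()
    for line in kav_text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            base = ntpath.basename(m.group("path")).lower()
            names.add(base[:-4] if base.endswith(".vir") else base)
    return names


def link_orphans_to_quarantine(hjt_text: str, kav_text: str) -> Dict[str, Optional[str]]:
    """Map each orphaned service to the quarantined file it pointed at, or None."""
    quarantined = quarantined_basenames(kav_text)
    linked: Dict[str, Optional[str]] = {}
    for entry in parse_o23(hjt_text):
        if entry.file_missing:
            base = ntpath.basename(entry.path).lower()
            linked[entry.short or entry.display] = base if base in quarantined else None
    return linked
```

A `None` in the linked result means the scanner reported no file under that name, so the orphaned registration cannot be tied to a quarantined hit from the report alone.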
  9. I just ran OTMoveIt again, but this time I added perfs.exe to the move list. Below is a new OTMoveIt log and a new Hijackthis log
     Explorer killed successfully
     C:\WINDOWS\system32\afinding.exe moved successfully.
     File/Folder C:\WINDOWS\system32\atpsck.exe not found.
     File/Folder C:\WINDOWS\system32\axtpsck.exe not found.
     File/Folder C:\WINDOWS\system32\cerwxfst.sys not found.
     C:\WINDOWS\system32\cexwxfst.sys moved successfully.
     File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
     File/Folder C:\WINDOWS\system32\nftscpd.sys not found.
     File/Folder C:\WINDOWS\system32\Nobicyt.exe not found.
     File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
     File/Folder C:\WINDOWS\system32\nxtscpd.sys not found.
     C:\WINDOWS\system32\perfs.exe moved successfully.
     C:\WINDOWS\system32\routing.exe moved successfully.
     C:\WINDOWS\system32\stsycod.sys moved successfully.
     File/Folder C:\WINDOWS\system32\swand.sys not found.
     File/Folder C:\WINDOWS\system32\sxwand.sys not found.
     C:\WINDOWS\system32\wserving.exe moved successfully.
     File/Folder C:\WINDOWS\system32\xfst.sys not found.
     C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
     < EmptyTemp >
     File delete failed. C:\WINDOWS\temp\mta23609.dll scheduled to be deleted on reboot.
     File delete failed. C:\WINDOWS\temp\mta44437.dll scheduled to be deleted on reboot.
     File delete failed. C:\WINDOWS\temp\mta44769.dll scheduled to be deleted on reboot.
     File delete failed. C:\WINDOWS\temp\mta84210.dll scheduled to be deleted on reboot.
     Temp folders emptied.
     IE temp folders emptied.
     Explorer started successfully
     OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07232008_112518
     Files moved on Reboot...
     C:\WINDOWS\temp\mta23609.dll unregistered successfully.
     C:\WINDOWS\temp\mta23609.dll moved successfully.
     C:\WINDOWS\temp\mta44437.dll unregistered successfully.
     C:\WINDOWS\temp\mta44437.dll moved successfully.
     C:\WINDOWS\temp\mta44769.dll unregistered successfully.
     C:\WINDOWS\temp\mta44769.dll moved successfully.
     C:\WINDOWS\temp\mta84210.dll unregistered successfully.
     C:\WINDOWS\temp\mta84210.dll moved successfully.
     -------------------------------------------------------
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 11:27:45 AM, on 7/23/2008
     Platform: Windows XP SP2 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
     Boot mode: Normal
     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
     C:\PROGRA~1\AVG\AVG8\avgrsx.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\notepad.exe
     C:\WINDOWS\system32\hkcmd.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
     C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
     C:\Program Files\Analog Devices\Core\smax4pnp.exe
     C:\PROGRA~1\AVG\AVG8\avgtray.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     C:\WINDOWS\system32\userinit.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
     C:\WINDOWS\system32\wuauclt.exe
     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
     R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
     O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
     O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
     O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
     O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
     O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
     O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
     O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
     O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
     O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
     O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
     O20 - AppInit_DLLs: avgrsstx.dll
     O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
     O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
     O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
     O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
     O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
     O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
     O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
     O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
     --
     End of file - 5429 bytes
  10. Update - This morning Nobicyt.exe tried to reinstall itself. AVG caught it and moved it to the vault. I checked his Task Manager and wserving.exe, afinding.exe, and routing.exe have reinstalled themselves. His AVG has also caught these programs trying to run:

A0003611.exe
A0003612.exe
A0003613.exe

Edit - The three A000361* programs have tried again to run themselves after the steps I took below.
  11. Since running the last program he has been unable to access many web pages. He can get to some, like his favorite football team, but Yahoo, Myspace, BestTechie, Google, etc., give error messages: "Page cannot be displayed" or "Invalid syntax error". Did one of these nasties screw with his browser before getting nailed by OTMoveIt? He uses the net as part of his job duties, so he's kind of stuck without full access.

Edit - We got it fixed. Ran 'regsvr32 urlmon.dll' and it fixed everything. Must have gotten pointed in the wrong direction after the move this morning?
  12. Cool, I thought I was doing something wrong with that program. Here are the OTMoveIt log and a new HijackThis log. Unless I'm overlooking something, it appears that perfs.exe is the only one left of the original baddies.

Explorer killed successfully
C:\WINDOWS\system32\afinding.exe moved successfully.
File/Folder C:\WINDOWS\system32\atpsck.exe not found.
C:\WINDOWS\system32\axtpsck.exe moved successfully.
C:\WINDOWS\system32\cerwxfst.sys moved successfully.
C:\WINDOWS\system32\cexwxfst.sys moved successfully.
File/Folder C:\WINDOWS\system32\mtsycod.sys not found.
C:\WINDOWS\system32\nftscpd.sys moved successfully.
C:\WINDOWS\system32\Nobicyt.exe moved successfully.
File/Folder C:\WINDOWS\system32\ntscpd.sys not found.
C:\WINDOWS\system32\nxtscpd.sys moved successfully.
C:\WINDOWS\system32\routing.exe moved successfully.
C:\WINDOWS\system32\stsycod.sys moved successfully.
C:\WINDOWS\system32\swand.sys moved successfully.
C:\WINDOWS\system32\sxwand.sys moved successfully.
C:\WINDOWS\system32\wserving.exe moved successfully.
C:\WINDOWS\system32\xfst.sys moved successfully.
C:\WINDOWS\system32\yaxcnxd.sys moved successfully.
< EmptyTemp >
File delete failed. C:\WINDOWS\temp\mta118048.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta118183.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58094.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta58952.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mta78409.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mtaw65509.dll scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DF59EB.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_083004

Files moved on Reboot...
C:\WINDOWS\temp\mta118048.dll unregistered successfully.
C:\WINDOWS\temp\mta118048.dll moved successfully.
File C:\WINDOWS\temp\mta118183.dll not found!
C:\WINDOWS\temp\mta58094.dll unregistered successfully.
C:\WINDOWS\temp\mta58094.dll moved successfully.
C:\WINDOWS\temp\mta58952.dll unregistered successfully.
C:\WINDOWS\temp\mta58952.dll moved successfully.
C:\WINDOWS\temp\mta78409.dll unregistered successfully.
C:\WINDOWS\temp\mta78409.dll moved successfully.
C:\WINDOWS\temp\mtaw65509.dll unregistered successfully.
C:\WINDOWS\temp\mtaw65509.dll moved successfully.
File C:\WINDOWS\temp\~DF59EB.tmp not found!

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:40 AM, on 7/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\perfs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--
End of file - 5419 bytes
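The O23 lines are what posts 10 and 12 keep coming back to: OTMoveIt moves a binary, but the service entry that would relaunch it stays behind ("file missing"), and in post 10 several of the binaries came back. The Python below is an added example, not code from this thread or from HijackThis. It parses the O23 service lines and the "Running processes" block of a HijackThis log and reports services with no publisher string, services whose binary is gone but whose registration remains, unknown-owner services whose binary is present and running, and what changed between two logs. The two sample logs are constructed from the 7/21 and 7/22 entries quoted in this thread, trimmed to the relevant lines; the function names are my own.

```python
"""Triage of HijackThis O23 (service) entries across two log snapshots.

Added example for this thread; not part of HijackThis or of the original
posts.  The sample logs are constructed from lines quoted in the thread and
are trimmed, so byte counts and most R/O lines are omitted.
"""
import re

# One O23 line: 'O23 - Service: <display> (<name>) - <owner> - <path>[ (file missing)]'.
# The short name in parentheses is optional: the NOBICYT entry has none.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def running_processes(log_text):
    """Lower-cased image paths listed under 'Running processes:'.

    The block ends at the first non-blank line that is not a path
    (the R0/R1 entries that follow it in every HijackThis log)."""
    paths, in_block = set(), False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and PATH_RE.match(line):
            paths.add(line.lower())
        elif in_block and line:
            in_block = False
    return paths


def triage(log_text):
    """Map service short name -> facts pulled from its O23 line."""
    running = running_processes(log_text)
    services = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        services[m["name"] or m["display"]] = {
            "path": m["path"],
            "unknown_owner": m["owner"] == "Unknown owner",
            "file_missing": m["missing"] is not None,
            "running": m["path"].lower() in running,
        }
    return services


def suspicious(services):
    """Services with no publisher string; every malicious O23 line in the
    thread shares this, while the legitimate ones name a vendor."""
    return sorted(n for n, s in services.items() if s["unknown_owner"])


def orphaned(services):
    """Service registrations whose ImagePath no longer exists on disk: the
    binary was moved, but the autostart that would relaunch it remains."""
    return sorted(n for n, s in services.items() if s["file_missing"])


def live_unknown(services):
    """Unknown-owner services whose binary is present and currently running."""
    return sorted(n for n, s in services.items()
                  if s["unknown_owner"] and s["running"] and not s["file_missing"])


def changes(earlier, later):
    """Service name -> (state in earlier, state in later) for every service
    whose on-disk state differs between two triaged logs.  A 'missing' ->
    'present' transition is a binary that came back, as post 10 reports."""
    def state(s):
        return "absent" if s is None else ("missing" if s["file_missing"] else "present")
    out = {}
    for name in set(earlier) | set(later):
        a, b = state(earlier.get(name)), state(later.get(name))
        if a != b:
            out[name] = (a, b)
    return out


# Constructed sample: the 7/21 state, all five unknown services present and running.
LOG_JUL21 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:13 PM, on 7/21/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

# Constructed sample: the 7/22 state after OTMoveIt, perfs.exe still running.
LOG_JUL22 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:40 AM, on 7/22/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
"""

if __name__ == "__main__":
    before, after = triage(LOG_JUL21), triage(LOG_JUL22)
    print("unknown owner:", suspicious(after))
    print("orphaned registrations:", orphaned(after))
    print("still running:", live_unknown(after))
    print("changed since 7/21:", changes(before, after))
```

Run against the two snapshots, the script names the four orphaned registrations (AFinding, NOBICYT, Routing, WServing) and perfmons as the one unknown-owner service still running, which is the same conclusion post 12 reaches by eye. The `changes` report is the part worth keeping between runs: a service that flips from "missing" back to "present" is a dropper restoring its payload, not a scanner false positive.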
  13. I'm not sure this worked right. When I ran the program it said "File Not Found" three times, rebooted, then said "File Not Found" again. The program didn't put a folder on the desktop or anywhere else that I could find. Searched for fix.bat, but it didn't appear on the computer. Tried it several times with the same results.

WIN32DELFKIL LOGFILE - by Marckie
version 3.131
Mon 07/21/2008 12:28:12.18
running from: "C:\Documents and Settings\smiller\Desktop"

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

--- rebooting the computer ---

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

Finished!

--------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:13 PM, on 7/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\afinding.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local
O17 - HKLM\Software\..\Telephony: DomainName = klinge.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--
End of file - 5495 bytes
  14. Second Kaspersky scan

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 18, 2008 18:38:45
Records in database: 969432
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 30250
Threat name: 20
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 00:27:32

File name / Threat name / Threats count
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1
C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1
C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1
C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1
C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1
C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1
C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1
C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1
C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1
C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1
C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1
C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1
C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1
C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1
C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1
C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1
C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.
  15. After 5pm EST today I won't be able to work on his computer until Monday. So I took the liberty of running some extra scans to try and kill these things. First I tried Spyware Doctor; it claimed to have cleaned out some items, but after I ran another Kaspersky there appears to be much left on the system. I also ran Superantispyware, but it found nothing.

Spyware Doctor

PC Tools Spyware Doctor
Date / Status

7/18/2008 1:27:33 PM:440 Service Started
Spyware Doctor Service Application started

7/18/2008 1:27:34 PM:128 OnGuard Detection Quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:34 PM:206 Startup Memory Cleaner found infections
Threat Name - Trojan-Downloader.Delf.DDI
Type - Process
Risk Level - Medium
Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:53 PM:577 Scan Started
Scan Type - Full Scan

7/18/2008 1:27:56 PM:78 Infection was detected on this computer
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:12 PM:948 OnGuards status
All OnGuards were Enabled

7/18/2008 1:28:14 PM:183 Immunizer Results
ActiveX section has been immunized, Processed 4124 items.

7/18/2008 1:33:50 PM:429 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:33:50 PM:737 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:34:25 PM:883 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:35:35 PM:234 Infection was detected on this computer
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:35:35 PM:728 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:35:35 PM:743 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:35:36 PM:175 Infection was detected on this computer
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:35:40 PM:555 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:35:40 PM:585 Scan Finished
Scan Type - Full Scan
Items Processed - 213949
Threats Detected - 5
Infections Detected - 17
Infections Ignored - 0

7/18/2008 1:38:10 PM:212 Infection cleaned
Threat Name - Adware.Advertising
Type - Cookie
Risk Level - Low
Infection - atdmt.com/ atdmt.com

7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:399 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:414 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:477 Infection quarantined
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - Startup
Risk Level - Medium
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection cleaned
Threat Name - Trojan-Downloader.Delf.DDI
Type - File
Risk Level - Medium
Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection quarantined
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:554 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:570 Infection quarantined
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:694 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:710 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:38:10 PM:725 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Folder
Risk Level - Info & PUAs
Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Key
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:741 Infection cleaned
Threat Name - Application.NirCmd
Type - Registry Value
Risk Level - Info & PUAs
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:38:10 PM:756 Infection cleaned
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:38:10 PM:756 Infection quarantined
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:38:10 PM:772 Infection cleaned
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:38:10 PM:788 Infection quarantined
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:38:10 PM:788 Infection cleaned
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:38:12 PM:808 Infections Quarantined/Removed Summary
Quarantined - 16
Quarantine Failed - 0
Removed - 17
Remove Failed - 0

7/18/2008 1:39:33 PM:653 Service Stopped
Spyware Doctor Service Application Stopped

7/18/2008 1:40:29 PM:265 Service Started
Spyware Doctor Service Application started

7/18/2008 1:40:59 PM:468 Scan Started
Scan Type - Full Scan

7/18/2008 1:42:49 PM:468 Scan Finished
Scan Type - Full Scan
Items Processed - 53510
Threats Detected - 0
Infections Detected - 0
Infections Ignored - 0

7/18/2008 1:43:55 PM:359 Scan Started
Scan Type - Full Scan

7/18/2008 1:46:22 PM:234 Infection was detected on this computer
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 1:46:52 PM:140 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe

7/18/2008 1:46:52 PM:187 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE

7/18/2008 1:46:52 PM:218 Infection was detected on this computer
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE

7/18/2008 1:49:33 PM:203 Scan Finished
Scan Type - Full Scan
Items Processed - 209356
Threats Detected - 2
Infections Detected - 4
Infections Ignored - 0

7/18/2008 2:20:01 PM:781 Infection quarantined
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 2:20:01 PM:796 Infection cleaned
Threat Name - Trojan-Downloader.MisleadApp!sd6
Type - File
Risk Level - High
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 2:20:01 PM:828 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE

7/18/2008 2:20:01 PM:843 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE

7/18/2008 2:20:01 PM:906 Infection quarantined
Threat Name - Application.NirCmd
Type - File
Risk Level - Info & PUAs
Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe

7/18/2008 2:20:01 PM:953 Infection cleaned
Threat Name - Application.NirCmd
Type - File Risk Level - Info & PUAs Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE 7/18/2008 2:20:01 PM:968 Infection cleaned Threat Name - Application.NirCmd Type - File Risk Level - Info & PUAs Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE 7/18/2008 2:20:01 PM:984 Infection cleaned Threat Name - Application.NirCmd Type - File Risk Level - Info & PUAs Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe 7/18/2008 2:20:03 PM:984 Infections Quarantined/Removed Summary Quarantined - 4 Quarantine Failed - 0 Removed - 4 Remove Failed - 0