duhast04

Everything posted by duhast04

  1. Yep, I haven't had it since I moved those files to the Vault. Does it look like there is anything suspicious in my HJT log? Around the time this all started I began experiencing really long log-in times. After typing in the password and hitting OK it has taken up to a minute or more to reach the desktop. Sometimes less, 20-30 seconds. I turned off some programs using msconfig, but that hasn't seemed to have done anything.
  2. File/Folder C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe not found. OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10092008_200211 HijackThis C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\nvsvc32.exe C:\W
  3. Just received a threat message from AVG File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP146\A0021381.exe Threat name: Trojan horse Downloader.Zlob_r.CM Detected on open. I selected Move to Vault. Edit (7:15pm) - Another threat detected by AVG File name: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP147\A0021383.exe Threat name: Trojan horse Agent.ADFJ Detected on open. Again selected Move to Vault.
  4. Hello sarahw I updated Java, ran ATF, and scanned with Kaspersky. Kaspersky didn't find anything and didn't give me a log file to copy/paste, even ran the scan twice to be sure and it didn't give a log either time.
  5. One of those fake anti-spyware programs installed itself on a PC and I want to make sure I got it all. I ran Malwarebytes Anti-Malware and it picked up the following: Malwarebytes' Anti-Malware 1.28 Database version: 1205 Windows 5.1.2600 Service Pack 3 9/25/2008 7:12:16 PM mbam-log-2008-09-25 (19-12-16).txt Scan type: Full Scan (C:\|) Objects scanned: 175625 Time elapsed: 52 minute(s), 58 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 1 Registry Data Items Infected: 3 Folders Infected: 0 Files Infected: 7 Memory Processes
  6. Awesome! Thanks for all your help these last couple weeks, Monster!
  7. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:10:55 AM, on 7/28/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\Program Files\Comm
  8. I ran the Fix as requested for Hijackthis, but the scan I did after running Kaspersky still shows those (file missing) entries. All the hits that Kaspersky found are items we have locked up in quarantine. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, July 25, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Friday, July 25, 2008 17:18:29 Records in database: 1008024 -------------------------------------
  9. I just ran OTMoveIt again, but this time I added perfs.exe to the move list. Below is a new OTMoveIt log and a new Hijackthis log: Explorer killed successfully C:\WINDOWS\system32\afinding.exe moved successfully. File/Folder C:\WINDOWS\system32\atpsck.exe not found. File/Folder C:\WINDOWS\system32\axtpsck.exe not found. File/Folder C:\WINDOWS\system32\cerwxfst.sys not found. C:\WINDOWS\system32\cexwxfst.sys moved successfully. File/Folder C:\WINDOWS\system32\mtsycod.sys not found. File/Folder C:\WINDOWS\system32\nftscpd.sys not found. File/Folder C:\WINDOWS\system32\Nobicyt.exe not found. File
  10. Update - This morning Nobicyt.exe tried to reinstall itself. AVG caught it and moved it to the vault. I checked his Task Manager and wserving.exe, afinding.exe, and routing.exe have reinstalled themselves. His AVG has also caught these programs trying to run: A0003611.exe A0003612.exe A0003613.exe Edit - The three A000361* programs have tried again to run themselves after the steps I took below.
  11. Since running the last program he has been unable to access many web pages. He can get to some, like his favorite football team, but Yahoo, Myspace, BestTechie, Google, etc., give error messages. "Page cannot be displayed" or "Invalid syntax error". Did one of these nasties screw with his browser before getting nailed by OTMoveIt? He uses the net as part of his job duties, so he's kind of stuck without full access. Edit - We got it fixed. Ran 'regsvr32 urlmon.dll' and it fixed everything. Must have gotten pointed in the wrong direction after the move this morning?
  12. Cool, I thought I was doing something wrong with that program. Here is the OTMoveIt log and a new Hijackthis log. Unless I'm overlooking something, it appears that perfs.exe is the only one left of the original baddies. Explorer killed successfully C:\WINDOWS\system32\afinding.exe moved successfully. File/Folder C:\WINDOWS\system32\atpsck.exe not found. C:\WINDOWS\system32\axtpsck.exe moved successfully. C:\WINDOWS\system32\cerwxfst.sys moved successfully. C:\WINDOWS\system32\cexwxfst.sys moved successfully. File/Folder C:\WINDOWS\system32\mtsycod.sys not found. C:\WINDOWS\system32\nftscpd.sy
  13. I'm not sure this worked right. When I ran the program it said "File Not Found" three times, rebooted, then said "File Not Found" again. Program didn't put a folder on the desktop or anywhere else that I could find. Searched for fix.bat, but it didn't appear on the computer. Tried it several times with the same results. WIN32DELFKIL LOGFILE - by Marckie version 3.131 Mon 07/21/2008 12:28:12.18 running from: "C:\Documents and Settings\smiller\Desktop" --- File(s) found in Windows directory --- --- File(s) found in system32 folder --- --- Services --- --- Export SharedTaskScheduler key --
  14. Second Kaspersky scan -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, July 18, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Friday, July 18, 2008 18:38:45 Records in database: 969432 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\
  15. After 5pm EST today I won't be able to work on his computer until Monday. So I took the liberty of running some extra scans to try and kill these things. First I tried Spyware Doctor; it claimed to have cleaned out some items, but after I ran another Kaspersky there appears to be much left on the system. I also ran Superantispyware, but it found nothing. Spyware Doctor PC Tools Spyware Doctor Date Status 7/18/2008 1:27:33 PM:440 Service Started Spyware Doctor Service Application started 7/18/2008 1:27:34 PM:128 OnGuard Detection Quarantined Threat Name - Trojan-Downloader.Delf.DDI Type
  16. -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Friday, July 18, 2008 Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Friday, July 18, 2008 12:52:01 Records in database: 968327 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: File
  17. Update - He still has something on his computer. I just went into his office to grab a paper off the printer and for 5 seconds a British woman was talking about something made in Germany.
  18. MBAM Log Malwarebytes' Anti-Malware 1.20 Database version: 954 Windows 5.1.2600 Service Pack 2 1:18:32 PM 7/15/2008 mbam-log-7-15-2008 (13-18-32).txt Scan type: Full Scan (C:\|) Objects scanned: 75669 Time elapsed: 8 minute(s), 0 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Value
  19. Hello Monster Here is the log for ComboFix and a new HijackThis log. Looks like at least one of the programs I had listed above, Nobicyt.exe, is still on the computer. I also advised him and one of his friends who uses the computer often of the warning to change their passwords and monitor their financial accounts. ComboFix 08-07-14.2 - smiller 2008-07-15 8:36:16.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1702 [GMT -4:00] Running from: C:\Documents and Settings\smiller\Desktop\ComboFix.exe * Created a new restore point . (((((((((((((((((((((((((((((((((((((((
  20. Hello, A friend of mine recently started hearing random sound clips on his PC, even when no windows were open. Ranges from commercials to BBC news reports. I did some checking and found these programs that appear to be malware/rootkits: afinding.exe axtpsck.exe Nobicyt.exe perfs.exe routing.exe wserving.exe I have run Spybot, AVG, and Sophos Anti-rootkit, but none of these programs had hits on the files I listed above. Is there one sure-fire killer program to get rid of these bugs or is it a multi-step process? I just noticed on the HJT log that axtpsck.exe doesn't appear now, but it was th