duhast04

Hijackthis Log [RESOLVED]


Hello,

A friend of mine recently started hearing random sound clips on his PC, even when no windows were open. They range from commercials to BBC news reports. I did some checking and found these programs that appear to be malware/rootkits:

afinding.exe

axtpsck.exe

Nobicyt.exe

perfs.exe

routing.exe

wserving.exe

I have run Spybot, AVG, and Sophos Anti-Rootkit, but none of these programs had hits on the files I listed above. Is there one sure-fire killer program to get rid of these bugs, or is it a multi-step process? I just noticed on the HJT log that axtpsck.exe doesn't appear now, but it was there earlier. Appreciate any help.

Computer is a Dell Optiplex 330.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:36:03 PM, on 7/14/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\afinding.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\Nobicyt.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\wserving.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe

O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--

End of file - 5375 bytes


Hello and Welcome to the forums. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Looking at your system now, one or more of the identified infections is a backdoor application which can allow attackers to access your computer, stealing passwords and personal data.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Once you have finished installing the Windows Recovery Console, please continue with the rest of the tutorial at the above link.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


Hello Monster

Here is the log for ComboFix and a new HijackThis log. Looks like at least one of the programs I had listed above, Nobicyt.exe, is still on the computer. I also advised him and one of his friends who uses the computer often of the warning to change their passwords and monitor their financial accounts.

ComboFix 08-07-14.2 - smiller 2008-07-15 8:36:16.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1702 [GMT -4:00]

Running from: C:\Documents and Settings\smiller\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\afinding.exe

C:\WINDOWS\system32\andt.sys

C:\WINDOWS\system32\comsa32.sys

C:\WINDOWS\system32\Indt2.sys

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\WServing.exe

C:\WINDOWS\system32\x64

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AFINDING

-------\Legacy_PERFMONS

-------\Legacy_ROUTING

-------\Legacy_WSERVING

-------\Service_AFinding

-------\Service_perfmons

-------\Service_Routing

-------\Service_WServing

((((((((((((((((((((((((( Files Created from 2008-06-15 to 2008-07-15 )))))))))))))))))))))))))))))))

.

2008-07-14 15:28 . 2008-07-14 15:28 <DIR> d-------- C:\Program Files\Trend Micro

2008-07-14 13:32 . 2008-07-14 13:32 <DIR> d-------- C:\Program Files\Sophos

2008-07-03 09:32 . 2008-07-03 15:16 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg

2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Program Files\AVG

2008-07-03 09:32 . 2008-07-03 10:29 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\AVGTOOLBAR

2008-07-03 09:32 . 2008-07-03 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8

2008-07-03 09:32 . 2008-07-03 09:32 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-03 09:32 . 2008-07-03 09:32 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll

2008-07-03 08:43 . 2008-07-03 08:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-07-03 08:43 . 2008-07-03 09:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-06-25 08:13 . 2008-06-25 08:13 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData

2008-06-24 14:37 . 2008-06-27 13:00 <DIR> d-------- C:\MDT

2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\smiller\Application Data\CyberLink

2008-06-24 14:23 . 2008-06-24 14:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink

2008-06-20 13:41 . 2008-06-20 13:41 245,248 --------- C:\WINDOWS\system32\dllcache\mswsock.dll

2008-06-20 06:44 . 2008-06-20 06:44 138,368 --------- C:\WINDOWS\system32\dllcache\afd.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-07-14 18:59 --------- d-----w C:\Documents and Settings\smiller\Application Data\AdobeUM

2008-07-14 14:41 --------- d-----w C:\Program Files\AutoCAD R14

2008-07-07 21:03 --------- d-----w C:\Program Files\Google

2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys

2008-05-30 19:44 --------- d-----w C:\Program Files\Common Files\Adobe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-07-17 14:23 141848]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-07-17 14:23 162328]

"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-07-17 14:23 137752]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-26 20:03 178712]

"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-09-24 20:12 1036288]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2008-07-03 09:32 1177368 C:\PROGRA~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

--------- 2007-09-17 12:56 124200 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"avg8wd"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=

"C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 09:32]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 15:30]

R2 NOBICYT;NOBICYT;C:\WINDOWS\system32\Nobicyt.exe [2004-08-04 06:00]

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A3.tmp []

S4 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 09:32]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Google Desktop Search - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-15 08:39:15

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\C:\WINDOWS\system32\A3.tmp"

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\igfxsrvc.exe

.

**************************************************************************

.

Completion time: 2008-07-15 8:42:37 - machine was rebooted

ComboFix-quarantined-files.txt 2008-07-15 12:42:34

Pre-Run: 68,380,143,616 bytes free

Post-Run: 68,475,232,256 bytes free

116 --- E O F --- 2008-07-09 12:54:07

===================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:44, on 2008-07-15

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\Nobicyt.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe

--

End of file - 4900 bytes

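The triage the original poster did by hand in the two posts above (picking out O23 services listed with "Unknown owner" and an image directly in system32, then checking which of them survived ComboFix) can be scripted. The following is an added example, not code from this thread, from HijackThis or from ComboFix. Its sample input is the "Running processes" and O23 lines copied from the two HijackThis logs posted here. The triage rule itself (owner field "Unknown owner" plus an image in %SystemRoot%\system32) is an assumption chosen for this example: HijackThis prints "Unknown owner" when it cannot read a company name from the binary's version information, and legitimate tools and drivers sometimes lack that too, so the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: "Running processes" and O23 lines copied from the
# two HijackThis logs in this thread (7/14/2008 before ComboFix, 2008-07-15 after).
HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\afinding.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
C:\WINDOWS\system32\wserving.exe
C:\WINDOWS\Explorer.EXE
O23 - Service: AFinding log Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Index Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

HJT_AFTER = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\Nobicyt.exe
C:\WINDOWS\explorer.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
"""

# O23 layout: "O23 - Service: <display> (<short>) - <owner> - <image path>".
# The "(<short>)" part is absent when display and service name are identical.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)
# Assumed triage rule: the image sits directly in %SystemRoot%\system32.
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
# Bare image paths under "Running processes:" start with a drive letter.
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass(frozen=True)
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str


def parse_o23(log: str) -> List[Service]:
    """Extract every O23 service entry from a HijackThis log."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(m["display"], m["short"], m["owner"], m["path"]))
    return services


def suspicious_services(log: str) -> List[Service]:
    """Services HijackThis could not attribute to a vendor, living in system32."""
    return [s for s in parse_o23(log)
            if s.owner == "Unknown owner" and SYSTEM32_RE.match(s.path)]


def running_processes(log: str) -> Set[str]:
    """Image paths listed under 'Running processes:', lower-cased for comparison."""
    return {ln.strip().lower() for ln in log.splitlines() if PATH_RE.match(ln.strip())}


def triage(log: str) -> List[Dict[str, object]]:
    """Review list: each flagged service and whether its image is currently running."""
    running = running_processes(log)
    return [{"service": s.short or s.display, "path": s.path,
             "running": s.path.lower() in running}
            for s in suspicious_services(log)]


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Which flagged image paths disappeared between two scans, and which remain."""
    flagged_before = {s.path.lower() for s in suspicious_services(before)}
    flagged_after = {s.path.lower() for s in suspicious_services(after)}
    return {"removed": sorted(flagged_before - flagged_after),
            "remaining": sorted(flagged_after)}


if __name__ == "__main__":
    for row in triage(HJT_BEFORE):
        print(f"{row['service']:<10} running={row['running']}  {row['path']}")
    print(compare_logs(HJT_BEFORE, HJT_AFTER))
```

Run against the two logs, the before/after comparison reports four flagged images gone and Nobicyt.exe still present and still running, which is exactly what the poster noticed by eye. The vendor field is only as trustworthy as the binary's own version resource, so a service that passes this filter (a plausible company name, a path under Program Files) has not been cleared; it has merely not been selected for review by this rule.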

Hello again,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


MBAM Log

Malwarebytes' Anti-Malware 1.20

Database version: 954

Windows 5.1.2600 Service Pack 2

1:18:32 PM 7/15/2008

mbam-log-7-15-2008 (13-18-32).txt

Scan type: Full Scan (C:\|)

Objects scanned: 75669

Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Update – He still has something on his computer, I just went into his office to grab a paper off the printer and for 5 seconds a British woman was talking about something made in Germany :lol:


Hello and Welcome to the forums. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Please do an online scan with Kaspersky WebScanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • Once they are downloaded, the database will be updated.
    Please accept any ActiveX or Java notifications.
  • After the files have been updated, go to the left side of the page under the Scan section and select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, July 18, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, July 18, 2008 12:52:01

Records in database: 968327

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 40411

Threat name: 21

Infected objects: 30

Suspicious objects: 0

Duration of the scan: 00:31:46

File name / Threat name / Threats count

C:\WINDOWS\system32\afinding.exe/C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1

C:\WINDOWS\system32\Nobicyt.exe/C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1

C:\WINDOWS\system32\perfs.exe/C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1

C:\WINDOWS\system32\routing.exe/C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1

C:\WINDOWS\system32\wserving.exe/C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1

C:\WINDOWS\system32\yaxcnxd.sys/C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

C:\WINDOWS\system32\cexwxfst.sys/C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1

C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1

C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1

C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1

C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1

C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1

C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1

C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1

C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1

C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINDOWS\system32\perfs.exe Infected: Trojan.Win32.Agent.uvf 1

C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1

C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1

C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1

C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1

C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.


After 5pm EST today I won't be able to work on his computer until Monday. So I took the liberty of running some extra scans to try and kill these things. First I tried Spyware Doctor; it claimed to have cleaned out some items, but after I ran another Kaspersky there appears to be much left on the system.

I also ran Superantispyware, but it found nothing.

Spyware Doctor

PC Tools Spyware Doctor

Date Status

7/18/2008 1:27:33 PM:440 Service Started

Spyware Doctor Service Application started

7/18/2008 1:27:34 PM:128 OnGuard Detection Quarantined

Threat Name - Trojan-Downloader.Delf.DDI

Type - Process

Risk Level - Medium

Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:34 PM:206 Startup Memory Cleaner found infections

Threat Name - Trojan-Downloader.Delf.DDI

Type - Process

Risk Level - Medium

Infection - perfs.exe (C:\WINDOWS\system32\perfs.exe)

7/18/2008 1:27:53 PM:577 Scan Started

Scan Type - Full Scan

7/18/2008 1:27:56 PM:78 Infection was detected on this computer

Threat Name - Adware.Advertising

Type - Cookie

Risk Level - Low

Infection - atdmt.com/ atdmt.com

7/18/2008 1:28:01 PM:910 Infection was detected on this computer

Threat Name - Trojan-Downloader.Delf.DDI

Type - File

Risk Level - Medium

Infection - c:\windows\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:01 PM:910 Infection was detected on this computer

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:28:12 PM:948 OnGuards status

All OnGuards were Enabled

7/18/2008 1:28:14 PM:183 Immunizer Results

ActiveX section has been immunized, Processed 4124 items.

7/18/2008 1:33:50 PM:429 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:33:50 PM:737 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:34:25 PM:883 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:35:35 PM:234 Infection was detected on this computer

Threat Name - Trojan-PWS.Tanspy

Type - Registry Key

Risk Level - High

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:35:35 PM:728 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:35:35 PM:728 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:35:35 PM:743 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:35:35 PM:743 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:35:35 PM:743 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:35:35 PM:743 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:35:36 PM:175 Infection was detected on this computer

Threat Name - Trojan.Generic

Type - Registry Key

Risk Level - Medium

Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:35:40 PM:555 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - Folder

Risk Level - Info & PUAs

Infection - C:\ComboFix\

7/18/2008 1:35:40 PM:585 Scan Finished

Scan Type - Full Scan

Items Processed - 213949

Threats Detected - 5

Infections Detected - 17

Infections Ignored - 0

7/18/2008 1:38:10 PM:212 Infection cleaned

Threat Name - Adware.Advertising

Type - Cookie

Risk Level - Low

Infection - atdmt.com/ atdmt.com

7/18/2008 1:38:10 PM:399 Infection quarantined

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:399 Infection quarantined

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:414 Infection quarantined

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:477 Infection quarantined

Threat Name - Trojan-Downloader.Delf.DDI

Type - File

Risk Level - Medium

Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:508 Infection cleaned

Threat Name - Trojan-Downloader.Delf.DDI

Type - Startup

Risk Level - Medium

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\perfmons, ImagePath = C:\WINDOWS\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection cleaned

Threat Name - Trojan-Downloader.Delf.DDI

Type - File

Risk Level - Medium

Infection - c:\windows\system32\perfs.exe

7/18/2008 1:38:10 PM:539 Infection quarantined

Threat Name - Application.NirCmd

Type - Folder

Risk Level - Info & PUAs

Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:554 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:554 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:554 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:554 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:570 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:570 Infection quarantined

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:694 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:710 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:38:10 PM:725 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Folder

Risk Level - Info & PUAs

Infection - C:\ComboFix\

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CATCHME, NextInstance

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Key

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs

7/18/2008 1:38:10 PM:741 Infection cleaned

Threat Name - Application.NirCmd

Type - Registry Value

Risk Level - Info & PUAs

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow

7/18/2008 1:38:10 PM:756 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\swxcacls.exe

7/18/2008 1:38:10 PM:756 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\subs\ERDNT.EXE

7/18/2008 1:38:10 PM:756 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE

7/18/2008 1:38:10 PM:756 Infection quarantined

Threat Name - Trojan-PWS.Tanspy

Type - Registry Key

Risk Level - High

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:38:10 PM:772 Infection cleaned

Threat Name - Trojan-PWS.Tanspy

Type - Registry Key

Risk Level - High

Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load

7/18/2008 1:38:10 PM:788 Infection quarantined

Threat Name - Trojan.Generic

Type - Registry Key

Risk Level - Medium

Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:38:10 PM:788 Infection cleaned

Threat Name - Trojan.Generic

Type - Registry Key

Risk Level - Medium

Infection - HKEY_USERS\S-1-5-21-1696548339-3282243236-3790282902-1144\Software\Wget

7/18/2008 1:38:12 PM:808 Infections Quarantined/Removed Summary

Quarantined - 16

Quarantine Failed - 0

Removed - 17

Remove Failed - 0

7/18/2008 1:39:33 PM:653 Service Stopped

Spyware Doctor Service Application Stopped

7/18/2008 1:40:29 PM:265 Service Started

Spyware Doctor Service Application started

7/18/2008 1:40:59 PM:468 Scan Started

Scan Type - Full Scan

7/18/2008 1:42:49 PM:468 Scan Finished

Scan Type - Full Scan

Items Processed - 53510

Threats Detected - 0

Infections Detected - 0

Infections Ignored - 0

7/18/2008 1:43:55 PM:359 Scan Started

Scan Type - Full Scan

7/18/2008 1:46:22 PM:234 Infection was detected on this computer

Threat Name - Trojan-Downloader.MisleadApp!sd6

Type - File

Risk Level - High

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 1:46:52 PM:140 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe

7/18/2008 1:46:52 PM:187 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE

7/18/2008 1:46:52 PM:218 Infection was detected on this computer

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE

7/18/2008 1:49:33 PM:203 Scan Finished

Scan Type - Full Scan

Items Processed - 209356

Threats Detected - 2

Infections Detected - 4

Infections Ignored - 0

7/18/2008 2:20:01 PM:781 Infection quarantined

Threat Name - Trojan-Downloader.MisleadApp!sd6

Type - File

Risk Level - High

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 2:20:01 PM:796 Infection cleaned

Threat Name - Trojan-Downloader.MisleadApp!sd6

Type - File

Risk Level - High

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP38\A0002156.exe

7/18/2008 2:20:01 PM:828 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE

7/18/2008 2:20:01 PM:843 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE

7/18/2008 2:20:01 PM:906 Infection quarantined

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe

7/18/2008 2:20:01 PM:953 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003333.EXE

7/18/2008 2:20:01 PM:968 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003332.EXE

7/18/2008 2:20:01 PM:984 Infection cleaned

Threat Name - Application.NirCmd

Type - File

Risk Level - Info & PUAs

Infection - C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP56\A0003331.exe

7/18/2008 2:20:03 PM:984 Infections Quarantined/Removed Summary

Quarantined - 4

Quarantine Failed - 0

Removed - 4

Remove Failed - 0

Edited by duhast04

Second Kaspersky scan

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, July 18, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, July 18, 2008 18:38:45

Records in database: 969432

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 30250

Threat name: 20

Infected objects: 22

Suspicious objects: 0

Duration of the scan: 00:27:32

File name / Threat name / Threats count

C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1

C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1

C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1

C:\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1

C:\WINDOWS\system32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1

C:\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1

C:\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1

C:\WINDOWS\system32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1

C:\WINDOWS\system32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1

C:\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1

C:\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

C:\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1

C:\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1

C:\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.

Hello again,

Download win32delfkil.exe.

Save it on your desktop, and close all windows.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.

I'm not sure this worked right. When I ran the program it said "File Not Found" three times, rebooted, then said "File Not Found" again. Program didn't put a folder on the desktop or anywhere else that I could find. Searched for fix.bat, but it didn't appear on the computer. Tried it several times with the same results.

WIN32DELFKIL LOGFILE - by Marckie

version 3.131

Mon 07/21/2008 12:28:12.18

running from: "C:\Documents and Settings\smiller\Desktop"

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

--- rebooting the computer ---

--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

--- Notify key ---

Finished!

--------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:30:13 PM, on 7/21/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\afinding.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\Nobicyt.exe

C:\WINDOWS\system32\perfs.exe

C:\WINDOWS\system32\routing.exe

C:\WINDOWS\system32\wserving.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe

--

End of file - 5495 bytes

Edited by duhast04

Hello again,

The program ran fine, so please follow my instructions below.

Please download the OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    [kill explorer]
    C:\WINDOWS\system32\afinding.exe
    C:\WINDOWS\system32\atpsck.exe
    C:\WINDOWS\system32\axtpsck.exe
    C:\WINDOWS\system32\cerwxfst.sys
    C:\WINDOWS\system32\cexwxfst.sys
    C:\WINDOWS\system32\mtsycod.sys
    C:\WINDOWS\system32\nftscpd.sys
    C:\WINDOWS\system32\Nobicyt.exe
    C:\WINDOWS\system32\ntscpd.sys
    C:\WINDOWS\system32\nxtscpd.sys
    C:\WINDOWS\system32\routing.exe
    C:\WINDOWS\system32\stsycod.sys
    C:\WINDOWS\system32\swand.sys
    C:\WINDOWS\system32\sxwand.sys
    C:\WINDOWS\system32\wserving.exe
    C:\WINDOWS\system32\xfst.sys
    C:\WINDOWS\system32\yaxcnxd.sys
    EmptyTemp
    [start explorer]


  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Cool, I thought I was doing something wrong with that program.

Here is the OTMoveIt log and a new HijackThis log. Unless I'm overlooking something, it appears that perfs.exe is the only one left of the original baddies.

Explorer killed successfully

C:\WINDOWS\system32\afinding.exe moved successfully.

File/Folder C:\WINDOWS\system32\atpsck.exe not found.

C:\WINDOWS\system32\axtpsck.exe moved successfully.

C:\WINDOWS\system32\cerwxfst.sys moved successfully.

C:\WINDOWS\system32\cexwxfst.sys moved successfully.

File/Folder C:\WINDOWS\system32\mtsycod.sys not found.

C:\WINDOWS\system32\nftscpd.sys moved successfully.

C:\WINDOWS\system32\Nobicyt.exe moved successfully.

File/Folder C:\WINDOWS\system32\ntscpd.sys not found.

C:\WINDOWS\system32\nxtscpd.sys moved successfully.

C:\WINDOWS\system32\routing.exe moved successfully.

C:\WINDOWS\system32\stsycod.sys moved successfully.

C:\WINDOWS\system32\swand.sys moved successfully.

C:\WINDOWS\system32\sxwand.sys moved successfully.

C:\WINDOWS\system32\wserving.exe moved successfully.

C:\WINDOWS\system32\xfst.sys moved successfully.

C:\WINDOWS\system32\yaxcnxd.sys moved successfully.

< EmptyTemp >

File delete failed. C:\WINDOWS\temp\mta118048.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta118183.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta58094.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta58952.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta78409.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mtaw65509.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\~DF59EB.tmp scheduled to be deleted on reboot.

Temp folders emptied.

IE temp folders emptied.

Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07222008_083004

Files moved on Reboot...

C:\WINDOWS\temp\mta118048.dll unregistered successfully.

C:\WINDOWS\temp\mta118048.dll moved successfully.

File C:\WINDOWS\temp\mta118183.dll not found!

C:\WINDOWS\temp\mta58094.dll unregistered successfully.

C:\WINDOWS\temp\mta58094.dll moved successfully.

C:\WINDOWS\temp\mta58952.dll unregistered successfully.

C:\WINDOWS\temp\mta58952.dll moved successfully.

C:\WINDOWS\temp\mta78409.dll unregistered successfully.

C:\WINDOWS\temp\mta78409.dll moved successfully.

C:\WINDOWS\temp\mtaw65509.dll unregistered successfully.

C:\WINDOWS\temp\mtaw65509.dll moved successfully.

File C:\WINDOWS\temp\~DF59EB.tmp not found!

----------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:35:40 AM, on 7/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\perfs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\AVG\AVG8\avgupd.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--

End of file - 5419 bytes

Edited by duhast04

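Added example, not from the thread and not part of HijackThis or OTMoveIt: a small Python triage of the O23 service entries in the 7/21 and 7/22 HijackThis logs above. It reports which unattributed system32 services still have a binary on disk and which are left registered with the file missing, the check the poster does by eye. The two log excerpts are copied from the posted logs; the "suspicious service" heuristic and all function names are my own.

```python
"""Triage HijackThis O23 (service) entries across a before/after log pair.

Added example for this thread; not part of HijackThis, OTMoveIt or any
poster's tooling.  BEFORE_LOG / AFTER_LOG are excerpts of the 7/21 and
7/22 HijackThis logs posted above; everything else here is constructed.
"""
import re
import ntpath
from dataclasses import dataclass

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Excerpt of the 7/21 log (binaries present).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe
"""

# Excerpt of the 7/22 log, after OTMoveIt moved the files.
AFTER_LOG = r"""
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)
"""


@dataclass(frozen=True)
class Service:
    name: str           # short service name when HJT prints one, else the display name
    owner: str          # vendor string; "Unknown owner" when HJT could not attribute the file
    path: str           # ImagePath as printed by HJT
    file_missing: bool  # True when HJT appended "(file missing)"


def parse_services(log_text: str) -> list[Service]:
    """Return every O23 line of a HijackThis log as a Service; other lines are skipped."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            services.append(Service(
                name=m["short"] or m["display"],
                owner=m["owner"],
                path=m["path"],
                file_missing=m["missing"] is not None,
            ))
    return services


def is_suspicious(svc: Service) -> bool:
    """Heuristic (mine): an unattributed service binary dropped straight into
    system32 is what the thread is chasing.  Vendor-attributed services pass."""
    return svc.owner == "Unknown owner" and svc.path.lower().startswith("c:\\windows\\system32\\")


def triage(before_log: str, after_log: str) -> dict:
    """Compare suspicious services between two logs.

    still_running: binary still on disk after cleanup (nothing changed for it).
    orphaned:      service still registered but its file is gone; moving the
                   file did not remove the registration in the Services key.
    gone:          suspicious before, no longer registered after.
    """
    before = {s.name: s for s in parse_services(before_log) if is_suspicious(s)}
    after = {s.name: s for s in parse_services(after_log) if is_suspicious(s)}
    return {
        "still_running": sorted(ntpath.basename(s.path) for s in after.values() if not s.file_missing),
        "orphaned": sorted(n for n, s in after.items() if s.file_missing),
        "gone": sorted(set(before) - set(after)),
    }


if __name__ == "__main__":
    for key, value in triage(BEFORE_LOG, AFTER_LOG).items():
        print(f"{key}: {value}")
```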

Since running the last program he has been unable to access many web pages. He can get to some, like his favorite football team, but Yahoo, Myspace, BestTechie, Google, etc., give error messages: "Page cannot be displayed" or "Invalid syntax error".

Did one of these nasties screw with his browser before getting nailed by OTMoveIt? He uses the net as part of his job duties, so he's kind of stuck without full access.

Edit - We got it fixed. Ran 'regsvr32 urlmon.dll' and it fixed everything. Must have gotten pointed in the wrong direction after the move this morning?

Edited by duhast04

Update - This morning Nobicyt.exe tried to reinstall itself. AVG caught it and moved it to the vault. I checked his Task Manager and wserving.exe, afinding.exe, and routing.exe have reinstalled themselves.

His AVG has also caught these programs trying to run:

A0003611.exe

A0003612.exe

A0003613.exe

Edit - The three A000361* programs have tried again to run themselves after the steps I took below.

Edited by duhast04

I just ran OTMoveIt again, but this time I added perfs.exe to the move list. Below is a new OTMoveIt log and a new HijackThis log.

Explorer killed successfully

C:\WINDOWS\system32\afinding.exe moved successfully.

File/Folder C:\WINDOWS\system32\atpsck.exe not found.

File/Folder C:\WINDOWS\system32\axtpsck.exe not found.

File/Folder C:\WINDOWS\system32\cerwxfst.sys not found.

C:\WINDOWS\system32\cexwxfst.sys moved successfully.

File/Folder C:\WINDOWS\system32\mtsycod.sys not found.

File/Folder C:\WINDOWS\system32\nftscpd.sys not found.

File/Folder C:\WINDOWS\system32\Nobicyt.exe not found.

File/Folder C:\WINDOWS\system32\ntscpd.sys not found.

File/Folder C:\WINDOWS\system32\nxtscpd.sys not found.

C:\WINDOWS\system32\perfs.exe moved successfully.

C:\WINDOWS\system32\routing.exe moved successfully.

C:\WINDOWS\system32\stsycod.sys moved successfully.

File/Folder C:\WINDOWS\system32\swand.sys not found.

File/Folder C:\WINDOWS\system32\sxwand.sys not found.

C:\WINDOWS\system32\wserving.exe moved successfully.

File/Folder C:\WINDOWS\system32\xfst.sys not found.

C:\WINDOWS\system32\yaxcnxd.sys moved successfully.

< EmptyTemp >

File delete failed. C:\WINDOWS\temp\mta23609.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta44437.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta44769.dll scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mta84210.dll scheduled to be deleted on reboot.

Temp folders emptied.

IE temp folders emptied.

Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07232008_112518

Files moved on Reboot...

C:\WINDOWS\temp\mta23609.dll unregistered successfully.

C:\WINDOWS\temp\mta23609.dll moved successfully.

C:\WINDOWS\temp\mta44437.dll unregistered successfully.

C:\WINDOWS\temp\mta44437.dll moved successfully.

C:\WINDOWS\temp\mta44769.dll unregistered successfully.

C:\WINDOWS\temp\mta44769.dll moved successfully.

C:\WINDOWS\temp\mta84210.dll unregistered successfully.

C:\WINDOWS\temp\mta84210.dll moved successfully.

-------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:45 AM, on 7/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\notepad.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--

End of file - 5429 bytes

Hello again,

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)

O23 - Service: NOBICYT - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

Step 2

Please do an online scan with Kaspersky WebScanner.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • Once they are downloaded, the database will be updated.
  • Please accept any ActiveX or Java notifications.
  • After the files have been updated, go to the left side of the page under the Scan section and select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

I ran the Fix as requested for Hijackthis, but the scan I did after running Kaspersky still shows those (file missing) entries. All the hits that Kaspersky found are items we have locked up in quarantine.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, July 25, 2008

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, July 25, 2008 17:18:29

Records in database: 1008024

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 37677

Threat name: 18

Infected objects: 19

Suspicious objects: 0

Duration of the scan: 00:38:00

File name / Threat name / Threats count

C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqy 1

C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan.Win32.DNSChanger.ewi 1

C:\QooBox\Quarantine\C\WINDOWS\system32\Indt2.sys.vir Infected: Trojan-Clicker.Win32.VB.bdq 1

C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir Infected: Trojan.Win32.Agent.tjk 1

C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir Infected: Trojan-Downloader.Win32.Delf.jqv 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kip 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cerwxfst.sys Infected: Trojan-Clicker.Win32.VB.bed 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bgc 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.jqz 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\routing.exe Infected: Trojan.Win32.Agent.uws 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\stsycod.sys Infected: Trojan.Win32.Delf.djd 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.kiq 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\xfst.sys Infected: Trojan-Clicker.Win32.VB.bae 1

C:\_OTMoveIt\MovedFiles7222008_083004\WINDOWS\system32\yaxcnxd.sys Infected: Trojan.Win32.DNSChanger.fgv 1

The selected area was scanned.

-------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:53:03 PM, on 7/25/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exe (file missing)

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)

O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe (file missing)

--

End of file - 5359 bytes

Edited by duhast04

Hello again,

Please copy (Ctrl C) and paste (Ctrl V) the following text in the code box to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
sc stop AFinding
sc delete AFinding
sc stop NOBICYT
sc delete NOBICYT
sc stop perfmons
sc delete perfmons
sc stop Routing
sc delete Routing
sc stop WServing
sc delete WServing
DEL fixservices.bat

Double click fixservices.bat. A window will open and close. This is normal.

Now post a fresh HJT log please.
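As an added example (not the helper's script and not from this thread), here is a PowerShell check that lists every registered service whose configured binary no longer exists on disk. Those are exactly the entries HijackThis shows as "O23 - Service: ... (file missing)"; the script only reports them, and it assumes PowerShell is installed with read access to HKLM\SYSTEM.

```powershell
# Added example, not part of the original thread: find services whose ImagePath
# points at a file that is no longer present. Such orphaned entries are what
# HijackThis lists as "(file missing)"; they are inert on their own but show that
# the malware's persistence is still registered and should be removed
# (the helper's FixServices.bat does that with "sc delete <name>").
# Assumption: Windows with PowerShell and read access to the Services key.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceBinaryPath {
    param([string]$ImagePath)

    # Expand %SystemRoot%-style variables first.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()

    # Driver entries use NT-style prefixes: \SystemRoot\... or \??\C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''

    if ($p.StartsWith('"')) {
        # Quoted path: the binary is whatever sits between the quotes.
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    }
    elseif ($p -match '^(.*?\.(exe|sys|dll))(\s|$)') {
        # Unquoted path with arguments (e.g. svchost.exe -k netsvcs): keep the binary only.
        $p = $Matches[1]
    }

    # Relative paths such as system32\drivers\foo.sys are relative to the Windows folder.
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$orphans = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath
    # Entries without an ImagePath (some legacy/pseudo services) cannot be checked.
    if (-not $props.ImagePath) { continue }

    $bin = Get-ServiceBinaryPath $props.ImagePath
    if (-not (Test-Path -LiteralPath $bin)) {
        [PSCustomObject]@{
            Service   = $svc.PSChildName      # the name you would pass to "sc delete"
            Display   = $props.DisplayName
            ImagePath = $props.ImagePath
            Resolved  = $bin
        }
    }
}

if ($orphans) {
    $orphans | Format-Table -AutoSize
} else {
    'No services with a missing binary were found.'
}
```

Compare the Service column against the O23 lines in the HijackThis log; a name that appears in both is an orphaned service entry rather than a running program.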

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:10:55 AM, on 7/28/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080503

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = klinge.local

O17 - HKLM\Software\..\Telephony: DomainName = klinge.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = klinge.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

--

End of file - 4847 bytes

Nice job, your log looks clean!

Please use the following suggestions to help prevent reinfection.

Time for some housekeeping

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:

  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

Malwarebytes' Anti-Malware - A very powerful tool which searches and kills malware that infects your system.

**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

**Tutorial on installing & using this product can be found HERE**

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

**Tutorial on installing & using this product can be found HERE**

ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle

Firewall - A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.

**Tutorial on Firewalls can be found HERE**

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like SpywareBlaster and IE-Spyads do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.

Finally, I strongly recommend reading How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
