Trojan Downloader.win32 Detected Nobicyt.exe

#1 jasonTHX

Posted 02 August 2008 - 11:50 AM

Hello again, I have a Dell PC with Windows 2000 Pro SP4 that is infected. Weird sounds, music and voices out of nowhere. They last only a couple of seconds at irregular intervals. Some program errors. I ran Ad-Aware and the Norton online scan to verify the infection. I have CA eTrust running, but it is an old trial version that doesn't work too well. Help please.

Thanks in advance,

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-08-02 12:26:36
Computer is in Normal Mode.

Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-02 12:27:59
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\eTrust Antivirus\inoweb.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\Tools\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.password.dealerconnection.com/l...ion.com/portal/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: PrintTemplateViewerCab () - http://salespoint.dealerconnection.com/Com...plateViewer.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1188418856109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_07) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/...p/TLIEFlash.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7910.3275115741
O16 - DPF: {A440BD76-CFE1-4D46-AB1F-15F238437A3D} (EncryptedData Class) - http://salespoint.dealerconnection.com/Com...oldsCapicom.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.com/Com...GridControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ddslive.webex.com/client/T23L/webex/ieatgpc.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{47610624-AD26-41B6-839D-BF355FDA3D12}: NameServer =,
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AcuConnect 7.2.0 on the default port (5632) (AcuConnect) - Acucorp, Inc. - C:\Acucorp\Acucbl720\AcuGT\bin\acurcl.exe
O23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINNT\SYSTEM32\afinding.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\AWHOST32.EXE
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\SYSTEM32\dmadmin.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus Admin Server (InoNmSrv) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoNmSrv.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: eTrust Antivirus Web Access Server (Inoweb) - Unknown owner - C:\Program Files\CA\eTrust Antivirus\inoweb.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\SYSTEM32\NMSSvc.Exe
O23 - Service: NOBICYT Service (NOBICYT) - Unknown owner - C:\WINNT\SYSTEM32\Nobicyt.exe
O23 - Service: perfmons - Unknown owner - C:\WINNT\SYSTEM32\perfs.exe
O23 - Service: Remote Shell Daemon - Denicomp Systems - C:\WRSHDNT\WRSHDNT.EXE
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINNT\SYSTEM32\routing.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: WServing Service (WServing) - Unknown owner - C:\WINNT\SYSTEM32\wserving.exe

End of file - 9076 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Gernuwa - c:\winnt\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
R0 INO_FLPY - c:\winnt\system32\drivers\ino_flpy.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 7.X/6.X/4.X>
R1 AW_HOST - c:\winnt\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 awlegacy - c:\winnt\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 omci (OMCI WDM Device Driver) - c:\winnt\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 INO_FLTR - c:\winnt\system32\drivers\ino_fltr.sys <Not Verified; Computer Associates; CA eTrust eTrust Antivirus/InoculateIT version 6.0>
R2 NetAlrt - c:\winnt\system32\drivers\netalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>
R2 PlatAlrt - c:\winnt\system32\drivers\platalrt.sys <Not Verified; Intel Corporation; Intel Alert on LAN® 2>

S3 CO_Mon - c:\winnt\system32\drivers\co_mon.sys
S3 DCamUSBDXGTech (Dual-Mode DSC (Video Camera)) - c:\winnt\system32\drivers\gt891x1.sys <Not Verified; Grandtech Semiconductor Corp.; Grandtech GT891x DualMode DSC Driver>
S3 GT890x (Dual-Mode DSC (Still Camera)) - c:\winnt\system32\drivers\gt890x.sys <Not Verified; Grandtech Semiconductor Corp.; Grandtech USB Camera/Scanner Controller>
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\winnt\system32\drivers\nmscfg.sys <Not Verified; Intel Corporation; Intel® NMSCFG Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AFinding (AFinding Service) - c:\winnt\system32\afinding.exe
R2 ASFAgent (ASF Agent) - c:\program files\intel\asf agent\asfagent.exe <Not Verified; Intel Corporation; Intel® PRO Alerting Suite ASF 1.0 Compatible>
R2 Iap - c:\program files\dell\openmanage\client\iap.exe <Not Verified; Dell Computer Corporation; OpenManage Client Instrumentation>
R2 LogWatch (Event Log Watch) - c:\program files\ca\sharedcomponents\ca_lic\logwatnt.exe <Not Verified; Computer Associates; Computer Associates LogWatNT>
R2 NOBICYT (NOBICYT Service) - c:\winnt\system32\nobicyt.exe
R2 perfmons - c:\winnt\system32\perfs.exe
R2 Remote Shell Daemon - c:\wrshdnt\wrshdnt.exe <Not Verified; Denicomp Systems; Winsock RSHD/NT>
R2 Routing (Routing Service) - c:\winnt\system32\routing.exe
R2 WServing (WServing Service) - c:\winnt\system32\wserving.exe

S2 AcuConnect (AcuConnect 7.2.0 on the default port (5632)) - c:\acucorp\acucbl720\acugt\bin\acurcl.exe -startservice <Not Verified; Acucorp, Inc.; AcuRCL>
S2 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>
S3 CA_LIC_CLNT (CA License Client) - c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe <Not Verified; Computer Associates; Computer Associates lic98rmt>
S3 CA_LIC_SRVR (CA License Server) - c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe <Not Verified; Computer Associates; Computer Associates lic98rmtd>
S3 NMSSvc (Intel® NMS) - c:\winnt\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-08-02 00:00:00 316 --a------ C:\WINNT\Tasks\killapp.job
2003-03-12 14:24:57 428 --a------ C:\WINNT\Tasks\Symantec NetDetect.job

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------

2008-08-02 10:05:37 0 d-------- C:\WINNT\Sun
2008-08-02 10:05:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-08-02 10:03:21 0 d-------- C:\Program Files\Java
2008-08-02 10:03:02 0 d-------- C:\Program Files\Common Files\Java
2008-08-02 08:17:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-02 08:17:21 0 d-------- C:\Program Files\Spyware Doctor
2008-08-02 08:17:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-08-01 17:04:33 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_584.dat
2008-08-01 17:01:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-01 17:01:21 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 10:16:27 0 d-------- C:\Acucorp
2008-07-23 16:46:02 0 d-------- C:\Acu
2008-07-20 14:02:14 1007212 ---h----- C:\WINNT\ShellIconCache
2008-07-12 20:41:15 0 d-------- C:\Documents and Settings\Default User\Application Data\AdobeUM
2008-07-02 15:50:42 0 d-------- C:\Program Files\Coupons

-- Find3M Report ---------------------------------------------------------------

2008-08-01 17:02:20 0 d-------- C:\Program Files\Lavasoft
2008-08-01 17:02:19 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-08-01 17:01:21 0 d-a------ C:\Program Files\Common Files
2008-08-01 16:55:29 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-07-23 14:19:10 0 d-------- C:\Program Files\Dubuque Data Services
2008-07-23 14:14:12 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-24 23:00:56 306688 --a------ C:\WINNT\system32\andt.sys

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\SYSTEM32\mobsync.exe]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [06/22/05 12:48a]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [06/22/05 12:44a]
"POINTER"="point32.exe" []
"DVDSentry"="C:\WINNT\System32\DSentry.exe" [08/14/02 08:22p]
"Realtime Monitor"="C:\PROGRA~1\CA\ETRUST~1\realmon.exe" [02/13/03 10:25a]
"BO1HelperStartUp"="C:\PROGRA~1\BUTTER~1\BO1HEL~1.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/12/06 03:58p]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/07/05 12:46a]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [08/09/04 07:03a]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [08/09/04 07:03a]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/08 04:27a]

"Internat.exe"="internat.exe" [05/08/01 08:00a C:\WINNT\SYSTEM32\INTERNAT.EXE]

"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 4:05:56 PM]
Printkey2000.lnk - C:\Program Files\PrintKey2000\Printkey2000.exe [2/4/2007 1:30:19 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 02/15/02 11:51a 24638 C:\WINNT\SYSTEM32\PCANotify.dll






[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12

-- End of Deckard's System Scanner: finished at 2008-08-02 12:28:51 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 765.99 MiB / 562.81 MiB
Pagefile Memory (total/avail): 1106.11 MiB / 842.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1948.13 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.61 GiB total, 13.56 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320011A - 18.65 GiB - 2 partitions
\PARTITION0 - Unknown - 31.35 MiB
\PARTITION1 (bootable) - Installable File System - 18.61 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
HOMEPATH=\Documents and Settings\Administrator
Path=C:\Program Files\Internet Explorer;;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
ProgramFiles=C:\Program Files
USERPROFILE=C:\Documents and Settings\Administrator

-- User Profiles ---------------------------------------------------------------

fiuser (admin)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

123 Free Solitaire --> C:\PROGRA~1\123FRE~1\UNWISE.EXE C:\PROGRA~1\123FRE~1\INSTALL.LOG
32 Bit HP BiDi Channel Components Installer --> MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
AcuCobolSetupAndDeploymentComp --> MsiExec.exe /I{B4678488-DC19-44FF-B8CA-673F9FECDBBD}
Acucorp v7.2.0 --> C:\WINNT\uninst.exe -fC:\Acucorp\Acucbl720\DeIsL1.isu -c"C:\Acucorp\Acucbl720\uninst.dll
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ArcSoft PhotoImpression --> C:\WINNT\IsUninst.exe -f"C:\Program Files\ArcSoft\PhotoImpression\Uninst.isu"
CA eTrust Antivirus --> C:\WINNT\IsUninst.exe -f"C:\Program Files\CA\eTrust Antivirus\Uninst.isu" -c"C:\Program Files\CA\eTrust Antivirus\InoSetup.dll"
Cash Receipts --> MsiExec.exe /I{11B88B68-FF85-400B-8FCB-D27064A69D63}
Coupon Printer for Windows --> "C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
CRViewer10.0.0.1 --> MsiExec.exe /I{A5C5EB26-CA62-413B-8915-95A20CCAEC69}
Data Collection Module --> C:\Program Files\InstallShield Installation Information\{8EF6BC7D-AFCE-4C1E-86A8-87871E04BFD9}\setup.exe -runfromtemp -l0x0009 -removeonly
DDSApps --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{995F5FDF-2EEF-47C9-ABC3-C613207BA472}
DiMAGE Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\Setup.exe" -l0x9 anything
DVDSentry --> MsiExec.exe /I{98DF85D9-96C0-4F57-A92E-C3539477EF5E}
FreeZip --> rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\freezip.inf,Uninstall
GameShark DS Gamesaves --> "C:\Fire International\GamesharkDS\uninstall.exe"
ICE.TCP Pro --> C:\WINNT\IsUninst.exe -f"C:\Program Files\J River\ICETCP5\Uninst.isu"
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINNT\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
Intel® PROSet II --> MsiExec.exe /I{01A4AEDE-F219-49A2-B855-16A016EAF9A4}
Intel® Pro Alerting Agent, Version 3.0.0 --> MsiExec.exe /I{6797B492-3814-4129-AD07-C727D23FB5BF}
Intel® PRO Network Adapters WMI Provider (2.0) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C701994-43D2-4B7B-A548-C6E6C224D9A9}\setup.exe"
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
KONICA_MINOLTA DiMAGE remote camera driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{99E67091-D392-4031-AD2A-E9547F3615F8}\setup.exe" -l0x9
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework (English) --> MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework (English) v1.0.3705 --> C:\WINNT\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework 1.0 Hotfix (KB928367) --> "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB928366) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft IntelliPoint --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ABEA93FA-8D65-11D2-98AB-00C04F79C5D1}\setup.exe" Uninstall
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Live Meeting 2005 --> MsiExec.exe /I{7228CB73-80E9-48D3-A7FD-C2A242686AB3}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
OMCI --> MsiExec.exe /X{73F1BDB7-11E1-11D5-9DC6-00C04F2FC33B}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\system32\QuickTime\Uninstall.log
RealArcade --> C:\Program Files\Real\RealArcade\Update\rnuninst.exe RealNetworks|RealArcade|1.2
Scheduler --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{A29F5ABA-CDB7-44BA-9DB1-5DCBE7889949}
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
Shockwave --> C:\WINNT\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\SYSTEM32\Macromed\SHOCKW~1\Install.log
Snapshot --> MsiExec.exe /I{F35BEDD2-E4B3-4C81-8CEE-14BAE4C40BC6}
Spyware Doctor 6.0 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Symantec pcAnywhere --> MsiExec.exe /I{C05E8183-866A-11D3-97DF-0000F8D8F2E9}
User's Guides --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
ViviCam 30 and 40 and 50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F05EA6DF-F2E9-4D13-8686-C365FF2B5073}\Setup.exe"
VX2 Cleaner plug-in for Ad-Aware SE --> C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\VX2CLE~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\Plugins\VX2CLE~1\INSTALL.LOG
WebEx --> C:\WINNT\DOWNLO~1\atcliun.exe
WildTangent Web Driver --> C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Winsock RSHD/NT by Denicomp Systems --> C:\WRSHDNT\WRSHDUN.EXE

-- Application Event Log -------------------------------------------------------

Event Record #/Type20809 / Error
Event Submitted/Written: 08/02/2008 00:12:46 PM
Event ID/Source: 5000 / CA_LIC
Event Description:
'Computer Associates Licensing -3EA1 - License Failure. Please run the appropriate license program to properly license your product. LRF=3EA1, 000874ecebb3, DESKTOP, PC12, 1'

Event Record #/Type20805 / Error
Event Submitted/Written: 08/02/2008 11:49:38 AM
Event ID/Source: 5000 / CA_LIC
Event Description:
'Computer Associates Licensing -3EA1 - License Failure. Please run the appropriate license program to properly license your product. LRF=3EA1, 000874ecebb3, DESKTOP, PC12, 1'

Event Record #/Type20800 / Error
Event Submitted/Written: 08/02/2008 10:09:38 AM
Event ID/Source: 5000 / CA_LIC
Event Description:
'Computer Associates Licensing -3EA1 - License Failure. Please run the appropriate license program to properly license your product. LRF=3EA1, 000874ecebb3, DESKTOP, PC12, 1'

Event Record #/Type20760 / Error
Event Submitted/Written: 08/01/2008 04:53:15 PM
Event ID/Source: 5000 / CA_LIC
Event Description:
'Computer Associates Licensing -3EA1 - License Failure. Please run the appropriate license program to properly license your product. LRF=3EA1, 000874ecebb3, DESKTOP, PC12, 1'

Event Record #/Type20739 / Warning
Event Submitted/Written: 08/01/2008 07:29:47 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type2603 / Error
Event Submitted/Written: 08/02/2008 00:13:33 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Record #/Type2600 / Error
Event Submitted/Written: 08/02/2008 00:11:50 PM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The AcuConnect 7.2.0 on the default port (5632) service terminated with service-specific error 2.

Event Record #/Type2596 / Error
Event Submitted/Written: 08/02/2008 11:48:43 AM
Event ID/Source: 7024 / Service Control Manager
Event Description:
The AcuConnect 7.2.0 on the default port (5632) service terminated with service-specific error 2.

Event Record #/Type2594 / Error
Event Submitted/Written: 08/02/2008 11:47:17 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

Event Record #/Type2593 / Error
Event Submitted/Written: 08/02/2008 11:45:10 AM
Event ID/Source: 10010 / DCOM
Event Description:
The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.

-- End of Deckard's System Scanner: finished at 2008-08-02 12:28:51 ------------

Saturday, August 2, 2008
Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
Kaspersky Online Scanner 7 version:
Program database last update: Saturday, August 02, 2008 15:11:57
Records in database: 1044906

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Program Files

Scan statistics
Files scanned 24555
Threat name 17
Infected objects 23
Suspicious objects 0
Duration of the scan 00:32:58

File name Threat name Threats count
C:\WINNT\system32\afinding.exe/C:\WINNT\system32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kxr 1

C:\WINNT\system32\Nobicyt.exe/C:\WINNT\system32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.lda 1

C:\WINNT\system32\routing.exe/C:\WINNT\system32\routing.exe Infected: Trojan.Win32.Agent.wib 1

C:\WINNT\system32\wserving.exe/C:\WINNT\system32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.ldb 1

C:\WINNT\SYSTEM32\afinding.exe Infected: Trojan-Downloader.Win32.Delf.kxr 1

C:\WINNT\SYSTEM32\andt.sys Infected: Trojan.Win32.DNSChanger.ewi 1

C:\WINNT\SYSTEM32\atpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.ai 1

C:\WINNT\SYSTEM32\axtpsck.exe Infected: not-a-virus:AdWare.Win32.AlexaBar.aj 1

C:\WINNT\SYSTEM32\ceswxfst.sys Infected: Trojan-Clicker.Win32.VB.bjp 1

C:\WINNT\SYSTEM32\cexwxfst.sys Infected: Trojan-Clicker.Win32.VB.bft 1

C:\WINNT\SYSTEM32\mtsycod.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\nftscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINNT\SYSTEM32\Nobicyt.exe Infected: Trojan-Downloader.Win32.Delf.lda 1

C:\WINNT\SYSTEM32\ntscpd.sys Infected: Trojan.Win32.Delf.daj 1

C:\WINNT\SYSTEM32\nxtscpd.sys Infected: Trojan.Win32.Delf.dbc 1

C:\WINNT\SYSTEM32\otaxyzd.sys Infected: Trojan.Win32.DNSChanger.fzq 1

C:\WINNT\SYSTEM32\routing.exe Infected: Trojan.Win32.Agent.wib 1

C:\WINNT\SYSTEM32\stsycod.sys Infected: Trojan.Win32.Delf.djl 1

C:\WINNT\SYSTEM32\swand.sys Infected: Trojan.Win32.DNSChanger.ews 1

C:\WINNT\SYSTEM32\sxtsyctd.sys Infected: Trojan.Win32.Delf.dsu 1

C:\WINNT\SYSTEM32\sxwand.sys Infected: Trojan.Win32.DNSChanger.ffj 1

C:\WINNT\SYSTEM32\wserving.exe Infected: Trojan-Downloader.Win32.Delf.ldb 1

C:\WINNT\SYSTEM32\xwxfst.sys Infected: Trojan-Clicker.Win32.VB.bbn 1

The selected area was scanned.

Posted 10 August 2008 - 11:28 PM

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using it.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

If you already performed the steps above, we still need to see the current state of the machine; a fresh scan and logs are still necessary.

  • Click on Start, then click on Run.
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open the DSS configuration.
  • Click on Check All.
  • Click Scan.
  • DSS will now run again. When finished, please post back both logs that open in Notepad: main.txt and extra.txt.

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post back with the DSS reports (main.txt and extra.txt) and the Kaspersky report.

Posted 21 August 2008 - 04:28 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup: