Multiple Infections CTFMon, Afisicx, Atsxyzd.sys,Noxtcyr.exe,macidwe.exe


  • This topic is locked
38 replies to this topic

#1 RobbpastorII

Posted 24 November 2008 - 07:56 AM

Hi Everyone,
Please help. I am severely infected. I have already run Ad-Aware, Spybot, HouseCall, and Stinger. Of course, none of these has helped. Initially, I could not log on to Internet Explorer at all. Now I am able to do so, but I keep getting multiple pop-up error messages. Here is my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:50 AM, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\robert\Local Settings\Temp\snapsnet\dPI191065.exe
C:\WINDOWS\system32\prunnet.exe
c:\windows\system32\dwwnw64r.exe
C:\WINDOWS\system32\ncntlsdl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\robert\Application Data\NI.GSCNS\IUpd721.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [{A3-32-2F-F7-DW}] c:\windows\system32\dwwnw64r.exe DWmmm01
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\ncntlsdl.exe DWmmm01
O4 - HKLM\..\Run: [wphhfuenfsyk] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\luqorrdtug.dll"
O4 - HKLM\..\Run: [ecca3258] rundll32.exe "C:\WINDOWS\system32\newyldcp.dll",b
O4 - HKLM\..\Run: [IUpd721] C:\Documents and Settings\robert\Application Data\NI.GSCNS\IUpd721.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKLM\..\Policies\Explorer\Run: [mininyust] C:\WINDOWS\system32\inf\svchoct.exe C:\WINDOWS\wftadfi16_080823a.dll tanlt88
O4 - HKUS\S-1-5-21-436374069-113007714-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-113007714-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-436374069-113007714-839522115-1003\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe" (User '?')
O4 - HKUS\S-1-5-21-436374069-113007714-839522115-1003\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-21-436374069-113007714-839522115-1003 Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntlsdl.exe (User '?')
O4 - S-1-5-21-436374069-113007714-839522115-1003 Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe (User '?')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntlsdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\dwwnw64r.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mmchost.dll
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094997537187
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187648681859
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://games.bellsouth.net/Gh/DeliciousWeb/zylomplayer.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/ps/en/check/qdiagh.cab?326
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
O20 - AppInit_DLLs: dbi102.dll xnevkv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Internet Service - Unknown owner - C:\WINDOWS\smss.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11512 bytes


#2 Buckeye_Sam (Malware Expert)

Posted 24 November 2008 - 05:05 PM

Hello! :thumbsup:
My name is Sam and I will be helping you.

I will do my best to communicate clearly to you so that we can resolve your issues as quickly as possible. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to fix your computer. Please communicate freely with me about how your computer is reacting and behaving as we work through this process.


Please download random's system information tool (RSIT) and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (which will be maximized) and info.txt (which will be minimized).

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 RobbpastorII (Topic Starter)

Posted 24 November 2008 - 07:08 PM

Hi Sam,
Thank you for trying to assist me.

I loaded the RSIT program and when I select "Continue" after opening it, I get a box that says "AutoIt Error" "Error: Incorrect number of parameters in function call".

Whatever I have on my computer, it doesn't allow me to run or download any programs. I have to download to my laptop and then transfer the program to my computer via a jump drive. For some reason it tries to put a .bin suffix on everything.


Robb

#4 Buckeye_Sam (Malware Expert)

Posted 24 November 2008 - 07:16 PM

Try this... rename rsit.exe to rs.com
Windows might not like it, but it should run ok.

#5 RobbpastorII (Topic Starter)

Posted 24 November 2008 - 07:20 PM

That didn't work either. I still get a pop-up box that says "AutoIt Error" "Error: Incorrect number of parameters in function call".

#6 Buckeye_Sam (Malware Expert)

Posted 24 November 2008 - 07:25 PM

Ok, let's try this.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Documents and Settings\robert\Local Settings\Temp\snapsnet\dPI191065.exe
    C:\WINDOWS\system32\prunnet.exe
    c:\windows\system32\dwwnw64r.exe
    C:\WINDOWS\system32\ncntlsdl.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\robert\Application Data\NI.GSCNS\IUpd721.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    
    :files
    C:\WINDOWS\system32\prunnet.exe
    c:\windows\system32\dwwnw64r.exe
    C:\WINDOWS\system32\ncntlsdl.exe
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

#7 RobbpastorII (Topic Starter)

Posted 24 November 2008 - 07:43 PM

:processes
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Documents and Settings\robert\Local Settings\Temp\snapsnet\dPI191065.exe
C:\WINDOWS\system32\prunnet.exe
c:\windows\system32\dwwnw64r.exe
C:\WINDOWS\system32\ncntlsdl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\robert\Application Data\NI.GSCNS\IUpd721.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

:files
C:\WINDOWS\system32\prunnet.exe
c:\windows\system32\dwwnw64r.exe
C:\WINDOWS\system32\ncntlsdl.exe

:Commands
[EmptyTemp]
[Reboot]

#8 RobbpastorII (Topic Starter)

Posted 24 November 2008 - 07:45 PM

Hang on. Let me try that again.

#9 RobbpastorII (Topic Starter)

Posted 24 November 2008 - 07:47 PM

========== PROCESSES ==========
Unable to kill process: C:\WINDOWS\Explorer.EXE
Unable to kill process: C:\Program Files\Mozilla Firefox\firefox.exe
Unable to kill process: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Unable to kill process: C:\Documents and Settings\robert\Local Settings\Temp\snapsnet\dPI191065.exe
Unable to kill process: C:\WINDOWS\system32\prunnet.exe
Unable to kill process: c:\windows\system32\dwwnw64r.exe
Unable to kill process: C:\WINDOWS\system32\ncntlsdl.exe
Unable to kill process: C:\PROGRA~1\Yahoo!\browser\ycommon.exe
Unable to kill process: C:\WINDOWS\system32\rundll32.exe
Unable to kill process: C:\Documents and Settings\robert\Application Data\NI.GSCNS\IUpd721.exe
Unable to kill process: C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
Unable to kill process: C:\Program Files\Internet Explorer\IEXPLORE.EXE
========== FILES ==========
File/Folder C:\WINDOWS\system32\prunnet.exe not found.
File/Folder c:\windows\system32\dwwnw64r.exe not found.
C:\WINDOWS\system32\ncntlsdl.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\robert\LOCALS~1\Temp\etilqs_34uxJVkCIZJenpjoCO5E scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\robert\LOCALS~1\Temp\~DFA6E2.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_420.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11242008_194105

Files moved on Reboot...
File move failed. C:\DOCUME~1\robert\LOCALS~1\Temp\etilqs_34uxJVkCIZJenpjoCO5E scheduled to be moved on reboot.
File move failed. C:\DOCUME~1\robert\LOCALS~1\Temp\~DFA6E2.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_420.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\urlclassifier3.sqlite scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\robert\Local Settings\Application Data\Mozilla\Firefox\Profiles\fyekn7z5.default\XUL.mfl scheduled to be moved on reboot.

#10 Buckeye_Sam (Malware Expert)

Posted 25 November 2008 - 02:52 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#11 RobbpastorII (Topic Starter)

Posted 25 November 2008 - 06:38 PM

SDFix: Version 1.240
Run by robert on Tue 11/25/2008 at 06:28 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File
Resetting SecurityProviders Value

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\iifgEtrO.dll - Deleted
C:\WINDOWS\system32\luqorrdtug.dll - Deleted
C:\WINDOWS\system32\tqdnwmwkfysyacv.exe - Deleted
C:\WINDOWS\system32\winpfz33.sys - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted


Could Not Remove C:\WINDOWS\system32\drivers\core.cache.dsk
Could Not Remove C:\WINDOWS\system32\msansspc.dll
Could Not Remove C:\WINDOWS\system32\TDSSoiqt.dll

Folder C:\Temp\tn3 - Removed
Folder C:\WINDOWS\system32\GP2 - Removed


Removing Temp Files

ADS Check :



Final Check :

disk not found C:\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox"
"C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"="C:\\Program Files\\Yahoo!\\browser\\ybrowser.exe:*:Enabled:Yahoo! Browser"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

C:\WINDOWS\system32\drivers\core.cache.dsk Found
C:\WINDOWS\system32\msansspc.dll Found
C:\WINDOWS\system32\TDSSoiqt.dll Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Sun 13 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Misc. Support Library (Spybot - Search & Destroy)\Tools.dll"
Thu 2 Nov 2006 782,336 A..H. --- "C:\Program Files\OpenAL\oalinst.exe"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\SDHelper (Spybot - Search & Destroy)\SDHelper.dll"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Thu 14 Aug 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Wed 30 Jul 2008 4,891,984 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 22 Sep 2004 73,728 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Mon 5 Mar 2007 5 A.SH. --- "C:\WINDOWS\system32\cdcaaddad5_g.dll"
Sat 11 Dec 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Nov 2008 7,829,056 A..H. --- "C:\Program Files\Google\Picasa3\setup.exe"
Sat 30 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 26 Feb 2005 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Sat 26 Feb 2005 12,888 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 19 Nov 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"

Finished!

#12 Buckeye_Sam (Malware Expert)

Posted 26 November 2008 - 03:03 PM

Copy this text into OTMoveIt3 and click MoveIt just like you did before.

:files
C:\WINDOWS\system32\drivers\core.cache.dsk 
C:\WINDOWS\system32\msansspc.dll 
C:\WINDOWS\system32\TDSSoiqt.dll


Please post the resulting log.


Then let's try to get some more detail.
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports, located in the same folder as OTViewIt, will open: OTViewIt.txt (will be opened) and Extra.txt (will be minimized).
Copy and Paste the logs into your next reply.

#13 RobbpastorII (Topic Starter)

Posted 26 November 2008 - 06:01 PM

========== FILES ==========
File move failed. C:\WINDOWS\system32\drivers\core.cache.dsk scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\msansspc.dll
C:\WINDOWS\system32\msansspc.dll NOT unregistered.
C:\WINDOWS\system32\msansspc.dll moved successfully.
Item C:\WINDOWS\system32\ is whitelisted and cannot be moved.

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11262008_175709

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\core.cache.dsk scheduled to be moved on reboot.

#14 RobbpastorII (Topic Starter)

Posted 26 November 2008 - 06:07 PM

When I run OTViewIt, it runs for a few seconds and then I get an error that says:

Win 32 Error. Code:1717. The interface is unknown.

#15 RobbpastorII (Topic Starter)

Posted 26 November 2008 - 06:08 PM

a

Edited by RobbpastorII, 26 November 2008 - 06:12 PM.




