This thing is really starting to piss me off... It'll start up some .sys file (changes almost every time I see it) and start playing me some COMMERCIALS or some ads or something. This is a shared computer in my office, so I don't know who/what/when/etc. happened. One thing I do know though... this thing has created a user account in Windows with administrative access... I've deleted it, changed its password, changed its rights... just keeps coming back. User name is IUser_Admin. Someone please help. Thanks!
Oh, here's the hijackthis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:39 AM, on 9/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\system32\afisicx.exe
C:\Documents and Settings\oper\.cisco_mds9000\bin\Wrapper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Java\jre1.5.0\bin\javaw.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\macidwe.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tdxdowkc.exe
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\BO1A3B.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Atomic Clock Sync\Atomic.exe
C:\Novell\Messenger\NMCL32.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\STCHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\SHOREL~1\SHOREW~1\CSISCMGR.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 75.125.165.202 axexe.com
O2 - BHO: ADOBE PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
O4 - HKCU\..\Run: [ShoreTel Personal Call Manager] C:\Program Files\Shoreline Communications\ShoreWare Client\StartCli.exe
O4 - HKCU\..\Run: [Novell Messenger] "C:\Novell\Messenger\NMCL32.exe"
O4 - HKCU\..\Run: [Fomiu] C:\WINDOWS\system32\??mantec\l?gonui.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: taskmgr.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra 'Tools' menuitem: Novell Messenger - {3C3171BC-1025-43d1-8D1D-61CF4B38A28F} - C:\Novell\MESSEN~1\NMCL32.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://172.16.10.16:4343/officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://172.16.10.16:4343/officescan/console/html/ClientInstall/setup.cab
O16 - DPF: {245338C3-BCA3-4A2C-A7B7-53345999A8E8} (WSpell ActiveX Spelling Checker V5.15) - http://magic8app/magic/wspell.cab
O16 - DPF: {25B82430-A083-4C36-9D72-A4868E744CE2} (MGCSpellCheckAM.MDictionaryAM) - http://magic8app/magic/wspellAM.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://172.16.10.16:4343/officescan/console/html/ClientInstall/RemoveCtrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184157984937
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} (Crystal ActiveX Report Viewer Control 10.0) - http://magic8app/SCRmagic/Reports/activeXViewer/activexviewer.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clarksdns.com
O17 - HKLM\Software\..\Telephony: DomainName = clarksdns.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clarksdns.com
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: afisicx Settings storage service (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco MDS Fabric Manager (FMServer) - Unknown owner - C:\Documents and Settings\oper\.cisco_mds9000\bin\Wrapper.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe
O23 - Service: noxtcyr Manages messages (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: wsldoekd Portable Media Serial Service (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe
-- End of file - 10189 bytes
One last note... This is an office computer and IE7, Firefox, and XP SP3 have not been 'approved' yet, so that's why they are not installed.

We need permission from the IT department before advising any further as this is a work machine...

Quote from: patio on September 14, 2008, 08:59:37 AM
We need permission from the IT department before advising any further as this is a work machine...

I spoke with the Desktop Support Manager about trying this and he said he's sick of pulling his hair out, so if I can find other answers I can do it as long as I don't upgrade to SP3 (some of our software hasn't been tested with it yet) or upgrade to IE7 (some of our web based applications don't appear to work with it - yet). Also, I am in the IT department (I work in the NOC), but I mostly deal with the mainframe and Novell and Linux based servers, so Windows and I don't get along...

Got it. In the meantime I'm going to move this to the Virus and Spyware section... One of our Specialists should be along shortly. Best of Luck and Welcome Aboard!

Thanks... and sorry for posting in the wrong board. I look forward to whatever help y'all can give me... :-)

This is a severely infected computer. I see at least 5 rootkits installed. If you know anything about rootkits then you know just how dangerous they can be to a computer, not to mention a shared office computer.
My suggestion is to flatten the drive and reinstall.
Read the below information and let me know what you want to do.
One or more of the identified infections was related to a rootkit component. Rootkits are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because a rootkit has been removed the computer is secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read When should I re-format? How should I reinstall? and Reformatting the computer or troubleshooting; which is best?.
Wow... that was not happy news... Thanks for the input. I'll let my Desktop Support guy know what's going on... could you please tell me which ones are "rootkits" so that I can give him a better report?
Great... I have used this computer for banking needs too... *sigh*
Thanks again...

These are the ones that are showing. Remember HijackThis only shows some forms of malware and running processes. It doesn't see hidden nasties. I have helped in cleaning this type of infection before but it isn't easy and can easily stretch into a few days or more (depending on your and my schedules).
These are the ones that are easily identified. This particular rootkit will often install 2 or 3 drivers for each rootkit service it installs so there is definitely much more going on than what I can see now.
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe
O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe
----------
Let's go ahead and maybe see just how bad it is. Sometimes they will go away without a huge fight.
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1 Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web BROWSERS. (Firefox, Internet Explorer, etc) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts. When finished ComboFix will produce a log for you. Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
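Added here as a worked example (not code from the thread, from HijackThis or from anyone in it): a small Python triage script that applies the same reading of the log the helper gave above, over a handful of lines copied from the posted log. The regular expressions are written from the line shapes visible in that log; the rules (services with "Unknown owner" whose binary sits in system32, services whose file is already missing, "?" look-alike characters in an O4 autorun path, and any O1 hosts entry) are the ones the thread's helper used, generalized so the same checks run over a whole log.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in
# this thread, one entry per line as the tool itself writes them.
SAMPLE_LOG = r"""
O1 - Hosts: 75.125.165.202 axexe.com
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [Fomiu] C:\WINDOWS\system32\??mantec\l?gonui.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Line shapes HijackThis 2.0.2 uses for the three sections checked here.
SERVICE_RE = re.compile(r"^O23 - Service: .+? \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<entry>.+)$")


def triage(log_text):
    """Return (section, name, reasons) for each entry worth a second look."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := SERVICE_RE.match(line):
            reasons = []
            # No vendor name and a binary in system32: the pattern shared by the
            # five O23 entries singled out in the thread.
            if m["owner"] == "Unknown owner" and "\\windows\\system32\\" in m["path"].lower():
                reasons.append("no vendor name, binary in system32")
            # A service still registered although its executable is gone.
            if m["path"].endswith("(file missing)"):
                reasons.append("service registered but file missing")
            if reasons:
                findings.append(("O23", m["name"], reasons))
        elif m := RUN_RE.match(line):
            # HijackThis prints '?' for non-ASCII look-alike characters in a path.
            if "?" in m["cmd"]:
                findings.append(("O4", m["name"], ["look-alike characters in autorun path"]))
        elif m := HOSTS_RE.match(line):
            findings.append(("O1", m["entry"], ["hosts file redirection"]))
    return findings


if __name__ == "__main__":
    for section, name, reasons in triage(SAMPLE_LOG):
        print(f"{section} {name}: {'; '.join(reasons)}")
```

Flagged entries are a starting list for the reviewer, not a verdict; the legitimate Cisco and Trend Micro services in the full log pass because they carry a vendor name or live outside system32.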
Best way out of this is to wipe the hard drive clean, it's going to take a lot of time to remove all infected files.

Quote from: kizza1645 on September 16, 2008, 03:40:07 AM
Best way out of this is to wipe the hard drive clean, it's going to take a lot of time to remove all infected files.

That may be the easiest way for you....

Would you like to learn to fight malware?

Quote from: evilfantasy on September 16, 2008, 10:10:12 AM
Quote from: kizza1645 on September 16, 2008, 03:40:07 AM
Best way out of this is to wipe the hard drive clean, it's going to take a lot of time to remove all infected files.

That may be the easiest way for you....

Would you like to learn to fight malware?

No, I don't, it's just so easy to wipe it. Why bother searching for the little buggers.

Quote from: kizza1645 on September 17, 2008, 12:06:36 AM
No, I don't,

Then leave it for those of us that do....