afisicx and other bad things

Discussion in 'Malware Help (A Specialist Will Reply)' started by heatflash, Feb 22, 2009.

  1. heatflash

    heatflash Private E-2

    Hi, I’ve been hacked and my computer is in a real mess, I hope somebody on the forum can help. Please note I’m writing to this forum on an old Win 98 computer and dial-up (as my regular machine is in a mess) so there is a limit to what I can access and download. I am an amateur as far as modern computers are concerned so I may not have the knowledge you would consider basic.

    The problem is yesterday my computer (Windows XP) became stuck in a crawl while I was connected to broadband, so I went to get a drink. When I came back some time later Norton Internet Security reported that there was a problem with (as far as I can recall) Bloodhound, which I believe means it’s detected something suspicious and removed it. Thinking I was in the clear I rebooted and reconnected to recheck the definition of this problem at their web site; while looking at the log I discovered it deleted something it said was a loader at “system32\umtcdtw.sys”. It also flagged up attention to other files but considered the risk low and did nothing. The files were “afisicx.exe”, “tpszxyd.sys” and “msrstart.exe” and were all in windows\system32. I then decided to remove one of them without reading correctly that the file may be harmless (tpszxyd.sys) so I don’t know if I did any damage there. Then I decided to use System Restore from safe mode and go back a month to be on the safe side, but the progress bar for this went by far too quickly and when the computer finally did reboot it said it was unable to restore to that point; I tried various points to no avail. Then the computer started to behave eccentrically and finally I can’t boot into the system, I just get a black screen and a moveable mouse pointer; I can still boot into safe mode. I should point out that this problem with System Restore seems to have started a couple of days ago after I viewed a YouTube video; I could still restore to a recent safe point but that’s all. I don’t know if that was the first attack?
    Should I remove afisicx and the other files? Many thanks in advance.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!


    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky Don't Bump! It Only Hurts You!!!. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. heatflash

    heatflash Private E-2

    I did discover that I could boot up normally, it was just that there was an extremely long delay before the task bar first appeared. When the task bar appeared though, no anti-virus software was automatically loaded. I carried out all the procedures in “Read & Run Me First” for XP computers. I didn’t allow automatic downloads of updates for SAS, as my Norton Security seemed to be compromised, so I manually updated it. After SAS cleaned some files etc. and I rebooted, Norton automatically loaded, but too fast so I think it was still compromised. However, I couldn’t seem to get Spybot to run without auto updates so I took a risk and downloaded it online; I auto updated Malwarebytes as well. I read the instructions for ComboFix; these suggested that I should download the Windows Recovery Console. I decided to manually download this on my old computer with dial-up, then followed the instructions to drag and drop it on the ComboFix icon so ComboFix would install it. However, it didn’t install it, instead it asked for an internet download again, but it did run smoothly (should I install the Recovery Console myself?). When I got to MGtools, that program produced the processdll.exe application error; I read that I needed .NET Framework. After all this was carried out, the computer was still taking an age to boot: from the pointer appearing with the blank screen (I don’t use wallpaper) to the taskbar appearing took approx. 140+ seconds and a further 25 seconds for the desktop icons to fully appear. I decided to take a risk and download .NET Framework through broadband as I figured I had some immunity and the bite had been taken out of the trojans.

    However, the computer locked up again; I pulled the plug after a while when I got suspicious. I took some time out and when I returned Norton reported I needed to reboot because of security problems. Norton’s recent history reported that Infostealer.Gampass had been detected and removed, but there was also other suspicious activity that wasn’t acted upon. Earlier in the day spybotsd162.tmp made modifications to my computer (I hope this is the Spybot program), but there was also the following activity around the time when I went online:
    Swreg.exe modified my windows startup settings
    Swregcf.exe made 13 modifications to my windows startup settings
    Catchme.sys made modifications to my windows system settings
    Cf32766.exe accessed my network resources
    Regt.cfexe made 198 modifications to my computer
    Swreg.exe made 2 modifications to my windows startup settings
    I can’t seem to export the recent activity log so I had to enter them manually, I can export a file on Infostealer and downloader (previous) if that can help.
    I wasn’t sure what to do so I cleaned the system again with CCleaner and started SAS; it reported only one item for deletion – Rootkit.Agent/Gen-FraudLoad. I haven’t deleted it yet or switched my machine off or rebooted in case I cause more problems. I should also point out that my AOL spyware blocker (not sure how to switch this off in case that’s your next thought) kept reporting ISTbar as a Hijacker and Mirar as a nuisance. This happened after I installed Spybot Search & Destroy; as I wasn’t certain if that was the cause, I didn’t block them, I simply closed the window when it appeared. However, this hasn’t happened for a while and AOL isn’t reporting the spyware blocker as active now for some reason. I have included the logs; should I repeat the process for the new problems and send you the logs? Could the anti-malware applications I have installed become infected with this new wave of problems? Should I reinstall? I’m having to copy files off from my Win 98 on a memory stick as my CD-RW is producing errors for some reason (I think it’s broken).
     
  4. heatflash

    heatflash Private E-2

    Hi, I can't seem to get an attachments button, I think it's because I'm using an old version of Explorer on my Win 98 machine. Could I email you the files? Many thanks
     
  5. heatflash

    heatflash Private E-2

    Hi, I managed to attach the files, more to follow. As a matter of interest, do you think it's possible to catch such malware from Auctiva?
     


  6. heatflash

    heatflash Private E-2

    Please find more logs attached. The first lot of logs were for Superantispyware and Spybotsd162, I obtained two logs from spybot one short and one large. The second lot of logs are for malwarebytes, combofix and mgtools.
     


  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It appears as though the scans took care of most of the malware, so we only need to do this:

    Use windows explorer to find and delete:
    C:\WINDOWS\system32\atlsystem40322.exe
    C:\WINDOWS\system32\u202127735.dll
    C:\WINDOWS\system32\u222145133.dll
    C:\WINDOWS\system32\u222153536.dll

    Let me know if you have a problem doing that.

    You also need to install more RAM in this system:
    Hardly enough to run xp, let alone Norton on top of it.

    Now download and install:
    Java Runtime 6
     
  8. heatflash

    heatflash Private E-2

    Thanks for getting back, 256MB was good in its day, I think :)

    Atlsystem40322.sys and u222145133.dll were nowhere to be found, u202127735.dll deleted without a fight but u222153536.dll is somehow protected. I get the message that access is denied and that either the file is in use or the disk may be write protected.
     
  9. heatflash

    heatflash Private E-2

    By the way, should I get rid of ISTbar and Mirar? My AOL spyware protection software identifies them when I run a scan. It reports ISTbar as a Hijacker and Mirar as a nuisance; the other anti-spyware software I ran didn't seem to touch them.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I would remove those tool bars....let's see if Avenger will do it.

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Attach the Avenger log.
     
  11. heatflash

    heatflash Private E-2

    First lot of attached files, please see the next post for the rest
     


  12. heatflash

    heatflash Private E-2

    Sorry I've been late in replying, but I've been trying to work out the current situation with my PC.

    I executed the Avenger program and it deleted the problem file. I don't think the ISTbar and Mirar toolbars are present as I first thought. I scanned using the AOL anti-spyware software again and there were warnings as usual; as I used a more detailed scan this time it also flagged up Bifrost and prockill, which a Google search suggested was more malware. I've just discovered how to get more info on each flagged problem; when I select more information on the ISTbar and Mirar warnings I don't get file names but what look like registry entries:
    hkey_local_machine \software\microsoft\windows\currentversion\internetsettings\zonemap\domains\contentmatch.net
    hkey_local_machine \software\microsoft\windows\currentversion\internetsettings\zonemap\domains\mirarsearch.com

    Bifrost (Backdoor):
    hkey_current_user\software\wget

    I'm now guessing the AOL anti-spyware must be pointing to entries in the registry that Spybot put there for immunity, is that correct? I'm not sure about Bifrost, could that be a genuine threat? Prockill seems to be pointing to a component of MGtools (process.exe) which I'm assuming is another false alarm.

    I then went online with my usual Explorer security settings to test the water and download the Microsoft .NET Framework required for MGtools. The settings don't allow for unsigned ActiveX controls etc. and prompt for anything else that may be dodgy (don't know how I got hacked in the first place). It looked fine and seemed that I was in the clear, but then a pop-up started appearing in my AOL browser. Whenever the welcome page was opened, it would appear. The pop-up looks like AOL's search engine at -
    http://aolsearch.aol.co.uk/aol/webhome but the window's address is completely different. The pop-up's address starts with aka-cdn-ns.adtech.de; it in turn points to a page whose address starts with aolcdn. I haven't sent the full address as I don't know if it's ok to post web addresses on this forum with potentially dangerous content. If you need to take a look at it, I'll send the full address in my next message. I've had a look at the content (quite long), but I'm no HTML expert and I don't know what changes it makes.

    I then turned on AOL's and Explorer's pop-up blockers and set all my Internet Explorer security settings to block just about everything except active scripting, but it still kept popping up. The only thing that stops it is blocking everything including active scripting. Also, on a couple of occasions I've found "PopupMgr" in the IE pop-up blocker's allowed sites list; I've deleted it but it's appeared again.

    I then carried out the Read & Run Me First procedures and recorded the logs which I've included. I did this with all except MGtools, because I couldn't get the necessary .NET Framework to install (see my previous post about the error message). When I try I get the following message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This is suspicious as I can copy the file from one directory to another without a problem.

    Please find the rest of the log files in the previous post. Thanks for your help.
     


  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You were able to get an MGlogs on the 24th....without the .NET Framework....why can't you run it now? Are you getting error messages?

    Is Norton reporting anything?

    Please run CCleaner and then run ATF Cleaner by Atribune.
     
  14. heatflash

    heatflash Private E-2

    I get the ProcessDLL.EXE - Application Error when I run MGtools. I was under the impression that the logs it generates were missing critical info if this error was produced, so I didn't think you'd be interested in it unless it was complete. I've attached the log zip file now. When I ran MGtools I also didn't get the HijackThis window popping up as I did when I first executed it, so I don't know if that component worked?

    I carried out the ATF Cleaner procedure; I clicked select all, was that correct? This didn't have any effect on the pop-up window.

    I'm as certain as I can be that the AOL search window pop-up is sinister. Its content has some lines starting with "#adult", and if you click on the search button or AOL logo you are sent to the real search engine web address. The real search engine page is 12KB, the pop-up is 75KB. If you deliberately go to the AOL search engine from the welcome page you are sent to the real web site; there seems no rationale for this site except dishonest purposes.

    Although start-up is a bit quicker, it's still slow. It was 145 seconds, now it's 106 until the task bar appears after the blue welcome screen has gone.

    I carried out a full scan with Norton on the 27th and it found and deleted some files that I think the "Read & Run Me First" utilities quarantined:
    c:\qoobox\quarantine\c\windows\system32\200921230.dll.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\200925727.dll.vir
    C:\RECYCLER\S-1-5-21-757298511-357967339-2079644369-1003\Dc1.dll
    I will make another full scan, but I strongly doubt I'll find anything with it. While I'm on this point, Norton is asking to update files; I've been putting it off. Is it safe to update Norton before I've got the all clear?

    I did a bit of searching around my PC for any clues; I've found what follows. I don't know if this info is useful to you or not but I thought I'd pass it on.

    I noticed that the malware DLL files were dated 21/02/2009. The file C:\Program Files\Real\RealPlayer\Msg\Category.dat was modified on that date - 21 February 2009, 19:22:14. It may be harmless but I'm trying to find any changes that occurred to my PC on that date. When clicking on some YouTube videos on that date I did get some odd messages about scripts not working in the video; I don't know if this has something to do with the malware.

    I also searched the registry for the DLL files that you advised I should delete. I found the following entries containing the U222153536.DLL file:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\eq2soft\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\eq2soft\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eq2soft\Parameters

    I then searched the registry for eq2soft and found:
    HKEY_LOCAL_MACHINE\SOFTWARE\INSTALLCOOL\eq2soft

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost netsvcs REG_MULTI_SZ, which contained the text I'm including in file1.txt which I've attached. It includes the name eq2soft at the end along with other suspicious-sounding names like softyinforwow1.
     


    Last edited: Mar 1, 2009
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes...update all your protections software. I am not seeing anything in your logs.

    Perhaps Combo will reveal it....and yes these should be deleted:
    the U222153536.DLL file.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\eq2soft\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\eq2soft\Parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eq2soft\Parameters
    HKEY_LOCAL_MACHINE\SOFTWARE\INSTALLCOOL\eq2soft

    Download SDFix and save it to your Desktop.

    * Run the SDFix.exe by double clicking on it.
    * Allow it to install into the default location which is normally c:\SDFix
    * Now please reboot your computer into Safe Mode (see this if you don't know how: Starting your computer in Safe mode. )
    * When you have booted into safe mode, open the C:\SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services or Registry entries found and then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    * Attach the Report.txt file to your next message as well as a combo log.
     
  16. heatflash

    heatflash Private E-2

    The problem with the pop-up now seems to have been a red herring, sorry for the false alarm. AOL's technical message boards aren't easy to find from the welcome page for some strange reason, but I finally discovered AOL's message board for technical problems. Apparently it's all been a strange advertisement experiment which left users baffled; it stopped for a while today but now it's back. It was just my bad luck their experiment coincided with my malware problem.
    http://messageboards.aol.co.uk/aol/...=false&filterHidden=true&filterUnhidden=false

    So now the only odd thing about my system is the delay between the blue welcome screen disappearing and the task bar's appearance. It was 106 seconds; after Windows and then Norton installed an update it went down to about 80 seconds. After I used SDFix it went back up to 100 seconds? I don't know if it has any relevance but I opted to turn the computer off and let Windows automatically update as usual; when I returned I found that the machine had hung on the switch-off screen, but when I rebooted it did say a critical update was installed.

    I don't know if this is evidence for malware, but AOL's anti-spyware used to be loaded on boot-up automatically. It still has to be manually started. Also as I stated before, I can't execute the dotnetfx.exe Microsoft .NET Framework upgrade; is this evidence of malicious software or is the error message (see prev post) entirely legitimate?

    After I used SDFix, I deleted the registry entries as you advised. However, I found that there were more eq2soft entries than before. I've listed them below plus some other entries I've discovered. The entries that weren't in the registry before seem to be stored in branches ending in Enum\Root rather than "Services", like the following:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EQ2SOFT
    Were these created by SDFix? As I didn't find these entries before. Are the Enum\Root branches merely backups made by SDFix? Should I delete all entries in Enum\Root (there are a lot) or should I leave them alone?
    The registry entries I found are listed below, some of the softyinforwow1 entries contain references to C:\WINDOWS\system32\200925727.dll. Should I delete all the entries below?
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_EQ2SOFT
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EQ2SOFT
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_EQ2SOFT
    HKEY_LOCAL_MACHINE\SOFTWARE\OKME
    HKEY_LOCAL_MACHINE\SOFTWARE\OKME\softyinforwow1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SOFTYINFORWOW1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\softyinforwow1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SOFTYINFORWOW1
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\softyinforwow1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOFTYINFORWOW1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\softyinforwow1

    After I used the SDFix program I examined the results file.
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb
    The report log highlights the above file name as hidden. This file didn't look overly threatening, being labelled a temp file, but I tried to open it with Notepad to see any text buried in the code and I couldn't as it was in use. I then selected details to see the file's date, but it disappeared? Hidden files are selected to be visible, and when I did see the file its icon wasn't translucent like other hidden files. I went to the previous documents and clicked on its name but it could no longer be accessed. Also, it never ended up in the recycle bin; was it just a temporary file used by XP? The directory chain it was in, "C:\WINDOWS\SoftwareDistribution", has a file called ReportingEvents.log. In it, amongst the list of events it recorded are two which occurred on the same day the malware DLLs were saved; the event times and their labels are given below.
    2009-02-21 12:39:17 Success Content Install Reboot completed.
    2009-02-21 19:15:52 Success Software Synchronization

    I then executed combofix, but a message came up stating that it could only now run a cut down version as the date was the 2nd of March? Should I still use this cut down version and send you the log?
     


    Last edited: Mar 2, 2009
  17. heatflash

    heatflash Private E-2

    I would just like to add one more thing to the previous post for you to consider. I've just looked into the recent history of Norton Security and have found something odd. There didn't seem to be anything strange at first glance, just a reference to swreg.exe having made 5 changes to my Windows start-up settings. Now I know that swreg.exe is in MGtools, and then it occurred to me that I hadn't run MGtools for at least 24 hours, yet it's listed as being active on 2/3/2009 22:52:01. I can't remember what I was doing at the time but I don't think I was running any of your suggested utilities; I think I either rebooted the PC or was online. I then checked the previous entries of swreg.exe in my recent history; they referred to the file c:\mgtools\swreg.exe. But the latest history entry was referring to c:\32788r22fwjfw\swreg.exe ??? That directory doesn't exist and isn't in the recycle bin.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First run CCleaner...both the cleaner and the registry (making the backup when prompted).

    Then please attach a new combo log and run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  19. heatflash

    heatflash Private E-2

    I'm afraid I jumped the gun a little. I checked softyinforwow1 and netmantow in Google, and I also checked other people's normal netsvcs registry entries through Google. After being convinced these were leftovers of the malware I managed to get rid of, I deleted them. The system is working so these entries must have been safe to delete I guess, but I made a backup of the whole registry and the individual items I deleted. Just to clarify, I only deleted the text - eq2soft, softyinforwow1, netmantow - in the netsvcs registry entry, I did not delete the whole entry. Would you like me to restore them before I carry out your CCleaner etc. procedure?

    I'll carry out your procedure tomorrow as it's very late here and I'm dog tired. I'm thinking of using System Restore to test if this works; as I said in my original post, this feature was somehow disabled, returning the message that the system could not restore when it rebooted. I won't reboot to a point when the system was infected with the malware I deleted, just the previous restore point (which will be today I suppose). If you think that wouldn't be a good idea, please let me know. Thanks
     
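    As an added example (not from this thread, and not part of MGtools, SDFix, ComboFix or any other tool mentioned here), the script below ties posts #14, #16 and #19 together. svchost.exe -k netsvcs starts every service named in the netsvcs REG_MULTI_SZ under the SvcHost key, loading each one from the DLL named in Services\<name>\Parameters\ServiceDll; a dropped DLL with a random numeric name plus an extra name tacked onto the end of netsvcs is exactly the residue the thread describes. The code parses a Regedit 5.00 export (including the hex(7) multi-string encoding and the backslash-continued lines regedit writes) and flags netsvcs members that are not in a baseline list, have no ServiceDll, or point at a random-looking DLL. The baseline is an abbreviated, assumed XP SP3 set that you should rebuild from a known-clean machine, and the sample export is constructed for the example, reusing only the service and DLL names that appear in the thread.

```python
"""Cross-check the svchost netsvcs group against the Services tree in a
Regedit 5.00 export. Added example: not code from the thread or from any
MajorGeeks tool; baseline list and sample export are assumptions."""
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# ASSUMPTION: abbreviated netsvcs membership of a stock XP SP3 install, for
# illustration only. Build your own from a known-clean machine.
BASELINE_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "DMServer", "ERSvc",
    "EventSystem", "helpsvc", "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer",
    "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc", "NWCWorkstation",
    "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS",
    "Sharedaccess", "ShellHWDetection", "SRService", "Tapisrv", "Themes", "TrkWks",
    "uploadmgr", "W32Time", "winmgmt", "Wmi", "WmdmPmSp", "wscsvc", "wuauserv",
    "WZCSVC", "xmlprov",
}

def reg_hex(type_code, strings):
    """Encode strings as regedit exports hex(2) REG_EXPAND_SZ / hex(7) REG_MULTI_SZ:
    UTF-16LE, NUL-terminated, 25 bytes per line with backslash continuations."""
    payload = "\0".join(strings) + ("\0\0" if type_code == 7 else "\0")
    hexbytes = [f"{b:02x}" for b in payload.encode("utf-16-le")]
    chunks = [",".join(hexbytes[i:i + 25]) for i in range(0, len(hexbytes), 25)]
    return f"hex({type_code}):" + ",\\\n  ".join(chunks)

def _unescape(s):  # regedit doubles backslashes and escapes quotes in strings
    return re.sub(r'\\(["\\])', r"\1", s)

def _hex_bytes(data):
    return bytes(int(b, 16) for b in data.split(",") if b.strip())

def parse_reg_export(text):
    """{key_path: {value_name: value}} with REG_MULTI_SZ -> list, SZ/EXPAND_SZ -> str,
    DWORD -> int, anything else left as raw text."""
    keys, current, i = {}, None, 0
    lines = text.splitlines()
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):  # rejoin wrapped hex data
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if data.startswith("hex(7):"):
            value = [s for s in _hex_bytes(data[7:]).decode("utf-16-le").split("\0") if s]
        elif data.startswith("hex(2):"):
            value = _hex_bytes(data[7:]).decode("utf-16-le").rstrip("\0")
        elif data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            value = _unescape(data[1:-1])
        else:
            value = data
        keys[current][name] = value
    return keys

def audit_netsvcs(reg, baseline=BASELINE_NETSVCS):
    """[(service, service_dll, reasons)] for netsvcs members that deserve a look.
    svchost -k netsvcs loads each listed name from Services\\<name>\\Parameters\\ServiceDll."""
    base = {s.lower() for s in baseline}
    findings = []
    for svc in reg.get(SVCHOST_KEY, {}).get("netsvcs", []):
        dll = reg.get(SERVICES_ROOT + "\\" + svc + "\\Parameters", {}).get("ServiceDll")
        reasons = []
        if svc.lower() not in base:
            reasons.append("not in the baseline netsvcs list")
        if dll is None:
            reasons.append("no Parameters\\ServiceDll (orphaned name, or key hidden by a rootkit)")
        else:
            fname = dll.rsplit("\\", 1)[-1].lower()
            if re.fullmatch(r"[a-z]?[0-9]{6,}\.dll", fname):
                reasons.append("random-looking DLL name " + fname)
            if not dll.lower().startswith(("%systemroot%\\system32\\", "c:\\windows\\system32\\")):
                reasons.append("ServiceDll outside system32: " + dll)
        if reasons:
            findings.append((svc, dll, reasons))
    return findings

# Constructed sample export (not the thread's machine): two stock services plus the
# three names the thread found appended to netsvcs. Only the service and DLL names
# come from the thread; the layout is what regedit would write.
NETSVCS_SAMPLE = ["Browser", "Schedule", "eq2soft", "softyinforwow1", "netmantow"]
BROWSER_DLL = r"%SystemRoot%\System32\browser.dll"
SCHEDULE_DLL = r"%SystemRoot%\system32\schedsvc.dll"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{SVCHOST_KEY}]", f'"netsvcs"={reg_hex(7, NETSVCS_SAMPLE)}', "",
    f"[{SERVICES_ROOT}\\Browser\\Parameters]", f'"ServiceDll"={reg_hex(2, [BROWSER_DLL])}', "",
    f"[{SERVICES_ROOT}\\Schedule\\Parameters]", f'"ServiceDll"={reg_hex(2, [SCHEDULE_DLL])}', "",
    f"[{SERVICES_ROOT}\\eq2soft\\Parameters]", r'"ServiceDll"="C:\\WINDOWS\\system32\\u222153536.dll"', "",
    f"[{SERVICES_ROOT}\\softyinforwow1\\Parameters]", r'"ServiceDll"="C:\\WINDOWS\\system32\\200925727.dll"', "",
])

if __name__ == "__main__":
    for svc, dll, reasons in audit_netsvcs(parse_reg_export(SAMPLE_REG)):
        print(f"{svc:16}{dll or '<no ServiceDll>'}\n    " + "\n    ".join(reasons))
```

    On the sample the three thread names are reported and the two stock services are not. To run it against a real machine, use regedit's File > Export on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and on the SvcHost key (regedit writes the file as UTF-16 with a BOM, so open it with encoding="utf-16") and feed the text to parse_reg_export. The Enum\Root\LEGACY_<name> keys asked about in post #16 are created by Windows itself for every kernel driver and legacy service and typically carry a restrictive ACL; they are not where the loader lives. The Services\<name> key and its ServiceDll decide whether the code runs, which is why the audit looks only there.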
  20. heatflash

    heatflash Private E-2

    I used CCleaner to scan the log and I selected to fix all. See the file "registry.txt" for the items that CCleaner processed. Everything seems to be functioning, but please take a look at the registry.txt file to see if any deletion may cause a problem. Should I insert any of the items back into the registry?

    The speed of the boot has improved but not because of CCleaner. As CCleaner was indicating uninstall registry entries, I thought I'd get rid of some old apps just in case I couldn't in the future. I had a malware false alarm about 1-2 years ago and had installed Panda ActiveScan, Kaspersky antivirus scanner software, ewido anti-spyware software and a Lavasoft app. I deleted the first two and there was no change, but after I deleted ewido the speed improved. What do you think was causing the problem, do you think ewido had become infected or can be used to access a computer over the internet for an attack? Could the malware have caused it to malfunction? Or was it simply clashing with the other anti-spyware software I've recently downloaded? The ewido version was the free one without background scanning as far as I know, so I don't think it was meant to be loaded from boot; because of this its behaviour is a mystery. The uninstall program did ask if I wished to delete the files it had quarantined, which I did. I had run ewido, despite it being very out of date, as soon as the malware problem came to light; it didn't identify anything.

    You can see the boot times below; I've broken it down into stages: stage 1 - duration of the Windows XP logo and animated "activity bar", stage 2 - period before the pointer appears, stage 3 - period before the blue welcome screen appears, stage 4 - duration of the blue welcome screen, stage 5 - period before the task bar appears, stage 6 - time for icons to appear on the desktop.

    Before I uninstalled ewido the times were (in seconds) - stage 1: 35 to 45, stage 2: 22 to 27, stage 3: 11, stage 4: 37 to 39, stage 5: 84 to 120, stage 6: 30 to 40
    After I uninstalled ewido the times were - stage 1: 30 to 33, stage 2: 22 to 28, stage 3: 11, stage 4: 36 to 40, stage 5: 22 to 30, stage 6: 3


    Please note: I accidentally clicked on a backup of MGtools on a pen drive. Major Geeks' MGtools guide says that it's critical that it's executed from the root drive that Windows is stored in. I then ran MGtools normally as you instructed. Will my error cause any problems with the log?

    I haven't checked system restore, I'll do that tomorrow.

    I followed your instructions after I uninstalled the old apps and have included the logs, does it look clean? Could there be any possibility that any of the malware installed a boot virus? Thanks
     


  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The main reason you are "slow" is two fold:

    First:
    Second:
    Norton

    You need 3 to 4 times that amount of RAM.

    Your logs are clean.....If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
  22. heatflash

    heatflash Private E-2

    Many thanks for your help.
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome.....safe surfing. :)
     
