Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs
Help! back door trojan (New)
british147 (Junior Member, 6 posts; joined Jul 2007)
18-Jul-2007, 12:30 AM #1
Help! back door trojan
I keep getting errors saying I have a 'back door trojan' as well as numerous pop ups.

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:06:59 AM, on 7/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip110\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\qwerty12.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xvyar.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jqfedyr.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\pcseygzt.dll
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip110\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - AppInit_DLLs:
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vixxnnc.exe (file missing)



Help!!!! Thanks.
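As an added example (not from this thread, its posters, or the HijackThis project), the script below applies to HijackThis log lines the checks a helper makes by eye when reading a log like the one above: Shell and UserInit values with an extra program appended, processes and autoruns launched from the Windows root or a Temp folder, names that mimic system binaries, and services with no owner or a missing file. The sample lines are a constructed subset of the log posted above; the heuristics, the lookalike list, and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this
# thread, embedded so the script runs offline (raw string keeps the backslashes).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\retadpu77.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xvyar.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jqfedyr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vixxnnc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Executables started straight from the Windows root or a Temp folder; legitimate
# software almost never installs there (heuristic chosen for this example).
WINROOT_OR_TEMP = re.compile(r"^[a-z]:\\windows\\(temp\\)?[^\\]+\.exe$", re.I)
# Names that mimic genuine system binaries (svhost.exe vs the real svchost.exe).
LOOKALIKES = {"svhost.exe", "scvhost.exe", "svchosts.exe", "lsas.exe", "csrs.exe"}
# First drive-letter .exe path on a line, quoted or not.
DRIVE_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.exe)"?', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_exe(path):
    """True for a lookalike name or a binary living in Windows root / Temp."""
    return basename(path) in LOOKALIKES or bool(WINROOT_OR_TEMP.match(path))


def parse_service(line):
    """Split an O23 line into (owner, path, file_missing); owner may be empty."""
    rest = line.split(" - ", 2)[2]            # text after "O23 - Service: <name> - "
    m = re.search(r"([a-z]:\\.+?)(?: \(file missing\))?$", rest, re.I)
    path = m.group(1)
    owner = rest[:m.start()].rstrip(" -")     # whatever precedes the path, minus separators
    return owner, path, "(file missing)" in rest


def triage(log):
    """Return the log lines a helper would ask about, each with a short reason."""
    findings = []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False                  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if basename(line) in LOOKALIKES:
                findings.append(Finding(line, "process name mimics a system binary"))
            elif WINROOT_OR_TEMP.match(line):
                findings.append(Finding(line, "process running from Windows root or Temp"))
        elif line.startswith("F2 - REG:system.ini: Shell="):
            # The only expected value is Explorer.exe; anything appended runs at every logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding(line, "extra program chained after Explorer.exe in Shell"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            parts = [p.strip().lower() for p in line.split("UserInit=", 1)[1].split(",")]
            if any(p and not p.endswith("\\userinit.exe") for p in parts):
                findings.append(Finding(line, "extra program chained after userinit.exe"))
        elif line.startswith("O4 - "):
            m = DRIVE_PATH.search(line)
            if m and suspicious_exe(m.group(1)):
                findings.append(Finding(line, "autorun launches a lookalike or a file in Windows root/Temp"))
        elif line.startswith("O23 - Service: "):
            owner, path, missing = parse_service(line)
            if missing:
                findings.append(Finding(line, "service points to a missing file"))
            elif not owner:
                findings.append(Finding(line, "service has no owner"))
            elif suspicious_exe(path):
                findings.append(Finding(line, "service binary is a lookalike or in Windows root/Temp"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:58} {f.line}")
```

Entries that pass these checks are not cleared, only not obviously wrong; the heuristics are a first pass to decide what to look up, not a verdict.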
cybertech (Moderator, 65,838 posts; joined Apr 2002; Washington State)
18-Jul-2007, 12:52 PM #2
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
Microsoft MVP/Windows - Consumer Security
british147 (Junior Member, 6 posts; joined Jul 2007)
19-Jul-2007, 09:57 PM #3
I can follow the directions up to "open the extracted SDFix folder". I can't find any SDFix folder. I do have an icon on the desktop that is SDTrial. It is for Spyware Doctor, which I don't actually have. I have also searched for this folder with no luck. Help!
cybertech (Moderator, 65,838 posts; joined Apr 2002; Washington State)
20-Jul-2007, 01:02 PM #4
The folder should be at C:\SDFix unless you changed the location when you ran the downloaded program.
british147 (Junior Member, 6 posts; joined Jul 2007)
20-Jul-2007, 10:06 PM #5
SDFix: Version 1.92

Run by Owner on Fri 07/20/2007 at 09:45 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
core
runtime
runtime2
Windows Overlay Components

ImagePath:
system32\drivers\core.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys
\SystemRoot\system32\drivers\runtime2.sys
C:\WINDOWS\vixxnnc.exe

core - Deleted
runtime2 - Deleted
Windows Overlay Components - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\diskperf.dll - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\Documents and Settings\Owner\Recent\WinAntiSpyware 2007.lnk - Deleted
C:\Documents and Settings\Owner\Application Data\Install.dat - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\Owner\LOCALS~1\Temp\mc-110-12-0000103.exe - Deleted
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe - Deleted
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe - Deleted
C:\WINDOWS\poolsv.exe - Deleted
C:\WINDOWS\retadpu.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu77.exe - Deleted
C:\WINDOWS\svhost.exe - Deleted
C:\WINDOWS\system32\7_exception.nls - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\Uninst2.htm - Deleted
C:\WINDOWS\Unist1.htm - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\System32\\qwerty12.exe"="C:\\WINDOWS\\System32\\qwe"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\Administrator\NetHood\jobs on www.osuhousing.com\Desktop.ini
C:\Documents and Settings\Administrator\NetHood\RASelection on www.osuhousing.com\Desktop.ini
C:\Documents and Settings\Default User\NetHood\jobs on www.osuhousing.com\Desktop.ini
C:\Documents and Settings\Default User\NetHood\RASelection on www.osuhousing.com\Desktop.ini
C:\Documents and Settings\Owner\NetHood\jobs on www.osuhousing.com\Desktop.ini
C:\Documents and Settings\Owner\NetHood\RASelection on www.osuhousing.com\Desktop.ini
C:\WINDOWS\IA\asappsrv.dll
C:\WINDOWS\system32\pcseygzt.dllbox
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\IA\command.exe
C:\WINDOWS\SMINST\HPCD.sys
C:\Documents and Settings\Administrator\My Documents\~WRL0003.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL0788.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL3418.tmp
C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0001.tmp
C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0053.tmp
C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0481.tmp
C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL1490.tmp
C:\Documents and Settings\Default User\My Documents\~WRL0003.tmp
C:\Documents and Settings\Default User\My Documents\~WRL0788.tmp
C:\Documents and Settings\Default User\My Documents\~WRL3418.tmp
C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0001.tmp
C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0053.tmp
C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0481.tmp
C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL1490.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0003.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0788.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3418.tmp
C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0001.tmp
C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0053.tmp
C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0481.tmp
C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL1490.tmp
C:\WINDOWS\LastGood.Tmp\INF\dasetup.inf
C:\WINDOWS\LastGood.Tmp\INF\dasetup.PNF
C:\WINDOWS\LastGood.Tmp\INF\mdacxpak.inf
C:\WINDOWS\LastGood.Tmp\INF\mdacxpak.PNF
C:\WINDOWS\LastGood.Tmp\INF\msxmlx.inf
C:\WINDOWS\LastGood.Tmp\INF\msxmlx.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem78.inf
C:\WINDOWS\LastGood.Tmp\INF\oem78.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem79.inf
C:\WINDOWS\LastGood.Tmp\INF\oem79.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem80.inf
C:\WINDOWS\LastGood.Tmp\INF\oem80.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem81.inf
C:\WINDOWS\LastGood.Tmp\INF\oem81.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem82.inf
C:\WINDOWS\LastGood.Tmp\INF\oem82.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem83.inf
C:\WINDOWS\LastGood.Tmp\INF\oem83.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem84.inf
C:\WINDOWS\LastGood.Tmp\INF\oem84.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem85.inf
C:\WINDOWS\LastGood.Tmp\INF\oem85.PNF
C:\WINDOWS\LastGood.Tmp\INF\oem86.inf
C:\WINDOWS\LastGood.Tmp\INF\oem86.PNF
C:\WINDOWS\LastGood.Tmp\INF\rspfiles.inf
C:\WINDOWS\LastGood.Tmp\INF\rspfiles.PNF
C:\WINDOWS\LastGood.Tmp\INF\sqlnet.inf
C:\WINDOWS\LastGood.Tmp\INF\sqlnet.PNF
C:\WINDOWS\LastGood.Tmp\INF\sqlodbc.inf
C:\WINDOWS\LastGood.Tmp\INF\sqlodbc.PNF
C:\WINDOWS\LastGood.Tmp\INF\sqloldb.inf
C:\WINDOWS\LastGood.Tmp\INF\sqloldb.PNF
C:\WINDOWS\LastGood.Tmp\INF\sqlxmlxp.inf
C:\WINDOWS\LastGood.Tmp\INF\sqlxmlxp.PNF
C:\WINDOWS\LastGood.Tmp\INF\wdsetup.inf
C:\WINDOWS\LastGood.Tmp\INF\wdsetup.PNF
C:\WINDOWS\IA\KE.vbs

Finished
cybertech (Moderator, 65,838 posts; joined Apr 2002; Washington State)
21-Jul-2007, 11:21 AM #6
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
__________________
Microsoft MVP/Windows - Consumer Security
british147 (Junior Member, 6 posts; joined Jul 2007)
21-Jul-2007, 09:38 PM #7
"Owner" - 2007-07-21 21:24:13 - ComboFix 07-07-17.8 - Service Pack 1 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pcseygzt.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\pcseygzt.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\~.exe


((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


2007-07-21 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 22:04 <DIR> d-------- C:\Program Files\Google
2007-07-20 22:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-07-20 21:44 <DIR> d-------- C:\WINDOWS\ERUNT
2007-07-18 21:37 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-18 21:37 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\System
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Yahoo! Messenger
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Template
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SmartDraw
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Musicmatch
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lycos
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Common Files
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ACDInTouch
2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ACD Systems
2007-07-18 18:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-18 18:32 119,512 --a------ C:\WINDOWS\installer4x.exe
2007-07-17 19:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-07-16 22:47 85,720 --a------ C:\WINDOWS\system32\regwiz.dll
2007-07-16 22:46 323,584 --ah----- C:\WINDOWS\system32\pcseygzt.dll
2007-07-15 22:02 50,688 --a------ C:\WINDOWS\system32\qwerty12.exe
2007-07-14 18:21 <DIR> d-------- C:\WINDOWS\system32\driver
2007-07-14 18:21 <DIR> d-------- C:\WINDOWS\system32\b10FdUe
2007-07-14 18:21 <DIR> d-------- C:\temp\brr
2007-07-14 18:21 <DIR> d-------- C:\temp\0c2
2007-06-28 21:47 <DIR> d-------- C:\Program Files\FreeRIP3


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 22:20:05 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-07-21 21:56:30 1,648 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-07-14 23:21:10 -------- d-----w C:\Program Files\AVPersonal
2007-06-25 03:03:22 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-09 20:26:59 -------- d-----w C:\Program Files\SystemRequirementsLab
2007-06-09 20:26:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SystemRequirementsLab
2006-05-30 02:29:36 35,456 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2004-05-16 08:53:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-05-15 10:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-11-30 09:50 67136 --a------ C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-07-21 21:29 323584 --ah----- C:\WINDOWS\system32\pcseygzt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-07-20 22:04 324536 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"VTTimer"="VTTimer.exe" [2003-05-08 02:32 C:\WINDOWS\system32\VTTimer.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 16:35 C:\WINDOWS\ALCXMNTR.EXE]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 C:\WINDOWS\ltmsg.exe]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 14:39]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-21 02:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-04-27 16:44]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 22:04]
"Regscan"="C:\WINDOWS\System32\regscan.exe" [2003-10-31 16:05]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-20 22:04:42]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
WinZip Quick Pick.lnk - C:\Program Files\WinZip110\WZQKPICK.EXE [2007-02-28 16:34:39]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\xune.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcseygzt]
pcseygzt.dll --ah----- 2007-07-21 21:29 323584 C:\WINDOWS\system32\pcseygzt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=


Contents of the 'Scheduled Tasks' folder
2006-08-08 00:33:52 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 21:31:14
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-21 21:33:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-21 21:32
C:\ComboFix2.txt ... 2007-07-21 18:28

--- E O F ---
british147 (Junior Member, 6 posts; joined Jul 2007)
22-Jul-2007, 01:57 PM #8
I'm still getting error messages about a trojan.
cybertech (Moderator, 65,838 posts; joined Apr 2002; Washington State)
22-Jul-2007, 06:18 PM #9
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\pcseygzt.dll
    C:\WINDOWS\system32\qwerty12.exe
    C:\WINDOWS\system32\b10FdUe
    C:\temp\0c2
    C:\temp\brr


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.
__________________
Microsoft MVP/Windows - Consumer Security
british147 (Junior Member, 6 posts; joined Jul 2007)
23-Jul-2007, 10:51 PM #10
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2007 at 11:43 PM

Application Version : 3.9.1008

Core Rules Database Version : 3272
Trace Rules Database Version: 1283

Scan type : Complete Scan
Total Scan Time : 01:27:50

Memory items scanned : 445
Memory threats detected : 1
Registry items scanned : 5676
Registry threats detected : 18
File items scanned : 89058
File threats detected : 147

Trojan.REGSCAN
C:\WINDOWS\SYSTEM32\REGSCAN.EXE
C:\WINDOWS\SYSTEM32\REGSCAN.EXE
[Regscan] C:\WINDOWS\SYSTEM32\REGSCAN.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PCSEYGZT.DLL
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-596918897-4040977404-3606967878-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\DESKTOP\AIMFIX_QUARANTINE\9205_GAH95ON6.EXE.BAK
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\AIMFIX_QUARANTINE\9205_GAH95ON6.EXE.BAK
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\HAMMER.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWS MEDIA PLAYER\QUSOXYCO83122.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\COMMAND.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PCSEYGZT.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019881.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019907.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019925.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0021015.DLL
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\PCSEYGZT.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@revsci[2].txt
C:\Documents and Settings\Owner\Cookies\owner@html[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt

Trojan.Windows Overlay Components/SysMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString

Adware.MediaMotor
C:\WINDOWS\Downloaded Program Files\amm06.inf
C:\WINDOWS\mm06y.ini
C:\WINDOWS\AMM06.OCX
C:\WINDOWS\LASTGOOD\AMM06.OCX
C:\WINDOWS\UNSTALL.EXE

Trojan.Malware
C:\asdf.txt

Trojan.PestTrap
HKU\S-1-5-21-596918897-4040977404-3606967878-1003\Software\SNO2

Adware.IEPlugin
C:\WINDOWS\lu.dat

Adware.Media Access
C:\Program Files\Media Access\Info.txt
C:\Program Files\Media Access\MediaAccC.dll
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access

Adware.ConsumerAlertSystem
C:\DIST13.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y03SUEJZ\DIST13[1].EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\CAS2STUB\CAS2STUB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SYSTEM FILES\PLUGIN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SYSTEM FILES\SYSTEM.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019883.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019886.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019887.EXE

Adware.SurfSideKick
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\X3HRT28M\SS1001[1].EXE
C:\SS1001NEWER.EXE

Trojan.Downloader-Gen/Doh
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y8U1ZP4S\DOHINST-103[1].0000

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO14.TMP
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO15.TMP
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO16.TMP
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO17.TMP
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO19.TMP
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\{18A19~1\SERVICES.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\KE.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\PF78.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\TELLER2.CHK.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013350.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019860.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019882.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019892.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019900.EXE
C:\WINDOWS\TEMPF.TXT

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\QOOBOX\QUARANTINE\C\DOCUME~1\OWNER\APPLIC~1\WINANTISPYWARE2007FREEINSTALL[1].EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013381.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019905.EXE

Trojan.WinSysBan
C:\QOOBOX\QUARANTINE\C\KYBRDFG_7.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019856.EXE

Trojan.CmdService
C:\QOOBOX\QUARANTINE\C\MTE3NDI6ODOXNG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\MTE3NDI6ODOXNGNEW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019857.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019858.EXE

Adware.Director
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\{18A19~1\UPDATE.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019893.EXE

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA120.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA196.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA249.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA3.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA313.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA327.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA649.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA774.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA855.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA970.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019867.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019868.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019869.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019870.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019871.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019872.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019873.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019874.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019875.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019876.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019877.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019878.DLL

Adware.k8l
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\XUNE.HTML.VIR

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019884.EXE

Trojan.Downloader-Gen/BasicMath
C:\QOOBOX\QUARANTINE\C\WINDOWS\DLS0523PMW.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019898.EXE

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\ASAPPSRV.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019880.DLL

Trojan.Downloader-VisFX
C:\QOOBOX\QUARANTINE\C\WINDOWS\OFFUN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019899.EXE

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AFJBKNTS.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MBTSNRFD.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PNWGMIXN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QWBGYJEE.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019913.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019914.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019916.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019917.EXE

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\B5\Z53.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019897.EXE

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FIQEVANV.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OHKGHPLR.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019915.EXE

Adware.SearchAssistant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32BEZ6N4R21.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019902.EXE

Unclassified.Unknown Origin/System
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32GHYNF.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019903.EXE

Adware.ZenoSearch
C:\QOOBOX\QUARANTINE\C\WINDOWS\TISKY009.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019909.EXE

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013257.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013346.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013380.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014412.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014428.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014446.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014460.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019908.EXE

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013233.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013241.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013242.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013334.EXE

Adware.ClickSpring-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013328.EXE

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013348.DLL

Adware.ClickSpring
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013349.EXE

Adware.ClickSpring/Outer Info Network
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013385.EXE

Trojan.Downloader-Gen/RetAd
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014465.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019611.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019630.EXE

Trojan.Rootkit-TnCore
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019615.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019624.SYS

Trojan.Freeprod
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019627.EXE

Malware.SystemDoctor
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019634.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019635.EXE

Trojan.Rootkit-TnCore/Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019896.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019924.DLL

Adware.Mirar/NetNucleus
C:\WINDOWS\MIRAR.EXE

-------------------------------------------------------------------------------------
Here is the HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 10:47:52 PM, on 7/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip110\WZQKPICK.EXE
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip110\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
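The detection list above mixes three very different kinds of hit, and only one of them still needs action: paths under C:\QOOBOX\QUARANTINE are copies ComboFix has already neutralised (hence the .VIR extension), paths under System Volume Information\_RESTORE are System Restore snapshots that nothing executes, and cookie or Temporary Internet Files entries are cache. By contrast C:\WINDOWS\MIRAR.EXE, the Media Access folder and the OvMon uninstall key are still installed. The script below is added here as an example; it is not output or code from SUPERAntiSpyware, ComboFix or any poster in this thread. It parses a scan list in this blank-line-separated format and sorts each family into active or dormant. The sample is a constructed subset of the log above and the classification rules are the author's own.

```python
"""Sort a SUPERAntiSpyware-style detection list into items that are still
live on disk and items that are only inert copies.

Added example (author's heuristics); SAMPLE_SCAN is a constructed subset
of the scan list posted above, not new data."""

SAMPLE_SCAN = r"""
Trojan.Windows Overlay Components/SysMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName

Adware.Media Access
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access

Adware.ConsumerAlertSystem
C:\DIST13.EXE
C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y03SUEJZ\DIST13[1].EXE
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\CAS2STUB\CAS2STUB.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019883.EXE

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019867.DLL

Adware.Mirar/NetNucleus
C:\WINDOWS\MIRAR.EXE
"""

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")


def classify(item: str) -> str:
    """Label one detection line by where it lives (rules are assumptions)."""
    up = item.upper()
    if up.startswith(REGISTRY_ROOTS):
        return "registry"          # still registered: needs removal
    if "\\QOOBOX\\QUARANTINE\\" in up:
        return "quarantined"       # ComboFix quarantine, already neutralised
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in up:
        return "restore_point"     # System Restore snapshot, never executed
    if ("\\TEMPORARY INTERNET FILES\\" in up
            or "\\LOCAL SETTINGS\\TEMP\\" in up
            or "\\COOKIES\\" in up):
        return "cache"             # browser cache / temp: delete, but not a foothold
    return "live"                  # on disk outside any quarantine


def parse_groups(text: str) -> dict:
    """Family name line, then its items, groups separated by blank lines."""
    groups, family = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            family = None
            continue
        if family is None:
            family = line
            groups.setdefault(family, [])
        else:
            groups[family].append(line)
    return groups


def summarize(text: str) -> dict:
    """Per family: 'active' if anything is still installed or registered,
    'dormant' if every hit is a quarantine, restore-point or cache copy."""
    out = {}
    for family, items in parse_groups(text).items():
        kinds = {classify(i) for i in items}
        out[family] = "active" if kinds & {"live", "registry"} else "dormant"
    return out


def action_items(text: str) -> list:
    """Paths and keys that still need removal, ignoring inert copies."""
    return [i for items in parse_groups(text).values() for i in items
            if classify(i) in ("live", "registry")]


if __name__ == "__main__":
    for family, status in summarize(SAMPLE_SCAN).items():
        print(f"{status:8} {family}")
    print("to remove:", *action_items(SAMPLE_SCAN), sep="\n  ")
```

The dormant copies are not ignored forever: the restore-point hits go away when System Restore is purged after the cleanup, and the Qoobox copies go away when ComboFix is uninstalled. What the triage buys you is a short list of items that are actually still on the machine.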
cybertech
Moderator with 65,838 posts.
Join Date: Apr 2002
Location: Washington State
24-Jul-2007, 12:05 PM #11
Run HJT again and put a check in the following:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)

Close all applications and browser windows before you click "fix checked".

How is it running now? Any problems?
__________________
Microsoft MVP/Windows - Consumer Security
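The four lines cybertech picked out share a pattern a triage script can catch: a registry reference whose target file is gone ("(no file)" on the O2 BHO entries, "(file missing)" on the O20 Winlogon Notify entry), plus the AppInit_DLLs value, which is a DLL-injection point worth clearing even when empty. The parser below is an added example, not HijackThis code or anything posted in this thread. It applies that rule set to a constructed sample of lines copied from the log; the severities are the author's heuristics, including treating a service whose binary is missing as "review" rather than "fix", because an O23 line can be the leftover of a half-uninstalled AV product, as the McShield entry above appears to be.

```python
"""Triage a HijackThis 1.99 log: flag the entry types a malware-removal
helper checks first.

Added example; the rules below are the author's heuristics, not HijackThis
functionality. SAMPLE_LOG is a constructed subset of the log posted above."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O2", "O20"
    line: str      # the log line exactly as written
    severity: str  # "fix", "review" or "info"
    reason: str


ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
MISSING = ("(no file)", "(file missing)")


def triage(log_text: str) -> list:
    """Walk every 'Oxx - ...' line and attach a finding where a rule fires."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        missing = any(tok in body for tok in MISSING)

        if sec == "O2" and missing:
            findings.append(Finding(sec, line, "fix",
                "BHO CLSID with no DLL on disk: orphaned registration, safe to remove"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding(sec, line, "review",
                    f"AppInit_DLLs loads {value} into every GUI process; verify each DLL"))
            else:
                findings.append(Finding(sec, line, "fix",
                    "empty AppInit_DLLs value: clearing it is harmless and removes the hook"))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            target = body.split(" - ", 1)[1] if " - " in body else ""
            if missing:
                findings.append(Finding(sec, line, "fix",
                    "Winlogon Notify package whose DLL is gone: orphan left by removed malware"))
            elif "\\" not in target:
                findings.append(Finding(sec, line, "review",
                    "Winlogon Notify DLL given without a path: loaded from system32 at logon, confirm publisher"))
        elif sec == "O23":
            if missing:
                findings.append(Finding(sec, line, "review",
                    "service binary missing: orphan entry; confirm it is not an AV component awaiting reinstall"))
            elif "Unknown owner" in body:
                findings.append(Finding(sec, line, "review",
                    "service binary carries no publisher string; check the path by hand"))
        elif sec == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else ""
            if cmd and "\\" not in cmd:
                findings.append(Finding(sec, line, "info",
                    "Run entry with bare filename, resolved via the search path; confirm which file runs"))
    return findings


def fix_list(log_text: str) -> list:
    """Lines you would tick in HijackThis before pressing 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
```

The "fix" list this produces for the sample is exactly the four entries in the post above. The "info" hit on VTTimer.exe is deliberately not a fix: bare filenames in Run keys are common for OEM drivers (ALCXMNTR.EXE and LTMSG.exe in the same log are the same shape), and the right response is to confirm the file's publisher, not to delete the entry.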
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.