
Help! back door trojan

Discussion in 'Virus & Other Malware Removal' started by british147, Jul 18, 2007.

  1. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    I keep getting errors saying I have a 'back door trojan' as well as numerous pop ups.

    Here is the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:59 AM, on 7/18/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\WINDOWS\svhost.exe
    C:\WINDOWS\retadpu77.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip110\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\qwerty12.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\retadpu77.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xvyar.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jqfedyr.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\System32\pcseygzt.dll
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
    O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip110\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O20 - AppInit_DLLs:
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vixxnnc.exe (file missing)



    Help!!!! Thanks.
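The entries a helper keys on in a log like the one above (the F2 Shell/UserInit chain, Run and Startup entries executing from C:\WINDOWS or a Temp folder, and ownerless services in system directories) can be pulled out mechanically. The script below is an added example, not part of this thread or of HijackThis; it assumes the Windows directory is C:\WINDOWS as in the log, and its sample input is constructed from lines of that log plus a few benign entries.

```python
"""Flag the persistence patterns in a HijackThis v1.99 log (added example).

Three checks a forum helper applies by eye, written as code:
  F2  - a second program chained into the system.ini Shell= or UserInit= value
  O4  - a Run/Startup entry whose binary sits in the Windows root or a Temp folder
  O23 - a service with no vendor (or "Unknown owner") in the Windows or System32 dir
"""
import re
from pathlib import PureWindowsPath

WINDIR = r"c:\windows"             # assumed XP default (matches the log above)
SYSTEM32 = r"c:\windows\system32"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?) = (?P<cmd>.*)$")
# Separators are "\s*-\s*" because an empty owner prints as "Name - - path".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?)\s*-\s*(?P<owner>.*?)\s*-\s*"
    r"(?P<path>.*?)(?P<missing>\s*\(file missing\))?$"
)

def _exe_path(command):
    """Return the program path from a Run/Startup command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def _parent(path):
    return str(PureWindowsPath(path).parent).lower()

def _finding(section, reason, item):
    return {"section": section, "reason": reason, "item": item}

def check_f2(line):
    m = F2_RE.match(line)
    if not m:
        return []
    expected = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}[m["key"]]
    out = []
    for part in m["value"].split(","):        # UserInit legitimately ends with ","
        part = part.strip()
        if part and PureWindowsPath(part).name.lower() != expected:
            out.append(_finding("F2", f"extra program chained into {m['key']}=", part))
    return out

def check_o4(line):
    m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return []
    path = _exe_path(m["cmd"])
    # A bare file name such as "LTMSG.exe" carries no directory and is not judged.
    if _parent(path) == WINDIR:
        return [_finding("O4", f"[{m['name']}] runs from the Windows directory root", path)]
    if "temp" in (p.lower() for p in PureWindowsPath(path).parts):
        return [_finding("O4", f"[{m['name']}] runs from a Temp folder", path)]
    return []

def check_o23(line):
    m = O23_RE.match(line)
    if not m:
        return []
    owner = m["owner"].strip()
    if owner and owner.lower() != "unknown owner":
        return []
    if _parent(m["path"]) not in (WINDIR, SYSTEM32):
        return []
    reason = f"service '{m['name']}' has no vendor and sits in a system directory"
    if m["missing"]:
        reason += " (file missing: orphaned registration)"
    return [_finding("O23", reason, m["path"])]

def triage(log_text):
    """Return a list of {'section', 'reason', 'item'} findings for a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for check in (check_f2, check_o4, check_o23):
            findings.extend(check(line))
    return findings

# Constructed sample: lines copied from the log above, plus benign McAfee, HP and
# KernelFaultCheck entries so every check has something it must leave alone.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\xvyar.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jqfedyr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\vixxnnc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['reason']}: {f['item']}")
```

Entries with a bare file name (ALCXMNTR.EXE, LTMSG.exe) are resolved through the PATH and are not judged by these rules; the ComboFix listing later in the thread is what tells you where they actually live.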
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
     
  3. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    I can follow the directions up to the "open the extracted SDFix folder" step. I can't find any SDFix folder. I do have an icon on the desktop that is SDTrial. It is for Spyware Doctor, which I don't actually have. I have also searched for this folder with no luck. Help!
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    The folder should be at C:\SDFix unless you changed the location when you ran the downloaded program.
     
  5. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    SDFix: Version 1.92

    Run by Owner on Fri 07/20/2007 at 09:45 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    core
    runtime
    runtime2
    Windows Overlay Components

    ImagePath:
    system32\drivers\core.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    \SystemRoot\system32\drivers\runtime2.sys
    C:\WINDOWS\vixxnnc.exe

    core - Deleted
    runtime2 - Deleted
    Windows Overlay Components - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32\diskperf.dll - Deleted
    C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
    C:\Documents and Settings\Owner\Recent\WinAntiSpyware 2007.lnk - Deleted
    C:\Documents and Settings\Owner\Application Data\Install.dat - Deleted
    C:\DOCUME~1\Owner\LOCALS~1\Temp\abc123.pid - Deleted
    C:\DOCUME~1\Owner\LOCALS~1\Temp\mc-110-12-0000103.exe - Deleted
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe - Deleted
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D17M1107NetInstaller.exe - Deleted
    C:\WINDOWS\poolsv.exe - Deleted
    C:\WINDOWS\retadpu.exe - Deleted
    C:\WINDOWS\retadpu1000106.exe - Deleted
    C:\WINDOWS\retadpu77.exe - Deleted
    C:\WINDOWS\svhost.exe - Deleted
    C:\WINDOWS\system32\7_exception.nls - Deleted
    C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
    C:\WINDOWS\system32\drivers\core.sys - Deleted
    C:\WINDOWS\system32\form.txt - Deleted
    C:\WINDOWS\tcb.pmw - Deleted
    C:\WINDOWS\Temp\startdrv.exe - Deleted
    C:\WINDOWS\Uninst2.htm - Deleted
    C:\WINDOWS\Unist1.htm - Deleted
    C:\WINDOWS\wr.txt - Deleted
    C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    "C:\\WINDOWS\\System32\\qwerty12.exe"="C:\\WINDOWS\\System32\\qwe"

    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Documents and Settings\Administrator\NetHood\jobs on www.osuhousing.com\Desktop.ini
    C:\Documents and Settings\Administrator\NetHood\RASelection on www.osuhousing.com\Desktop.ini
    C:\Documents and Settings\Default User\NetHood\jobs on www.osuhousing.com\Desktop.ini
    C:\Documents and Settings\Default User\NetHood\RASelection on www.osuhousing.com\Desktop.ini
    C:\Documents and Settings\Owner\NetHood\jobs on www.osuhousing.com\Desktop.ini
    C:\Documents and Settings\Owner\NetHood\RASelection on www.osuhousing.com\Desktop.ini
    C:\WINDOWS\IA\asappsrv.dll
    C:\WINDOWS\system32\pcseygzt.dllbox
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\IA\command.exe
    C:\WINDOWS\SMINST\HPCD.sys
    C:\Documents and Settings\Administrator\My Documents\~WRL0003.tmp
    C:\Documents and Settings\Administrator\My Documents\~WRL0788.tmp
    C:\Documents and Settings\Administrator\My Documents\~WRL3418.tmp
    C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0001.tmp
    C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0053.tmp
    C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL0481.tmp
    C:\Documents and Settings\Administrator\My Documents\Old Classes\350\~WRL1490.tmp
    C:\Documents and Settings\Default User\My Documents\~WRL0003.tmp
    C:\Documents and Settings\Default User\My Documents\~WRL0788.tmp
    C:\Documents and Settings\Default User\My Documents\~WRL3418.tmp
    C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0001.tmp
    C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0053.tmp
    C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL0481.tmp
    C:\Documents and Settings\Default User\My Documents\Old Classes\350\~WRL1490.tmp
    C:\Documents and Settings\Owner\My Documents\~WRL0003.tmp
    C:\Documents and Settings\Owner\My Documents\~WRL0788.tmp
    C:\Documents and Settings\Owner\My Documents\~WRL3418.tmp
    C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0001.tmp
    C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0053.tmp
    C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL0481.tmp
    C:\Documents and Settings\Owner\My Documents\Old Classes\fall05\hospmngt350\~WRL1490.tmp
    C:\WINDOWS\LastGood.Tmp\INF\dasetup.inf
    C:\WINDOWS\LastGood.Tmp\INF\dasetup.PNF
    C:\WINDOWS\LastGood.Tmp\INF\mdacxpak.inf
    C:\WINDOWS\LastGood.Tmp\INF\mdacxpak.PNF
    C:\WINDOWS\LastGood.Tmp\INF\msxmlx.inf
    C:\WINDOWS\LastGood.Tmp\INF\msxmlx.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem78.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem78.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem79.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem79.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem80.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem80.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem81.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem81.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem82.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem82.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem83.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem83.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem84.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem84.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem85.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem85.PNF
    C:\WINDOWS\LastGood.Tmp\INF\oem86.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem86.PNF
    C:\WINDOWS\LastGood.Tmp\INF\rspfiles.inf
    C:\WINDOWS\LastGood.Tmp\INF\rspfiles.PNF
    C:\WINDOWS\LastGood.Tmp\INF\sqlnet.inf
    C:\WINDOWS\LastGood.Tmp\INF\sqlnet.PNF
    C:\WINDOWS\LastGood.Tmp\INF\sqlodbc.inf
    C:\WINDOWS\LastGood.Tmp\INF\sqlodbc.PNF
    C:\WINDOWS\LastGood.Tmp\INF\sqloldb.inf
    C:\WINDOWS\LastGood.Tmp\INF\sqloldb.PNF
    C:\WINDOWS\LastGood.Tmp\INF\sqlxmlxp.inf
    C:\WINDOWS\LastGood.Tmp\INF\sqlxmlxp.PNF
    C:\WINDOWS\LastGood.Tmp\INF\wdsetup.inf
    C:\WINDOWS\LastGood.Tmp\INF\wdsetup.PNF
    C:\WINDOWS\IA\KE.vbs

    Finished
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
     
  7. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    "Owner" - 2007-07-21 21:24:13 - ComboFix 07-07-17.8 - Service Pack 1 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\pcseygzt.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\pcseygzt.dll

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\~.exe


    ((((((((((((((((((((((((( Files Created from 2007-06-22 to 2007-07-22 )))))))))))))))))))))))))))))))


    2007-07-21 18:11 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-20 22:04 <DIR> d-------- C:\Program Files\Google
    2007-07-20 22:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-07-20 21:44 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-07-18 21:37 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-07-18 21:37 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\System
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Yahoo! Messenger
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Template
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SmartDraw
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Musicmatch
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lycos
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Leadertech
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterVideo
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\HP
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Common Files
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Aim
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ACDInTouch
    2007-07-18 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\ACD Systems
    2007-07-18 18:48 <DIR> d-------- C:\Program Files\Spyware Doctor
    2007-07-18 18:32 119,512 --a------ C:\WINDOWS\installer4x.exe
    2007-07-17 19:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Talkback
    2007-07-16 22:47 85,720 --a------ C:\WINDOWS\system32\regwiz.dll
    2007-07-16 22:46 323,584 --ah----- C:\WINDOWS\system32\pcseygzt.dll
    2007-07-15 22:02 50,688 --a------ C:\WINDOWS\system32\qwerty12.exe
    2007-07-14 18:21 <DIR> d-------- C:\WINDOWS\system32\driver
    2007-07-14 18:21 <DIR> d-------- C:\WINDOWS\system32\b10FdUe
    2007-07-14 18:21 <DIR> d-------- C:\temp\brr
    2007-07-14 18:21 <DIR> d-------- C:\temp\0c2
    2007-06-28 21:47 <DIR> d-------- C:\Program Files\FreeRIP3


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-21 22:20:05 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-07-21 21:56:30 1,648 ----a-w C:\WINDOWS\system32\d3d8caps.dat
    2007-07-14 23:21:10 -------- d-----w C:\Program Files\AVPersonal
    2007-06-25 03:03:22 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
    2007-06-09 20:26:59 -------- d-----w C:\Program Files\SystemRequirementsLab
    2007-06-09 20:26:59 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\SystemRequirementsLab
    2006-05-30 02:29:36 35,456 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
    2004-05-16 08:53:58 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2003-05-15 10:47 50376 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
    2006-11-30 09:50 67136 --a------ C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-07-21 21:29 323584 --ah----- C:\WINDOWS\system32\pcseygzt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
    2007-07-20 22:04 324536 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
    "VTTimer"="VTTimer.exe" [2003-05-08 02:32 C:\WINDOWS\system32\VTTimer.exe]
    "AlcxMonitor"="ALCXMNTR.EXE" [2003-04-03 16:35 C:\WINDOWS\ALCXMNTR.EXE]
    "LTMSG"="LTMSG.exe" [2003-07-14 20:52 C:\WINDOWS\ltmsg.exe]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 14:39]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-07-21 02:33]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RecordNow!"="" []
    "NVIEW"="nview.dll,nViewLoadHook" []
    "Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-04-27 16:44]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-20 22:04]
    "Regscan"="C:\WINDOWS\System32\regscan.exe" [2003-10-31 16:05]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-20 22:04:42]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip110\WZQKPICK.EXE [2007-02-28 16:34:39]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\Program Files\MSN Gaming Zone\xune.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcseygzt]
    pcseygzt.dll --ah----- 2007-07-21 21:29 323584 C:\WINDOWS\system32\pcseygzt.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=


    Contents of the 'Scheduled Tasks' folder
    2006-08-08 00:33:52 C:\WINDOWS\tasks\Symantec NetDetect.job

    **************************************************************************

    catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-21 21:31:14
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-21 21:33:08 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-21 21:32
    C:\ComboFix2.txt ... 2007-07-21 18:28

    --- E O F ---
     
  8. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    I'm still getting error messages about a trojan.
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\pcseygzt.dll
      C:\WINDOWS\system32\qwerty12.exe
      C:\WINDOWS\system32\b10FdUe
      C:\temp\0c2
      C:\temp\brr


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt.
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  10. british147

    british147 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    6
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/22/2007 at 11:43 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3272
    Trace Rules Database Version: 1283

    Scan type : Complete Scan
    Total Scan Time : 01:27:50

    Memory items scanned : 445
    Memory threats detected : 1
    Registry items scanned : 5676
    Registry threats detected : 18
    File items scanned : 89058
    File threats detected : 147

    Trojan.REGSCAN
    C:\WINDOWS\SYSTEM32\REGSCAN.EXE
    C:\WINDOWS\SYSTEM32\REGSCAN.EXE
    [Regscan] C:\WINDOWS\SYSTEM32\REGSCAN.EXE

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
    HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
    HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
    HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
    HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PCSEYGZT.DLL
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
    HKU\S-1-5-21-596918897-4040977404-3606967878-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}
    C:\DOCUMENTS AND SETTINGS\DEFAULT USER\DESKTOP\AIMFIX_QUARANTINE\9205_GAH95ON6.EXE.BAK
    C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\AIMFIX_QUARANTINE\9205_GAH95ON6.EXE.BAK
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\HAMMER.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWS MEDIA PLAYER\QUSOXYCO83122.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\COMMAND.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PCSEYGZT.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019881.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019907.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019925.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0021015.DLL
    C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\PCSEYGZT.DLL

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
    HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
    HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}

    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
    C:\Documents and Settings\Owner\Cookies\[email protected][1].txt

    Trojan.Windows Overlay Components/SysMon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString

    Adware.MediaMotor
    C:\WINDOWS\Downloaded Program Files\amm06.inf
    C:\WINDOWS\mm06y.ini
    C:\WINDOWS\AMM06.OCX
    C:\WINDOWS\LASTGOOD\AMM06.OCX
    C:\WINDOWS\UNSTALL.EXE

    Trojan.Malware
    C:\asdf.txt

    Trojan.PestTrap
    HKU\S-1-5-21-596918897-4040977404-3606967878-1003\Software\SNO2

    Adware.IEPlugin
    C:\WINDOWS\lu.dat

    Adware.Media Access
    C:\Program Files\Media Access\Info.txt
    C:\Program Files\Media Access\MediaAccC.dll
    C:\Program Files\Media Access\MediaAccess.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\Program Files\Media Access

    Adware.ConsumerAlertSystem
    C:\DIST13.EXE
    C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y03SUEJZ\DIST13[1].EXE
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\CAS2STUB\CAS2STUB.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SYSTEM FILES\PLUGIN.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SYSTEM FILES\SYSTEM.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019883.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019886.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019887.EXE

    Adware.SurfSideKick
    C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\X3HRT28M\SS1001[1].EXE
    C:\SS1001NEWER.EXE

    Trojan.Downloader-Gen/Doh
    C:\DOCUMENTS AND SETTINGS\DEFAULT USER\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\Y8U1ZP4S\DOHINST-103[1].0000

    Trojan.Unknown Origin
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO14.TMP
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO15.TMP
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO16.TMP
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO17.TMP
    C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\ICO19.TMP
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\{18A19~1\SERVICES.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\KE.VBS.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\PF78.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TELLER2.CHK.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013350.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019860.VBS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019882.VBS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019892.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019900.EXE
    C:\WINDOWS\TEMPF.TXT

    BearShare File Sharing Client
    C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\QOOBOX\QUARANTINE\C\DOCUME~1\OWNER\APPLIC~1\WINANTISPYWARE2007FREEINSTALL[1].EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013381.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019905.EXE

    Trojan.WinSysBan
    C:\QOOBOX\QUARANTINE\C\KYBRDFG_7.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019856.EXE

    Trojan.CmdService
    C:\QOOBOX\QUARANTINE\C\MTE3NDI6ODOXNG.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\MTE3NDI6ODOXNGNEW.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019857.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019858.EXE

    Adware.Director
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\{18A19~1\UPDATE.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019893.EXE

    Trojan.ZQuest
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA120.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA196.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA249.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA3.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA313.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA327.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA649.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA774.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA855.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\TEFA970.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019867.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019868.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019869.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019870.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019871.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019872.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019873.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019874.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019875.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019876.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019877.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019878.DLL

    Adware.k8l
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN GAMING ZONE\XUNE.HTML.VIR

    Trojan.NetMon/DNSChange
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019884.EXE

    Trojan.Downloader-Gen/BasicMath
    C:\QOOBOX\QUARANTINE\C\WINDOWS\DLS0523PMW.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019898.EXE

    Adware.Adservs
    C:\QOOBOX\QUARANTINE\C\WINDOWS\IA\ASAPPSRV.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019880.DLL

    Trojan.Downloader-VisFX
    C:\QOOBOX\QUARANTINE\C\WINDOWS\OFFUN.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019899.EXE

    Adware.Vundo/Traff-2
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AFJBKNTS.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MBTSNRFD.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\PNWGMIXN.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QWBGYJEE.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019913.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019914.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019916.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019917.EXE

    Adware.SysMon
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\B5\Z53.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019897.EXE

    Trojan.Downloader-Gen/TStamp
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FIQEVANV.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OHKGHPLR.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019915.EXE

    Adware.SearchAssistant
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32BEZ6N4R21.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019902.EXE

    Unclassified.Unknown Origin/System
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32GHYNF.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019903.EXE

    Adware.ZenoSearch
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TISKY009.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019909.EXE

    Trojan.ZQuest-Installer
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013257.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013346.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013380.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014412.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014428.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014446.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014460.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019908.EXE

    Adware.WebBuying Assistant-Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013233.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013241.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013242.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013334.EXE

    Adware.ClickSpring-Variant
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013328.EXE

    Adware.ClickSpring/Resident
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013348.DLL

    Adware.ClickSpring
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013349.EXE

    Adware.ClickSpring/Outer Info Network
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0013385.EXE

    Trojan.Downloader-Gen/RetAd
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0014465.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019611.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019630.EXE

    Trojan.Rootkit-TnCore
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019615.SYS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019624.SYS

    Trojan.Freeprod
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019627.EXE

    Malware.SystemDoctor
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019634.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019635.EXE

    Trojan.Rootkit-TnCore/Installer
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019896.EXE

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP302\A0019924.DLL

    Adware.Mirar/NetNucleus
    C:\WINDOWS\MIRAR.EXE
    -------------------------------------------------------------------------------------
    Here is the HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:47:52 PM, on 7/23/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip110\WZQKPICK.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip110\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)
    O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)

    Close all applications and browser windows before you click "fix checked".

    How is it running now? Any problems?
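The check applied in the reply above (tick the O2 and O20 entries whose target file no longer exists, then "Fix checked") can be automated against the log text itself. The Python parser below is an added example, not code from HijackThis or from anyone in this thread. It reads HijackThis-format lines (the sample lines are copied from the log posted above), extracts the section, CLSID and file path from each, and flags entries HijackThis marks as "(no file)" or "(file missing)". The class and function names are my own.

```python
"""Parse HijackThis log lines and flag orphaned registry entries.

Added example for this thread; not code from HijackThis or the posters.
SAMPLE_LOG is a constructed sample: the lines are copied from the log above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O20 - AppInit_DLLs:",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: pcseygzt - pcseygzt.dll (file missing)",
    r"O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe (file missing)",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe",
]

# Every HJT entry starts with its section code ("R1", "O2", "O20", ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    kind: str             # HJT section, e.g. "O2", "O20", "O23"
    body: str             # everything after "O2 - "
    clsid: Optional[str]  # GUID if the entry carries one (BHOs, toolbars, ActiveX)
    path: Optional[str]   # file the entry points at, if any
    orphaned: bool        # still registered, but the file it names is gone
    blank: bool           # value present but empty, e.g. "AppInit_DLLs:"


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT line, or None for headers and process lists."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    blank = body.endswith(":")
    # HJT writes "(no file)" in place of the path, or appends "(file missing)".
    orphaned = body.endswith("(no file)") or body.endswith("(file missing)")
    path: Optional[str] = None
    if not blank and not body.endswith("(no file)"):
        last = body.rsplit(" - ", 1)[-1]          # path is the last " - " field
        path = last.replace("(file missing)", "").strip() or None
    return Entry(kind, body, clsid, path, orphaned, blank)


def parse_log(lines: List[str]) -> List[Entry]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def orphaned_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group orphaned entries by section so they can be reviewed per type."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.orphaned:
            out.setdefault(e.kind, []).append(e.body)
    return out


def hjt_check_list(entries: List[Entry]) -> List[str]:
    """Lines to tick in HJT before "Fix checked": O2/O20 pointers whose target
    file is gone, plus a blank O20 value (the reply above includes the empty
    AppInit_DLLs line). O23 orphans are Windows services; they show up in
    orphaned_entries() but are left out here, as they were in the thread."""
    return [f"{e.kind} - {e.body}" for e in entries
            if e.kind in ("O2", "O20") and (e.orphaned or e.blank)]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for section, bodies in orphaned_entries(parsed).items():
        print(f"{section} orphaned:")
        for b in bodies:
            print("  ", b)
    print("\nCheck in HJT:")
    for line in hjt_check_list(parsed):
        print("  ", line)
```

Run against the full log text rather than the sample and the check list comes out in the same order the entries appear in the log, which makes it easy to compare with what a helper posts. An orphaned O20 Winlogon Notify entry such as pcseygzt is worth a second look even after the fix, since a DLL that has been removed from disk while its registration survives is the usual leftover of a Vundo-family cleanup.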
Short URL to this thread: https://techguy.org/597151