Search Daily + Maybe More...


21 replies to this topic

#1 balniks

  • Members
  • 18 posts

Posted 28 September 2007 - 04:58 PM

Having some major issues with my computer crashing and doing weird things...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:30 AM, on 9/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: (no name) - {3C829FF6-7A2E-4861-81AC-AFEB7CE8E430} - c:\windows\system32\wdzinqka.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AuditMode] C:\sysprep\factory.exe -logon
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\System32\CSRSSU.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rsts] "C:\DOCUME~1\Harry\APPLIC~1\ASEMBL~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [{124311F5-063A-1033-0814-040402250001}] "C:\Program Files\Common Files\{124311F5-063A-1033-0814-040402250001}\Update.exe" mc-110-12-0000137
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O17 - HKLM\System\CCS\Services\Tcpip\..\{911F128C-1E50-4135-BFCC-A1D42A5828F0}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 8120 bytes




Thanks guys.
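Added example (not code from this thread or from HijackThis): a Python triage script that applies the checks a log reviewer makes to lines taken from the log above, namely the 4count.com search redirect, the nameless BHO and the Winlogon Notify entry that share gpkcspi.dll, autostarts that run from the user profile or imitate Windows binary names, the explicit NameServer setting, and the orphaned SSODL entry. The expected-host allowlist and the list of commonly imitated Windows binary names are assumptions made for the example.

```python
"""Triage helper for HijackThis v2 logs: parse the R/F/O entries and flag the
ones a log reviewer would examine first. Added example; not part of HijackThis."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\System32\CSRSSU.EXE
O4 - HKCU\..\Run: [Rsts] "C:\DOCUME~1\Harry\APPLIC~1\ASEMBL~1\wuauclt.exe" -vt yazb
O17 - HKLM\System\CCS\Services\Tcpip\..\{911F128C-1E50-4135-BFCC-A1D42A5828F0}: NameServer = 203.194.27.57 203.194.56.150
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""

# Assumption: hosts this machine's owner expects in R0/R1 browser settings.
EXPECTED_HOSTS = {"google.com", "www.benq.com"}
# Assumption: Windows binaries whose names malware commonly borrows. The real
# copies live under %SystemRoot%, so the same name elsewhere deserves a look.
SYSTEM_NAMES = {"wuauclt.exe", "csrss.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|sys))"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a reviewer should look at it
    line: str      # the log line as posted


def extract_path(body: str) -> str:
    """Return the first Windows file path in an entry body, lower-cased, or ''."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else ""


def triage(log_text: str, expected_hosts: set[str] = EXPECTED_HOSTS) -> list[Finding]:
    parsed = []
    for raw in (ln.strip() for ln in log_text.splitlines()):
        m = ENTRY_RE.match(raw)
        if m:
            parsed.append((m.group(1), m.group(2), raw, extract_path(m.group(2))))
    # One DLL registered at several load points (BHO and Winlogon Notify here)
    # is a signal on its own, so count references before judging entries.
    dll_refs = Counter(p for s, _, _, p in parsed if s in ("O2", "O20") and p)

    findings: list[Finding] = []
    for section, body, raw, path in parsed:
        base = path.rsplit("\\", 1)[-1]
        reason = ""
        if section in ("R0", "R1") and "http" in body:
            host = (urlparse(body.split("=", 1)[1].strip()).hostname or "").lower()
            if host and host not in expected_hosts:
                reason = f"browser search/start setting points at unexpected host {host}"
        elif section == "O2" and "(no name)" in body and "\\system32\\" in path:
            reason = "nameless BHO loading a DLL from System32"
        elif section == "O4":
            if base in SYSTEM_NAMES and "\\windows\\" not in path:
                reason = f"Windows binary name {base} running from outside %SystemRoot%"
            elif "\\docume" in path:
                reason = "autostart launched from a user profile directory"
            elif base not in SYSTEM_NAMES and any(base.startswith(n[:-4]) for n in SYSTEM_NAMES):
                reason = f"autostart name {base} imitates a Windows binary"
        elif section == "O17":
            reason = "DNS servers set explicitly; confirm they belong to the ISP"
        elif section == "O20":
            subkey = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            notes = []
            if subkey != base.rsplit(".", 1)[0]:
                notes.append(f"subkey name {subkey!r} does not match DLL {base}")
            if dll_refs[path] > 1:
                notes.append(f"same DLL registered at {dll_refs[path]} load points")
            reason = "Winlogon Notify: " + "; ".join(notes) if notes else ""
        elif section == "O21" and "(file missing)" in body:
            reason = "orphaned ShellServiceObjectDelayLoad entry (DLL missing)"
        if reason:
            findings.append(Finding(section, reason, raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Every flag is a prompt for the reviewer to check the file, not a verdict; the SynTPEnh autostart and the Google Toolbar BHO in the sample pass untouched.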


#2 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 29 September 2007 - 10:46 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, balniks :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed.
Download/install one of the following freeware options from the choice below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/


I also see no signs of a firewall, and you only have Service Pack 1 installed.
I suggest you download/install one of the following freeware firewalls from below:

Sygate Personal Firewall Free Edition:
http://www.filehippo.com/download_sygate_personal_firewall/

Zone Alarm Free:
http://download.zonelabs.com/bin/free/1001..._737_000_en.exe

Comodo Personal Firewall:
http://www.personalfirewall.comodo.com/

Outpost Firewall Free:
http://www.agnitum.com/products/outpostfree/index.php

You should read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/


Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Note:
If you have previously downloaded ComboFix, please delete that version and download it again from below.
Download ComboFix and save to your desktop:
Note:
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on ComboFix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log please.

#3 balniks

  • Topic Starter

  • Members
  • 18 posts

Posted 29 September 2007 - 11:24 PM

Hi and thanks a heap for helping out.

I removed a few older malware programs I had, SpyHunter and Prevx1. I've had to do a system restore after I deleted them and they are not operational but are still starting up on startup... which is a little frustrating. I downloaded the things you said (firewall and antivirus, though not running through startup yet...) and did a ComboFix before an SDFix, so if that makes any difference in the reports I'm not sure. I also had downloaded STOPzilla before I posted my original HijackThis log, but for some reason now it won't open up... but I will look into this later.

SDFix:

SDFix: Version 1.107

Run by Harry on Sun 09/30/2007 at 02:08 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:


Finished!


--------------------------------------------------

ComboFix 07-09-30.5 - Harry 2007-09-30 13:47:41.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.316 [GMT 10:00]
Running from: C:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\Q13CLORE\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006
C:\Documents and Settings\Harry\Application Data\ASEMBL~1
C:\Documents and Settings\Harry\Application Data\ASEMBL~1\a?sembly\
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\WINDOWS\system32\drivers\jgvvlvma.sys
C:\WINDOWS\system32\drivers\mseygwdq.sys . . . . failed to delete
C:\WINDOWS\system32\gpkcspi.dll . . . . failed to delete
C:\WINDOWS\system32\gpkcspi.dll.bak . . . . failed to delete
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\kprof
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_FOPN
-------\LEGACY_GTTSQEPE
-------\LEGACY_POOF
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\LEGACY_ZMBUINEZ
-------\gttsqepe
-------\vspf
-------\vspf_hk
-------\zmbuinez


((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-30 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 13:13 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2007-09-30 13:13 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Prevx
2007-09-30 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-30 12:37 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Comodo
2007-09-30 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-09-30 11:35 <DIR> d-------- C:\Documents and Settings\Harry\.SunDownloadManager
2007-09-30 11:33 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-30 11:33 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-30 11:33 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-30 11:33 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-30 11:33 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-30 11:33 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-30 11:33 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-30 11:33 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-30 09:20 741,632 --a------ C:\WINDOWS\system32\jlasurxx.dat
2007-09-30 09:20 35,584 --a------ C:\WINDOWS\system32\yirmraoa.dat
2007-09-30 09:20 34,560 --a------ C:\WINDOWS\system32\joqkotjt.dat
2007-09-30 09:20 114,432 --a------ C:\WINDOWS\system32\ibzrautq.dat
2007-09-29 07:18 <DIR> d-------- C:\Program Files\Prevx1(2)
2007-09-29 07:18 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Prevx(2)
2007-09-29 07:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx(2)
2007-09-28 09:23 <DIR> d-------- C:\Program Files\STOPzilla!
2007-09-28 09:23 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-28 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-09-20 12:22 73,728 --a------ C:\WINDOWS\system32\kreiglqp.dll
2007-09-20 12:22 66,048 --a------ C:\WINDOWS\system32\wdzinqka.dll
2007-09-20 12:22 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-09-20 12:22 125,440 --a------ C:\WINDOWS\system32\wfxgmmus.dll
2007-09-20 11:56 81,920 --a------ C:\WINDOWS\system32\gpkcspi.dll
2007-09-20 11:54 104,804 --a------ C:\WINDOWS\system32\wmim.dll
2007-09-20 11:49 17,664 C:\WINDOWS\system32\drivers\mseygwdq.sys
2007-09-20 11:35 15,872 --a------ C:\WINDOWS\system32\48ixkzcaai.exe
2007-09-19 11:30 225,280 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-09-13 16:36 311,296 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-09-13 16:36 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-09-13 16:35 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-09-13 16:35 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-09-13 16:35 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-09-13 16:34 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-09-13 16:34 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-09-13 16:34 700,416 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-09-13 16:34 200,704 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-09-07 09:07 <DIR> d-------- C:\Program Files\fdrlab
2007-09-07 08:45 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-09-05 12:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-05 07:51 <DIR> d-------- C:\Documents and Settings\TEMP\Incomplete
2007-09-03 14:45 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-22 06:34 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Apple Computer
2007-08-21 18:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-21 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-21 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-18 16:05 <DIR> d-------- C:\Program Files\QuickTime
2007-08-15 13:44 <DIR> d--hs---- C:\FOUND.005
2007-08-09 18:20 28,928 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2007-08-02 11:57 <DIR> d--hs---- C:\FOUND.004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 11:50 2048 --a------ C:\WINDOWS\system32\drivers\9478CE57-ACFA-4681-976D-30931278AE49.cxv
2007-09-28 09:37 5120 --a------ C:\WINDOWS\system32\drivers\9511213A-87EE-42DA-B3AA-50BC9C968D4C.cxv
2002-11-18 17:20 30976 --a------ C:\WINDOWS\inf\GV3.SYS
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0FD2AB-87E9-405D-AB65-872CEB154DF4}]
2007-09-29 07:40 81920 --a------ c:\windows\system32\gpkcspi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C829FF6-7A2E-4861-81AC-AFEB7CE8E430}]
2007-09-28 08:29 66048 --a------ c:\windows\system32\wdzinqka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E25B79A-BF00-406C-998F-FC777DA2BE19}]
2002-08-29 12:00 104804 --a------ C:\WINDOWS\System32\wmim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AuditMode"="C:\sysprep\factory.exe" []
"Q-HotkeyMgr"="C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe" [2003-09-23 17:25]
"Ulead Memory Card Detector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe" [2003-05-14 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 13:59 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 18:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 18:44]
"QMusic"="C:\Program Files\BenQ\QMusic2\QMAgent.exe" [2003-10-23 14:32]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:21]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
"Q-MediaBar"="C:\Program Files\BenQ\Q-MediaBar\QBar.exe" []
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2006-06-28 16:38]
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" [2006-06-28 17:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-18 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Windows Update Client "="C:\WINDOWS\system32\wuclient.exe" []
"CSRSSU"="C:\WINDOWS\System32\CSRSSU.EXE" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"Rsts"="C:\DOCUME~1\Harry\APPLIC~1\ASEMBL~1\wuauclt.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 15:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-07-29 16:14:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]

C:\Documents and Settings\Harry\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-05-14 19:25:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-07-29 16:14:16]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"= {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll [ ]

R0 gttsqepe;gttsqepe;C:\WINDOWS\System32\drivers\mseygwdq.sys
R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\System32\drivers\pxfsf.sys
R1 PrevxTdi;PREVX Tdi filter;C:\WINDOWS\System32\drivers\pxtdi.sys
R3 EMCR;EMCR;C:\WINDOWS\System32\DRIVERS\EMCR7SK.sys
R3 w70n51;Intel® PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\System32\DRIVERS\w70n51.sys
S3 jbmhmr,dll;jbmhmr,dll;\??\C:\Program Files\BenQ\Q-HotkeyMgr\jbmhmr.dll
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PrevxEmulator;PREVX Emulator Driver;C:\WINDOWS\System32\drivers\pxemu.sys
S3 PXRDDriver;PREVX Rootkitscan driver;\??\C:\WINDOWS\system32\drivers\pxrd.sys

*Newly Created Service* - GTTSQEPE
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 21:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 13:50:26
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 13:51:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 13:51
.
--- E O F ---





-------------------------------------------------------------------------------

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:58 PM, on 9/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: (no name) - {3C829FF6-7A2E-4861-81AC-AFEB7CE8E430} - c:\windows\system32\wdzinqka.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AuditMode] C:\sysprep\factory.exe -logon
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\System32\CSRSSU.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rsts] "C:\DOCUME~1\Harry\APPLIC~1\ASEMBL~1\wuauclt.exe" -vt yazb
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx1\PXAgent.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 7808 bytes




Thanks again. :thumbsup:

#4 RichieUK (Malware Response Team, 13,614 posts)

Posted 30 September 2007 - 03:06 AM

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\wmim.dll
C:\WINDOWS\system32\gpkcspi.dll
C:\WINDOWS\system32\jlasurxx.dat
C:\WINDOWS\system32\yirmraoa.dat
C:\WINDOWS\system32\joqkotjt.dat
C:\WINDOWS\system32\ibzrautq.dat
C:\WINDOWS\system32\kreiglqp.dll
C:\WINDOWS\system32\wdzinqka.dll
C:\WINDOWS\system32\wfxgmmus.dll
C:\WINDOWS\system32\48ixkzcaai.exe
C:\WINDOWS\system32\drivers\mseygwdq.sys
C:\Program Files\Prevx1
C:\Program Files\Prevx1(2)
C:\Program Files\Enigma Software Group
C:\Documents and Settings\Harry\Application Data\Prevx
C:\Documents and Settings\All Users\Application Data\Prevx
C:\Documents and Settings\Harry\Application Data\Prevx(2)
C:\Documents and Settings\All Users\Application Data\Prevx(2)


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your PC.

REGEDIT4
; the ComboFix log abbreviates HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
; as HKEY_LOCAL_MACHINE\~ ; regedit needs the full key path, so it is written out here
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1D0FD2AB-87E9-405D-AB65-872CEB154DF4}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3C829FF6-7A2E-4861-81AC-AFEB7CE8E430}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9E25B79A-BF00-406C-998F-FC777DA2BE19}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CSRSSU"=-
"Rsts"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SystemCheck2"=-


Double click on Combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Also post a new HijackThis log please.
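The entries the helper picked out above (a Run value whose name carries a trailing space, a lookalike of a system binary name, a real system binary name launched from the user's Application Data folder, BHO and SSODL entries whose files are gone, and a Winlogon Notify hook) follow heuristics a defender can automate when reading a HijackThis log. The script below is an added example written for this thread; it is not a tool from the page or from HijackThis. It parses O2, O4, O20 and O21 lines and reports the entries that trip a check; the lists of system binary names and user-profile directories are assumptions, and the sample log is constructed to mirror the entries discussed here.

```python
"""HijackThis load-point triage (O2, O4, O20, O21): added example for this thread,
not a tool from the page. Sample lines are constructed to mirror the thread."""
import re
from pathlib import PureWindowsPath

# Windows binaries whose names malware borrows (constructed, non-exhaustive list).
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                   "svchost.exe", "winlogon.exe", "wuauclt.exe", "explorer.exe"}
# Path components where a persistent Run entry rarely belongs (constructed list).
USER_DIRS = {"docume~1", "documents and settings", "applic~1", "application data",
             "locals~1", "local settings", "temp", "tmp", "recycled"}

LINE_RES = {
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<rest>.*)$"),
    "O21": re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<rest>.*)$"),
}
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.I)
# First image in a command line: the quoted token, or the text up to the first
# .exe/.dll/.scr/.com extension (unquoted paths may contain spaces).
IMAGE_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|scr|com))(?=\s|$))', re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike names such as csrssu/csrss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(rest: str) -> str:
    """Image path from the value data, minus HijackThis annotations and arguments."""
    m = IMAGE_RE.match(MISSING_RE.sub("", rest))
    return (m.group("q") or m.group("u")) if m else ""


def flags_for(kind: str, name: str, rest: str) -> list:
    """Defender-side heuristics; a flag means 'look closer', not 'malicious'."""
    flags = []
    if MISSING_RE.search(rest):
        flags.append("orphan")                    # load point outlived its payload
    if kind in ("O20", "O21"):
        flags.append("high_privilege_loadpoint")  # loads into winlogon / explorer
    if name != name.strip():
        flags.append("padded_name")               # trailing space mimics a real entry name
    path = PureWindowsPath(image_path(rest))
    parts = [p.lower().rstrip("\\") for p in path.parts]
    if any(p in USER_DIRS for p in parts):
        flags.append("user_profile_location")
    base = path.name.lower()
    if base in SYSTEM_BINARIES and parts[1:3] != ["windows", "system32"]:
        flags.append(f"masquerade({base})")       # real system name, wrong directory
    elif base not in SYSTEM_BINARIES:
        for real in sorted(SYSTEM_BINARIES):
            if 0 < edit_distance(path.stem.lower(), real[:-4]) <= 1:
                flags.append(f"lookalike({real})")
    return flags


def triage(log_text: str) -> list:
    """Parse the supported line types and return only the entries that raised flags."""
    findings = []
    for line in log_text.splitlines():
        for kind, rx in LINE_RES.items():
            m = rx.match(line.strip())
            if m:
                fl = flags_for(kind, m.group("name"), m.group("rest"))
                if fl:
                    findings.append({"kind": kind, "name": m.group("name"),
                                     "path": image_path(m.group("rest")), "flags": fl})
                break
    return findings


# Constructed sample mirroring the entries discussed in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3C829FF6-7A2E-4861-81AC-AFEB7CE8E430} - c:\windows\system32\wdzinqka.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\System32\CSRSSU.EXE
O4 - HKCU\..\Run: [Rsts] "C:\DOCUME~1\Harry\APPLIC~1\ASEMBL~1\wuauclt.exe" -vt yazb
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll (file missing)
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f'{h["kind"]:<4} [{h["name"]}] {h["path"]} -> {", ".join(h["flags"])}')
```

The findings keep the Run value name exactly as HijackThis printed it, trailing space included: the ComboFix output in this thread shows the same value as `"Windows Update Client "`, and a .reg deletion line has to reproduce that name byte for byte or regedit removes nothing. The checks are deliberately conservative (a legitimate Winlogon Notify entry or a vendor tool with a stray space will also be listed); the point is to shorten the list a person has to read, not to replace that reading.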

#5 balniks (Topic Starter, Members, 18 posts)

Posted 30 September 2007 - 07:22 AM

OTmoveit

File move failed. C:\WINDOWS\system32\wmim.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\gpkcspi.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\gpkcspi.dll scheduled to be moved on reboot.
C:\WINDOWS\system32\jlasurxx.dat moved successfully.
C:\WINDOWS\system32\yirmraoa.dat moved successfully.
C:\WINDOWS\system32\joqkotjt.dat moved successfully.
C:\WINDOWS\system32\ibzrautq.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\kreiglqp.dll
C:\WINDOWS\system32\kreiglqp.dll NOT unregistered.
C:\WINDOWS\system32\kreiglqp.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\wdzinqka.dll
C:\WINDOWS\system32\wdzinqka.dll NOT unregistered.
C:\WINDOWS\system32\wdzinqka.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\wfxgmmus.dll
C:\WINDOWS\system32\wfxgmmus.dll NOT unregistered.
C:\WINDOWS\system32\wfxgmmus.dll moved successfully.
C:\WINDOWS\system32\48ixkzcaai.exe moved successfully.
File move failed. C:\WINDOWS\system32\drivers\mseygwdq.sys scheduled to be moved on reboot.
File/Folder C:\Program Files\Prevx1 not found.
File/Folder C:\Program Files\Prevx1(2) not found.
C:\Program Files\Enigma Software Group\SpyHunter moved successfully.
C:\Program Files\Enigma Software Group moved successfully.
File/Folder C:\Documents and Settings\Harry\Application Data\Prevx not found.
C:\Documents and Settings\All Users\Application Data\Prevx moved successfully.
File/Folder C:\Documents and Settings\Harry\Application Data\Prevx(2) not found.
C:\Documents and Settings\All Users\Application Data\Prevx(2) moved successfully.

Created on 09/30/2007 21:51:19



Combofix

ComboFix 07-09-30.9 - Harry 2007-09-30 22:10:58.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.302 [GMT 10:00]
Running from: C:\Documents and Settings\Harry\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\mseygwdq.sys . . . . failed to delete
C:\WINDOWS\system32\gpkcspi.dll . . . . failed to delete
C:\WINDOWS\system32\gpkcspi.dll.bak . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_GTTSQEPE
-------\LEGACY_ZMBUINEZ
-------\gttsqepe
-------\zmbuinez


((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))
.

2007-09-30 14:07 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-30 13:44 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-30 13:13 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
2007-09-30 12:37 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Comodo
2007-09-30 12:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2007-09-30 11:35 <DIR> d-------- C:\Documents and Settings\Harry\.SunDownloadManager
2007-09-30 11:33 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-09-30 11:33 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-30 11:33 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-30 11:33 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-09-30 11:33 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-30 11:33 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-30 11:33 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-30 11:33 <DIR> d-------- C:\Program Files\Alwil Software
2007-09-28 09:23 <DIR> d-------- C:\Program Files\STOPzilla!
2007-09-28 09:23 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-09-28 09:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2007-09-20 12:22 147,729 --a------ C:\WINDOWS\system32\libssl32.dll
2007-09-20 11:56 81,920 --a------ C:\WINDOWS\system32\gpkcspi.dll
2007-09-20 11:54 104,804 --a------ C:\WINDOWS\system32\wmim.dll
2007-09-20 11:49 17,664 C:\WINDOWS\system32\drivers\mseygwdq.sys
2007-09-19 11:30 225,280 -ra------ C:\WINDOWS\system32\SZBase5.dll
2007-09-13 16:36 311,296 -ra------ C:\WINDOWS\system32\IS3DBA5.dll
2007-09-13 16:36 126,976 -ra------ C:\WINDOWS\system32\IS3HTUI5.dll
2007-09-13 16:35 61,440 -ra------ C:\WINDOWS\system32\IS3Hks5.dll
2007-09-13 16:35 372,736 -ra------ C:\WINDOWS\system32\IS3UI5.dll
2007-09-13 16:35 23,040 -ra------ C:\WINDOWS\system32\IS3XDat5.dll
2007-09-13 16:34 94,208 -ra------ C:\WINDOWS\system32\IS3Inet5.dll
2007-09-13 16:34 90,112 -ra------ C:\WINDOWS\system32\IS3Svc5.dll
2007-09-13 16:34 700,416 -ra------ C:\WINDOWS\system32\IS3Base5.dll
2007-09-13 16:34 200,704 -ra------ C:\WINDOWS\system32\IS3Win325.dll
2007-09-07 09:07 <DIR> d-------- C:\Program Files\fdrlab
2007-09-07 08:45 66,048 --a------ C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-09-05 12:27 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-09-05 07:51 <DIR> d-------- C:\Documents and Settings\TEMP\Incomplete
2007-09-03 14:45 208,896 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-22 06:34 <DIR> d-------- C:\Documents and Settings\Harry\Application Data\Apple Computer
2007-08-21 18:16 <DIR> d-------- C:\Program Files\Apple Software Update
2007-08-21 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-21 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-18 16:05 <DIR> d-------- C:\Program Files\QuickTime
2007-08-15 13:44 <DIR> d--hs---- C:\FOUND.005
2007-08-09 18:20 28,928 -ra------ C:\WINDOWS\system32\drivers\SZKG.sys
2007-08-02 11:57 <DIR> d--hs---- C:\FOUND.004

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-28 11:50 2048 --a------ C:\WINDOWS\system32\drivers\9478CE57-ACFA-4681-976D-30931278AE49.cxv
2007-09-28 09:37 5120 --a------ C:\WINDOWS\system32\drivers\9511213A-87EE-42DA-B3AA-50BC9C968D4C.cxv
2002-11-18 17:20 30976 --a------ C:\WINDOWS\inf\GV3.SYS
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D0FD2AB-87E9-405D-AB65-872CEB154DF4}]
2007-09-29 07:40 81920 --a------ c:\windows\system32\gpkcspi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3C829FF6-7A2E-4861-81AC-AFEB7CE8E430}]
c:\windows\system32\wdzinqka.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9E25B79A-BF00-406C-998F-FC777DA2BE19}]
2002-08-29 12:00 104804 --a------ C:\WINDOWS\System32\wmim.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"AuditMode"="C:\sysprep\factory.exe" []
"Q-HotkeyMgr"="C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe" [2003-09-23 17:25]
"Ulead Memory Card Detector"="C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe" [2003-05-14 19:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-02-14 13:59 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 18:51]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 18:44]
"QMusic"="C:\Program Files\BenQ\QMusic2\QMAgent.exe" [2003-10-23 14:32]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-05-28 17:21]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" []
"Q-MediaBar"="C:\Program Files\BenQ\Q-MediaBar\QBar.exe" []
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" []
"SpyHunter"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-08-18 16:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Windows Update Client "="C:\WINDOWS\system32\wuclient.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-22 15:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
avast! Antivirus.lnk - C:\Program Files\Alwil Software\Avast4\ashAvast.exe [2007-09-30 11:33:07]
COMODO Firewall Pro.lnk - C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe [2007-09-30 11:13:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
avast! Antivirus.lnk - C:\Program Files\Alwil Software\Avast4\ashAvast.exe [2007-09-30 11:33:07]
COMODO Firewall Pro.lnk - C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe [2007-09-30 11:13:14]

R0 gttsqepe;gttsqepe;C:\WINDOWS\System32\drivers\mseygwdq.sys
R0 PrevxDriver;PREVX Kernel Mode Agent;C:\WINDOWS\System32\drivers\pxfsf.sys
R1 PrevxTdi;PREVX Tdi filter;C:\WINDOWS\System32\drivers\pxtdi.sys
R3 EMCR;EMCR;C:\WINDOWS\System32\DRIVERS\EMCR7SK.sys
R3 w70n51;Intel® PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\System32\DRIVERS\w70n51.sys
S3 jbmhmr,dll;jbmhmr,dll;\??\C:\Program Files\BenQ\Q-HotkeyMgr\jbmhmr.dll
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys
S3 PrevxEmulator;PREVX Emulator Driver;C:\WINDOWS\System32\drivers\pxemu.sys
S3 PXRDDriver;PREVX Rootkitscan driver;\??\C:\WINDOWS\system32\drivers\pxrd.sys

*Newly Created Service* - GTTSQEPE
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 21:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-30 22:13:35
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-30 22:14:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-30 22:14
C:\ComboFix2.txt ... 2007-09-30 13:51
.
--- E O F ---





Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:33 PM, on 9/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: (no name) - {3C829FF6-7A2E-4861-81AC-AFEB7CE8E430} - c:\windows\system32\wdzinqka.dll (file missing)
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AuditMode] C:\sysprep\factory.exe -logon
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: avast! Antivirus.lnk = C:\Program Files\Alwil Software\Avast4\ashAvast.exe
O4 - Global Startup: COMODO Firewall Pro.lnk = C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

--
End of file - 7223 bytes

#6 RichieUK (Malware Response Team, 13,614 posts)

Posted 30 September 2007 - 07:36 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following text inside the quote box below:

Drivers to unload:
C:\WINDOWS\System32\drivers\mseygwdq.sys

Files to delete:
C:\WINDOWS\system32\wmim.dll
C:\WINDOWS\system32\gpkcspi.dll
C:\WINDOWS\system32\gpkcspi.dll.bak
C:\WINDOWS\System32\drivers\mseygwdq.sys

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

#7 balniks (Topic Starter, Members, 18 posts)

Posted 30 September 2007 - 04:12 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jekpltlg

*******************

Script file located at: \??\C:\euhelrqs.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open registry key \Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\System32\drivers\mseygwdq.sys for deletion
Unload of driver C:\WINDOWS\System32\drivers\mseygwdq.sys failed!

Could not process line:
C:\WINDOWS\System32\drivers\mseygwdq.sys
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\wmim.dll for deletion
Deletion of file C:\WINDOWS\system32\wmim.dll failed!

Could not process line:
C:\WINDOWS\system32\wmim.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\gpkcspi.dll for deletion
Deletion of file C:\WINDOWS\system32\gpkcspi.dll failed!

Could not process line:
C:\WINDOWS\system32\gpkcspi.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\gpkcspi.dll.bak for deletion
Deletion of file C:\WINDOWS\system32\gpkcspi.dll.bak failed!

Could not process line:
C:\WINDOWS\system32\gpkcspi.dll.bak
Status: 0xc0000022



Could not open file C:\WINDOWS\System32\drivers\mseygwdq.sys for deletion
Deletion of file C:\WINDOWS\System32\drivers\mseygwdq.sys failed!

Could not process line:
C:\WINDOWS\System32\drivers\mseygwdq.sys
Status: 0xc0000022


Completed script processing.

*******************

Finished! Terminate.

#8 RichieUK (Malware Response Team, 13,614 posts)

Posted 01 October 2007 - 09:40 AM

Please run this online virus scan: Activescan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.
Post the Activescan report in your next reply.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.


Please download F-Secure BlackLight Beta:
https://europe.f-secure.com/exclude/blacklight/fsbl.exe
Save it to your Desktop.
Double-click blbeta.exe to run the program.
Accept the licence agreement.
Then click 'Scan'.
A list of all items found will be created.
The list can be found on your desktop, named fsbl.xxxxxxx.log (xxxxxxx are numbers).
Please post the log created by BlackLight in your next reply.

#9 balniks (Topic Starter, Members, 18 posts)

Posted 02 October 2007 - 10:48 PM

Couldn't do the blacklight scan as it said the evaluation period had finished...


Activescan



Incident Status Location

Virus:Trj/Clicker.AGD Disinfected C:\WINDOWS\SYSTEM32\gpkcspi.dll.bak
Dialer:Dialer.Gen Not disinfected C:\WINDOWS\switchagreement.txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Harry\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Harry\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Harry\Desktop\ComboFix.exe[nircmd.cfexe]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Harry\Cookies\harry@stats.drivecleaner[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Harry\Cookies\harry@i.screensavers[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Harry\Cookies\harry@adopt.hbmediapro[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Harry\Cookies\harry@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Harry\Cookies\harry@www.advnt01[1].txt
Spyware:Cookie/TargetSaver Not disinfected C:\Documents and Settings\Harry\Cookies\harry@targetsaver[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Harry\Cookies\harry@www.drivecleaner[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Harry\Cookies\harry@www.systemdoctor[1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Harry\Cookies\harry@systemdoctor[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Harry\Cookies\harry@drivecleaner[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Harry\Cookies\harry@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Harry\Cookies\harry@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Harry\Cookies\harry@com[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Harry\Cookies\harry@cgi-bin[3].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Harry\Cookies\harry@go[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Harry\Cookies\harry@image.checkmystats.com[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Harry\Cookies\harry@server.iad.liveperson[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Harry\Cookies\harry@2o7[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Harry\Cookies\harry@toplist[1].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\Harry\Cookies\harry@outster[2].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Harry\Cookies\harry@revenue[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Harry\Cookies\harry@cgi-bin[6].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Harry\Cookies\harry@112.2o7[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Harry\Cookies\harry@cgi-bin[7].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Harry\Cookies\harry@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Harry\Cookies\harry@ccbill[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Harry\Cookies\harry@overture[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Harry\Cookies\harry@kmpads[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Harry\Cookies\harry@searchportal.information[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Harry\Cookies\harry@xiti[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Harry\Cookies\harry@serving-sys[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Harry\Cookies\harry@kinghost[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Harry\Cookies\harry@casalemedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Harry\Cookies\harry@bs.serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Harry\Cookies\harry@statcounter[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Harry\Cookies\harry@ad.yieldmanager[1].txt
Adware:Adware/CWS.Aboutblank Not disinfected C:\Recycled\Q330995.EXE
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\APPS\Process.exe
Virus:Generic Malware Disinfected C:\QOOBOX\Quarantine\C\Program Files\Common Files\Companion Wizard\compwiz.exe.vir

------------------

F-Secure


Scanning Report
Wednesday, October 03, 2007 11:01:39 - 13:27:26
Computer name: BENQ-NQZJBOVA6Q
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

Result: 107 malware found
Tracking Cookie (spyware)
System (Disinfected)
System (84 further tracking-cookie entries; only the word "System" survived for each in this copy of the report)
Trojan-Downloader.Win32.Small.ahv (virus)
C:\WINDOWS\system32\inivedll.dll (Renamed & Submitted)
Trojan-Dropper.Win32.Agent.bzw (virus)
C:\WINDOWS\system32\kreiglqp.dll.bak (Renamed & Submitted)
Trojan-Dropper.Win32.Small.xu (virus)
C:\Recycled\Q330995.exe (Renamed & Submitted)
W32/BHO.QG (virus)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\kreiglqp.dll (Submitted)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\wdzinqka.dll (Submitted)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\wfxgmmus.dll (Submitted)
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\48ixkzcaai.exe (Submitted)
C:\System Volume Information\_restore{F79F10E8-B97F-46A6-8565-DECFDF7F4916}\RP521\A0110899.DLL (Submitted)
C:\System Volume Information\_restore{F79F10E8-B97F-46A6-8565-DECFDF7F4916}\RP521\A0110911.DLL (Submitted)
C:\WINDOWS\system32\wmim.dll (Submitted)
C:\WINDOWS\system32\wmim.1 (Submitted)
C:\WINDOWS\system32\pmxpo.bak (Submitted)
C:\WINDOWS\system32\gpkcspi.dll (Submitted)
C:\WINDOWS\system32\wfxgmmus.dll.bak (Submitted)
C:\WINDOWS\system32\joqkotjt.dll.bak (Submitted)
C:\WINDOWS\system32\jlasurxx.dll.bak
C:\WINDOWS\system32\yirmraoa.dll.bak
C:\WINDOWS\system32\gpkcspi.dll.bak (Submitted)
W32/Malware.AXAF (virus)
C:\System Volume Information\_restore{F79F10E8-B97F-46A6-8565-DECFDF7F4916}\RP521\A0110891.msi\stream 138\patchjre.exe
C:\System Volume Information\_restore{F79F10E8-B97F-46A6-8565-DECFDF7F4916}\RP520\A0110785.msi\stream 138\patchjre.exe
C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_02.b06\patchjre.exe (Submitted)
C:\Documents and Settings\Harry\Application Data\Sun\Java\jre1.6.0_02\jre1.6.0_02.msi\stream 138\patchjre.exe

Statistics
Scanned:
Files: 125422
System: 3818
Not scanned: 175
Actions:
Disinfected: 1
Renamed: 3
Deleted: 0
None: 103
Submitted: 17
Files not scanned:
C:\PAGEFILE.SYS
C:\_OTMOVEIT\MOVEDFILES\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PREVX(2)\LOCAL.DAT
C:\_OTMOVEIT\MOVEDFILES\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\PREVX\LOCAL.DAT
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 7.0\ULEAD.DAT\U32BASE.CFG
C:\DOCUMENTS AND SETTINGS\HARRY\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\HARRY\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\HARRY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\DESKTOP SEARCH\APPLICATIONS\RSAPP\PROJECTS\MYINDEX\BUILD\INDEXER\CIFILES\CIFLFFFD.001
C:\DOCUMENTS AND SETTINGS\HARRY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\DESKTOP SEARCH\APPLICATIONS\RSAPP\PROJECTS\MYINDEX\BUILD\INDEXER\CIFILES\CIFLFFFD.002
C:\DOCUMENTS AND SETTINGS\HARRY\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\9RFJLX8E\search[1].asp\search[1]
C:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\9RFJLX8E\aimapi[1].js\aimapi[1]
C:\DOCUMENTS AND SETTINGS\HARRY\LOCAL SETTINGS\HISTORY\HISTORY.IE5\MSHIST012005100320051004\INDEX.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\STOPZILLA!\ZILLA5.LOG
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit41.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Central.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchCameUp.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit42.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit43.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchCameUp1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit44.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit45.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchCameUp2.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit46.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit47.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSlawSearch.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit48.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit49.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-02
F-Secure AVP: 7.0.171, 2007-10-03
F-Secure Orion: 1.2.37, 2007-10-03
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Pegasus: 1.19.0, 2007-09-01
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics


#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 03 October 2007 - 08:35 AM

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.


Please download Rootchk.exe and save to your desktop:
Important:- Temporarily disable any real-time monitoring programs (see note below).
Disconnect from the Internet.
Double-click on rootchk.exe to run the program.
A command prompt window will open as the scan begins and then close.
When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
Copy and paste the contents of the log into your next reply.
Re-enable active protection on any program you temporarily disabled.
Note:
To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall, or any other security program that protects your registry (Spybot's Teatimer, Ad-Aware's Adwatch, Prevx, etc.) before running the rootchk scan.
Click on this link to see a list of other programs that should be disabled.

Also post a new Hijackthis log please.

#11 balniks

  • Topic Starter
  • Members
  • 18 posts

Posted 03 October 2007 - 08:12 PM

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 04, 2007 10:59:56 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 4/10/2007
Kaspersky Anti-Virus database records: 400965


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 42959
Number of viruses found 3
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 00:28:10

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\kreiglqp.dll.0ak Infected: Trojan-Dropper.Win32.Agent.bzw skipped

C:\WINDOWS\system32\inivedll.0ll Infected: Trojan-Downloader.Win32.Small.ahv skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\ModemLog_Agere Systems AC'97 Modem.txt Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{F45465D9-1010-4572-B25D-F6D6F0E6227B}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\Download\8aba0967f899f346d112e436c1f1b5c7\BITD.tmp Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\STOPzilla!\Targets.Db Object is locked skipped

C:\Documents and Settings\All Users\Application Data\STOPzilla!\userdata.db Object is locked skipped

C:\Documents and Settings\All Users\Application Data\STOPzilla!\zilla5.log Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\Harry\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows Live Contacts\pestilent_eyegouger@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Application Data\Microsoft\Windows Live Contacts\pestilent_eyegouger@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Application Data\SITEguard\siteguard.db Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temp\~DF2D40.tmp Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temp\~DFDA1A.tmp Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temp\~DFDA21.tmp Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temp\~DF408A.tmp Object is locked skipped

C:\Documents and Settings\Harry\Local Settings\Temp\~DF4093.tmp Object is locked skipped

C:\Documents and Settings\Harry\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Harry\ntuser.dat Object is locked skipped

C:\System Volume Information\_restore{F79F10E8-B97F-46A6-8565-DECFDF7F4916}\RP570\change.log Object is locked skipped

C:\Recycled\Q330995.0xe Infected: Trojan-Dropper.Win32.Small.xu skipped

Scan process completed.

-----------------------------------------------------------


********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Thu 10/04/2007 11:02:37.52

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 11:02:38
Windows 5.1.2600 Service Pack 1
scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:58 AM, on 10/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AuditMode] C:\sysprep\factory.exe -logon
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: COMODO Firewall Pro.lnk = C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8105 bytes
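
An added example, not code from the thread, from HijackThis or from any other tool named in it: a small Python script that applies the checks a helper makes by eye on a log like the one above. It flags a search or start page pointing at a host outside an allowlist, BHOs with no name, BHO and service entries whose file is already gone, Winlogon Notify subkeys with random-looking names, and one DLL registered in more than one place. The sample lines are copied from the log above; the host allowlist and the random-name pattern are assumptions chosen for illustration, not HijackThis rules.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a subset of the HijackThis lines posted above,
# copied verbatim so the checks can be tried against the real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

# Assumed allowlist: hosts a search/start page may legitimately point to on this machine.
KNOWN_GOOD_HOSTS = {"google.com", "www.google.com", "www.benq.com"}

# Assumed heuristic: randomly generated component names are 6-10 lowercase letters.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}$")

# Markers HijackThis appends when the registered file no longer exists.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")


def _basename(path):
    """Lower-cased last path component, with HijackThis status markers stripped."""
    for marker in ORPHAN_MARKERS:
        path = path.replace(marker, "")
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (reason, subject) tuples for entries a reviewer should look at."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))

    # How many entries reference each DLL: the same file registered as a BHO
    # and as a Winlogon Notify handler is a classic persistence pairing.
    dll_refs = Counter()
    for _, body, _ in entries:
        name = _basename(body.rsplit(" - ", 1)[-1])
        if name.endswith(".dll"):
            dll_refs[name] += 1

    findings = []
    for section, body, line in entries:
        if section in ("R0", "R1") and "=" in body:
            url = body.split("=", 1)[1].strip()
            host = urlparse(url).hostname
            if url and host not in KNOWN_GOOD_HOSTS:
                findings.append(("search/start page points at unlisted host %s" % host, line))
        elif section == "O2":
            # body looks like: BHO: <name> - {CLSID} - <path or status>
            parts = body.split(" - ")
            name = parts[0].split(":", 1)[1].strip()
            path = parts[-1]
            if any(marker in path for marker in ORPHAN_MARKERS):
                findings.append(("orphaned BHO entry, file already gone", line))
            elif name == "(no name)":
                findings.append(("unnamed BHO loaded from %s" % _basename(path), line))
        elif section == "O20":
            # body looks like: Winlogon Notify: <subkey> - <path>
            subkey = body.split(":", 1)[1].split(" - ")[0].strip()
            if RANDOM_NAME.match(subkey):
                findings.append(("Winlogon Notify subkey with random-looking name", line))
        elif section == "O23" and any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(("orphaned service, binary missing", line))

    for name, count in dll_refs.items():
        if count > 1:
            findings.append(("%s referenced by %d entries" % (name, count), name))
    return findings


if __name__ == "__main__":
    for reason, subject in triage(SAMPLE_LOG):
        print("%-55s %s" % (reason, subject))
```

Run as-is it prints eight findings for the sample: the 4count.com SearchURL, the two unnamed BHOs (gpkcspi.dll and wmim.dll), the two orphaned BHO entries, the orphaned PREVXAgent service, the djztgyjl Winlogon Notify subkey, and gpkcspi.dll being referenced from both the O2 and O20 sections. Entries that are named, present and pointing at vendor paths (Adobe, Synaptics, Intel) are left alone; the allowlist and name pattern are the two places to tune for a different machine.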

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 04 October 2007 - 04:54 AM

Turn off System Restore until further notice please:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes'; your 'System Restore' directories will be purged.
Restart your pc.

Copy and paste the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.bat, and save it to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's normal.

@echo off
rem stop the orphaned Prevx service (its binary is missing, so this may report an error) and remove its registration
sc stop PREVXAgent
sc delete PREVXAgent

Restart your pc.


Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\kreiglqp.dll.0ak
C:\WINDOWS\system32\inivedll.0ll
C:\Recycled\Q330995.0xe


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [PrevxOne] C:\Program Files\Prevx1\PXConsole.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe (file missing)



Download and scan with the free 15 day trial of Counterspy V2
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into your next reply.


Download/install the free trial version of Kaspersky Anti-Virus 7.0:
http://www.kaspersky.com/trials

Update Kaspersky's virus definitions and run a full system virus scan.

Post a new Hijackthis log into your next reply.

Edited by RichieUK, 04 October 2007 - 04:55 AM.


#13 balniks

  • Topic Starter
  • Members
  • 18 posts

Posted 06 October 2007 - 03:53 AM

Moveit:
C:\WINDOWS\system32\kreiglqp.dll.0ak moved successfully.
C:\WINDOWS\system32\inivedll.0ll moved successfully.
C:\Recycled\Q330995.0xe moved successfully.

Created on 10/05/2007 08:22:43

-----------------------------------------------

Counterspy

Scan History Details
Start Date: 10/6/2007 2:30:05 AM
End Date: 10/6/2007 3:00:09 AM
Total Time: 30 Min 4 Sec
Detected security risks

Cookie: BS.Serving-Sys Cookie (General)
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@bs.serving-sys[1].txt
c:\documents and settings\harry\cookies\harry@serving-sys[1].txt


Cookie: BurstNet.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@burstnet[1].txt


Cookie: CGI-Bin Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@cgi-bin[2].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[3].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[4].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[5].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[6].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[7].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[8].txt
c:\documents and settings\harry\cookies\harry@cgi-bin[9].txt


Cookie: Com.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@com[1].txt


Cookie: FastClick.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@fastclick[2].txt


Cookie: GeoCities Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@geocities[2].txt


Cookie: Hotbar Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@ad.yieldmanager[2].txt
c:\documents and settings\harry\cookies\harry@adopt.hbmediapro[2].txt
c:\documents and settings\harry\cookies\harry@lycos[1].txt


IST.ISTbar Hijacker
Details: ISTbar is an Internet Explorer Hijacker, which modifies your homepages and searches without a user's consent using an Internet Explorer toolbar.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN


Cookie: Zedo Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@zedo[1].txt


Cookie: TribalFusion.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@tribalfusion[2].txt


Cookie: WWW.frenchcum.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@www.frenchcum[1].txt


Cookie: cookie.monster Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@cookie.monster[1].txt


Cookie: casalemedia.com Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@casalemedia[1].txt


Cookie: RegNow Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@www.regnow[2].txt


Cookie: DriveCleaner Cookie (General)
Status: Deleted

Cookies detected
c:\documents and settings\harry\cookies\harry@drivecleaner[2].txt

--------------------------------

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:02 PM, on 10/6/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://WWW.BenQ.COM/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [AuditMode] C:\sysprep\factory.exe -logon
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: COMODO Firewall Pro.lnk = C:\Documents and Settings\Harry\Desktop\Comodo\Firewall\cpf.exe
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?7a081e68fa8a485984b2a1297a4149e
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://WWW.BenQ.COM/
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8329 bytes
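Before acting on a log like the one above, a responder scans it for a handful of entry types: O2 BHOs registered with no name, O20 Winlogon Notify packages that are not Windows XP defaults (those run inside winlogon.exe), R0/R1 start or search pages pointing at an unfamiliar host, and O23 services whose binary is missing. The script below is an added example, not a HijackThis feature and not code from this thread, that encodes those checks and then groups the flagged entries by the file they load. The allowlist of XP Notify subkeys, the list of trusted hosts, the no-vowel "looks machine-generated" heuristic and the severities are this example's own assumptions; the sample log is an excerpt of the log posted above.

```python
"""Triage a HijackThis 2.0 log for the persistence entries a responder acts on
first.  Added example for this thread, not a HijackThis or BleepingComputer
tool; every heuristic and allowlist below is an assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4count.com/?a=2&b=r4
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0FD2AB-87E9-405D-AB65-872CEB154DF4} - c:\windows\system32\gpkcspi.dll
O2 - BHO: (no name) - {9E25B79A-BF00-406C-998F-FC777DA2BE19} - C:\WINDOWS\System32\wmim.dll
O20 - Winlogon Notify: djztgyjl - C:\WINDOWS\SYSTEM32\gpkcspi.dll
O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - C:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

LINE_RE = re.compile(r"^(R0|R1|O2|O20|O23) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|ocx)\b", re.IGNORECASE)

# Assumed allowlists: Winlogon Notify subkeys shipped with Windows XP, and the
# hosts this particular machine is expected to use for its IE start/search pages.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
TRUSTED_HOSTS = {"google.com", "www.google.com", "benq.com", "www.benq.com"}


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    severity: str  # "high", "medium" or "low"
    reason: str
    module: str    # lower-cased path of the file the entry loads ("" for URL entries)
    line: str


def _looks_random(name: str) -> bool:
    """Crude check for machine-generated names: six or more letters and no vowel."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 6 and not any(c in "aeiou" for c in letters)


def _module(rest: str) -> str:
    m = PATH_RE.search(rest)
    return m.group(0).lower() if m else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        module = _module(rest)
        if section == "O2" and rest.startswith("BHO: (no name)"):
            findings.append(Finding("O2", "high", "BHO registered without a name", module, line))
        elif section == "O20" and rest.startswith("Winlogon Notify:"):
            name = rest.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                why = "Winlogon Notify package that is not an XP default (runs inside winlogon.exe)"
                if _looks_random(name):
                    why += f"; subkey name '{name}' looks machine-generated"
                findings.append(Finding("O20", "high", why, module, line))
        elif section in ("R0", "R1"):
            url = rest.split("=", 1)[1].strip() if "=" in rest else ""
            host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
            if host and host not in TRUSTED_HOSTS:
                findings.append(Finding(section, "medium",
                                        f"IE start/search page redirected to {host}", "", line))
        elif section == "O23" and rest.endswith("(file missing)"):
            findings.append(Finding("O23", "low", "service entry whose binary is gone", module, line))
    return findings


def hooks_by_module(findings: list[Finding]) -> dict[str, set[str]]:
    """Group flagged entries by the file they load.  A DLL hooked as both a BHO
    and a Winlogon Notify package is mapped into explorer.exe and winlogon.exe,
    which is why a plain delete fails while the system is up."""
    hooks: dict[str, set[str]] = {}
    for f in findings:
        if f.module:
            hooks.setdefault(f.module, set()).add(f.section)
    return hooks


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}\n         {f.line}")
    for module, sections in hooks_by_module(results).items():
        if len(sections) > 1:
            print(f"{module} is hooked via {', '.join(sorted(sections))}")
```

Run directly, it reports the two unnamed BHOs, the O20 entry and the 4count.com search hijack, and notes that gpkcspi.dll is hooked through both O2 and O20. That double hook is the reason the file has threads inside winlogon.exe and Explorer.EXE, which is what the UnDLL log later in the thread shows the tool having to suspend before it can schedule the delete.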

#14 RichieUK (Malware Response Team)

Posted 06 October 2007 - 05:15 AM

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.


Download/unzip 'unDLL' by ESET to your desktop:
http://www.nod32.it/tools/undll.zip
Double click on the 'UNDLL' icon on your desktop.
Click on the 'Select infected DLL' button.
In the 'Select infected dynamic library' window, navigate to and double click on:
C:\WINDOWS\System32\wmim.dll
Then follow the prompts.
When it's finished, click on 'Click here to view log'.
The log, as a text file, can also be found on your desktop as 'undll-........'.
Copy and paste the entire contents of that log into your next reply.

Then do the same with:
C:\WINDOWS\SYSTEM32\gpkcspi.dll

Copy and paste both logs in your next reply.

#15 balniks (Topic Starter)

Posted 06 October 2007 - 05:10 PM

10/07/2007 07:37:35 [SysLog]: UnDLL engine 1.0.0.2 initialized
10/07/2007 07:37:35 [SysLog]: OS: 5.1 build 2600 (Service Pack 1)
10/07/2007 07:39:18 [Action]: + Searching for infected threads...
10/07/2007 07:40:04 [Action]: Deleting file [C:\WINDOWS\system32\wmim.dll] - deferred at next reboot
10/07/2007 07:40:06 [Action]: + Searching in AppInit_DLLs...
10/07/2007 07:40:06 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
10/07/2007 07:40:06 [Action]: + Searching in Winlogon Notify...
10/07/2007 07:40:06 [Action]: + Searching in Browser Helper Objects...
10/07/2007 07:40:06 [Action]: System Reboot
10/07/2007 08:00:02 [SysLog]: UnDLL engine 1.0.0.2 initialized
10/07/2007 08:00:02 [SysLog]: OS: 5.1 build 2600 (Service Pack 1)
10/07/2007 08:00:52 [Action]: + Searching for infected threads...
10/07/2007 08:00:53 [Action]: Suspending thread [1916] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:00:53 [Action]: Suspending thread [1920] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:00:53 [Action]: Suspending thread [1924] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2476] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2480] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2484] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:17 [Action]: Deleting file [C:\WINDOWS\system32\gpkcspi.dll] - deferred at next reboot
10/07/2007 08:01:19 [Action]: + Searching in AppInit_DLLs...
10/07/2007 08:01:19 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
10/07/2007 08:01:19 [Action]: + Searching in Winlogon Notify...
10/07/2007 08:01:19 [Action]: + Searching in Browser Helper Objects...
10/07/2007 08:01:19 [Action]: System Reboot
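The two UnDLL logs above record what the tool could do live and what it had to defer: both deletes are "deferred at next reboot", the second run first suspends three threads each in winlogon.exe and Explorer.EXE that were executing from gpkcspi.dll, AppInit_DLLs is rewritten empty, and the Winlogon Notify and BHO searches log no change. The script below is an added example, not part of UnDLL and not code from the posts, that turns such a log into the list of things to confirm after the reboot the tool asks for. The line format (timestamp, [SysLog]/[Action] tag, message) is taken from the logs above; the checklist wording is this example's own, and the sample is the two runs posted above, concatenated.

```python
"""Summarise ESET UnDLL logs into a post-reboot verification list.  Added
example for this thread; not part of UnDLL and not code from the original
posts.  The line format is taken from the logs in the thread; the checklist
wording is this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: both UnDLL runs posted in the thread, concatenated.
SAMPLE_UNDLL = r"""
10/07/2007 07:37:35 [SysLog]: UnDLL engine 1.0.0.2 initialized
10/07/2007 07:37:35 [SysLog]: OS: 5.1 build 2600 (Service Pack 1)
10/07/2007 07:39:18 [Action]: + Searching for infected threads...
10/07/2007 07:40:04 [Action]: Deleting file [C:\WINDOWS\system32\wmim.dll] - deferred at next reboot
10/07/2007 07:40:06 [Action]: + Searching in AppInit_DLLs...
10/07/2007 07:40:06 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
10/07/2007 07:40:06 [Action]: + Searching in Winlogon Notify...
10/07/2007 07:40:06 [Action]: + Searching in Browser Helper Objects...
10/07/2007 07:40:06 [Action]: System Reboot
10/07/2007 08:00:02 [SysLog]: UnDLL engine 1.0.0.2 initialized
10/07/2007 08:00:52 [Action]: + Searching for infected threads...
10/07/2007 08:00:53 [Action]: Suspending thread [1916] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:00:53 [Action]: Suspending thread [1920] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:00:53 [Action]: Suspending thread [1924] in process [C:\WINDOWS\system32\winlogon.exe] - module [C:\WINDOWS\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2476] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2480] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:01 [Action]: Suspending thread [2484] in process [C:\WINDOWS\Explorer.EXE] - module [c:\windows\system32\gpkcspi.dll]
10/07/2007 08:01:17 [Action]: Deleting file [C:\WINDOWS\system32\gpkcspi.dll] - deferred at next reboot
10/07/2007 08:01:19 [Action]: + Searching in AppInit_DLLs...
10/07/2007 08:01:19 [Action]: Writing AppInit_DLLs in the Registry: [Nothing]
10/07/2007 08:01:19 [Action]: + Searching in Winlogon Notify...
10/07/2007 08:01:19 [Action]: + Searching in Browser Helper Objects...
10/07/2007 08:01:19 [Action]: System Reboot
"""

ENTRY_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} \[(\w+)\]: (.*)$")
SUSPEND_RE = re.compile(r"^Suspending thread \[(\d+)\] in process \[(.+?)\] - module \[(.+?)\]$")
DELETE_RE = re.compile(r"^Deleting file \[(.+?)\] - deferred at next reboot$")
APPINIT_RE = re.compile(r"^Writing AppInit_DLLs in the Registry: \[(.*)\]$")


@dataclass
class UndllSummary:
    deferred_deletes: list[str] = field(default_factory=list)
    suspended: dict[str, list[int]] = field(default_factory=dict)  # process -> thread ids
    injected_modules: set[str] = field(default_factory=set)
    appinit_value: str | None = None
    locations_checked: list[str] = field(default_factory=list)
    reboot_required: bool = False


def parse_undll(text: str) -> UndllSummary:
    """Collect the [Action] lines; [SysLog] lines carry no cleanup state."""
    s = UndllSummary()
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m or m.group(1) != "Action":
            continue
        msg = m.group(2)
        if (d := DELETE_RE.match(msg)):
            s.deferred_deletes.append(d.group(1))
        elif (t := SUSPEND_RE.match(msg)):
            tid, proc, module = int(t.group(1)), t.group(2), t.group(3)
            s.suspended.setdefault(proc, []).append(tid)
            s.injected_modules.add(module.lower())
        elif (a := APPINIT_RE.match(msg)):
            s.appinit_value = a.group(1)
        elif msg.startswith("+ Searching in "):
            loc = msg[len("+ Searching in "):].rstrip(".")
            if loc not in s.locations_checked:
                s.locations_checked.append(loc)
        elif msg == "System Reboot":
            s.reboot_required = True
    return s


def verification_checklist(s: UndllSummary) -> list[str]:
    """What to confirm once the reboot the tool asked for has happened."""
    items: list[str] = []
    for path in s.deferred_deletes:
        items.append(f"confirm {path} is gone (deletion was deferred to reboot, not done live)")
    for proc, tids in s.suspended.items():
        mods = ", ".join(sorted(s.injected_modules))
        items.append(f"{proc}: {len(tids)} thread(s) were running from {mods}; confirm it no longer loads that module")
    if s.appinit_value is not None:
        items.append(f"AppInit_DLLs was rewritten as [{s.appinit_value}]; confirm it still holds that value")
    for loc in s.locations_checked:
        if loc != "AppInit_DLLs":
            items.append(f"{loc} was searched but the log records no change there; re-check it in a fresh HijackThis log")
    if not s.reboot_required:
        items.append("log never reached 'System Reboot'; the run may have been interrupted")
    return items


if __name__ == "__main__":
    for item in verification_checklist(parse_undll(SAMPLE_UNDLL)):
        print("-", item)
```

The point of the last two checklist items is the caveat a responder wants from this log: a "deferred at next reboot" delete only succeeds if nothing re-creates the file before the reboot completes, and the Winlogon Notify subkey and the two BHO CLSIDs that referenced these DLLs are only confirmed gone by a fresh HijackThis log taken after the restart.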