HackTool.GSQ / Explorer pop ups


#1 Mary Saunders
Posted 11 August 2009 - 06:03 AM

Hi,

When the computer is connected to the internet, after varying amounts of time (anything up to 5 mins), three empty Internet Explorer windows open and I am disconnected from the internet. If I am using Explorer at the time I get the same problem; however, if I am using Firefox, three new Firefox tabs open instead on a Google site in a foreign language (Google busqueda, I think), and again the internet is disconnected.

Usually, before this happens, I get the following three error screens:

Firstly, I get a resident shield alert (from avg antivirus),with the title: Accessed file is unwanted / Potentially unwanted Program. Below this it gives:
File name: C:\WINNT\system32\drivers\srwsvc.sys
Threat name: Potentially harmful program HackTool.GSQ
Detected on open
At the bottom it gives:
Process name: C:\patch.exe
Process ID: 2432

As well as this, an empty command box titled c:\patch.exe appears.

I also get an error message from windows titled "patch.exe - Application error", in the box it says:
"The instruction at "0x00401257" referenced memory at "0x0000000c". The memory could not be "read". Click OK to terminate the program. Click on Cancel to debug the program."

A short while - anything up to around 2 mins - after receiving these messages, the Explorer pop-ups appear and the internet disconnects.

DDS (Ver_09-07-30.01) - NTFSx86
Run by User at 11:41:00.89 on Tue 11/08/2009
Internet Explorer: 6.0.2800.1106

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.consumerpulse.co.uk/
uWindow Title = Microsoft Internet Explorer provided by Wanadoo
uSearch Bar = hxxp://www.wanadoo.co.uk/iesearch/default.htm
mDefault_Page_URL = hxxp://www.wanadoo.co.uk
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Taskman=c:\recycler\s-1-5-21-9747632932-0536966638-592690585-3638\mwau.exe
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-9747632932-0536966638-592690585-3638\mwau.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: IMM Toolbar: {65dcb62d-0c89-467b-bcc3-b04fb0773d1e} - c:\program files\jaytown\imm toolbar\MarktMonitorShell.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll
uRun: [internat.exe] internat.exe
uRun: [Syncmgr] Syncmgr.exe
uRun: [Intel Physical Address Aventis 1.3] c:\winnt\wciactrl.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
mRun: [Syncmgr] Syncmgr.exe
mRun: [Microsoft® System Manager] c:\winnt\system32\sysmgr.exe
mRun: [Microsoft Driver Setup] c:\winnt\sysmngsr322.exe
dRun: [internat.exe] internat.exe
dRun: [Syncmgr] Syncmgr.exe
dRun: [Intel Physical Address Aventis 1.3] c:\winnt\wciactrl.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [FlashPlayerUpdate] c:\winnt\system32\macromed\flash\FlashUtil9f.exe
mExplorerRun: [Microsoft Driver Setup] c:\winnt\sysmngsr322.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\winnt\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210326030036
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210326122529
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553534500} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: {981FE04C-04BC-4FE6-9426-6816A222DBC7} = 194.72.9.38 194.74.65.68
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ab79nw0t.default\
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\components\nsgkff30_meter5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScope42.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npArtistScopeDRM11.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-08-11 11:39 158,720 a------- c:\winnt\system32\37.scr
2009-08-11 11:22 158,720 ---shr-- c:\winnt\sysmngsr322.exe
2009-08-11 09:30 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-08-11 09:29 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-11 09:29 18,456 a------- c:\winnt\system32\drivers\mbam.sys
2009-08-11 09:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-11 09:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 07:58 158,720 a------- c:\winnt\system32\36.scr
2009-08-11 07:50 81 a------- c:\winnt\system32\asr_arsui
2009-08-11 07:49 81 a------- c:\winnt\system32\asr_lbxva
2009-08-11 07:46 158,720 a------- c:\winnt\system32\06.scr
2009-08-11 07:38 158,720 a------- c:\winnt\system32\70.scr
2009-08-11 07:10 158,720 a------- c:\winnt\system32\08.scr
2009-08-11 07:05 158,720 a------- c:\winnt\system32\15.scr
2009-08-10 23:22 158,720 a------- c:\winnt\system32\87.scr
2009-08-10 23:21 158,720 a------- c:\winnt\system32\56.scr
2009-08-10 23:10 158,720 a------- c:\winnt\system32\84.scr
2009-08-10 23:01 158,720 a------- c:\winnt\system32\62.scr
2009-08-10 21:56 <DIR> --d-h--- c:\winnt\PIF
2009-08-10 20:43 158,720 a------- c:\winnt\system32\85.scr
2009-08-10 20:21 158,720 a------- c:\winnt\system32\14.scr
2009-08-10 20:03 158,720 a------- c:\winnt\system32\72.scr
2009-08-10 19:45 158,720 a------- c:\winnt\system32\55.scr
2009-08-10 19:28 158,720 a------- c:\winnt\system32\25.scr
2009-08-07 21:57 81 a------- c:\winnt\system32\asr_stwxn
2009-08-07 21:54 81 a------- c:\winnt\system32\asr_zrlun
2009-08-07 20:55 81 a------- c:\winnt\system32\asr_nolra
2009-08-07 20:46 81 a------- c:\winnt\system32\asr_xxvei
2009-08-06 12:01 81 a------- c:\winnt\system32\asr_sxvyz
2009-08-05 20:37 81 a------- c:\winnt\system32\asr_zsyih
2009-08-05 19:22 81 a------- c:\winnt\system32\asr_ycjqy
2009-08-05 19:09 81 a------- c:\winnt\system32\asr_hhcmb
2009-08-05 17:50 81 a------- c:\winnt\system32\asr_yithr
2009-08-05 17:42 81 a------- c:\winnt\system32\asr_lhygm
2009-08-05 17:31 81 a------- c:\winnt\system32\asr_eojpc
2009-08-04 12:08 1,112,288 a------- c:\winnt\system32\WdfCoInstaller01007.dll
2009-08-03 16:03 79 a------- c:\winnt\system32\asr_owqfn
2009-08-03 16:00 77 a------- c:\winnt\system32\asr_vybap
2009-08-03 15:48 79 a------- c:\winnt\system32\asr_cmemi
2009-08-03 15:30 79 a------- c:\winnt\system32\asr_ybinm
2009-08-03 15:23 79 a------- c:\winnt\system32\asr_efbjq
2009-08-03 14:52 79 a------- c:\winnt\system32\asr_bcrwg
2009-08-03 14:39 79 a------- c:\winnt\system32\asr_dilrt
2009-08-03 14:18 79 a------- c:\winnt\system32\asr_vcavu
2009-08-01 13:07 80 a------- c:\winnt\system32\asr_nglay
2009-08-01 12:37 80 a------- c:\winnt\system32\asr_yaeni
2009-07-31 20:05 79 a------- c:\winnt\system32\asr_kxfur
2009-07-31 19:54 79 a------- c:\winnt\system32\asr_rrgbt
2009-07-31 19:27 79 a------- c:\winnt\system32\asr_upkdn
2009-07-31 18:46 78 a------- c:\winnt\system32\asr_qlizg
2009-07-31 18:15 78 a------- c:\winnt\system32\asr_tkxrd
2009-07-31 18:05 78 a------- c:\winnt\system32\asr_ylhju
2009-07-31 16:13 80 a------- c:\winnt\system32\asr_rnajr
2009-07-31 15:52 0 a------- c:\winnt\system32\asr_28876.exe
2009-07-31 15:52 78 a------- c:\winnt\system32\asr_glath
2009-07-31 15:12 80 a------- c:\winnt\system32\asr_ymjdm
2009-07-31 13:51 80 a------- c:\winnt\system32\asr_bjllz
2009-07-31 13:37 80 a------- c:\winnt\system32\asr_dqcmu
2009-07-31 13:13 80 a------- c:\winnt\system32\asr_nqbpl
2009-07-31 13:10 80 a------- c:\winnt\system32\asr_tcoxd
2009-07-31 13:07 80 a------- c:\winnt\system32\asr_tqgdz
2009-07-31 13:05 80 a------- c:\winnt\system32\asr_txttl
2009-07-31 12:59 80 a------- c:\winnt\system32\asr_ivrwl
2009-07-31 12:58 80 a------- c:\winnt\system32\asr_kibqg
2009-07-30 14:14 80 a------- c:\winnt\system32\asr_bacvy
2009-07-30 13:57 80 a------- c:\winnt\system32\asr_cthbc
2009-07-30 13:49 80 a------- c:\winnt\system32\asr_shhkx
2009-07-30 13:38 80 a------- c:\winnt\system32\asr_reevi
2009-07-30 12:28 80 a------- c:\winnt\system32\asr_frwnv
2009-07-29 11:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-29 11:45 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-29 11:45 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-07-29 11:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-29 11:22 0 a------- C:\load32.exe
2009-07-28 18:57 139,776 a------- C:\pp2.exe
2009-07-28 18:43 79,872 a------- C:\patch.exe
2009-07-27 11:59 79 a------- c:\winnt\system32\asr_cprlu
2009-07-27 11:40 79 a------- c:\winnt\system32\asr_mkerj
2009-07-27 11:05 79 a------- c:\winnt\system32\asr_ygsqn
2009-07-25 14:29 79 a------- c:\winnt\system32\asr_svhwo
2009-07-25 14:28 79 a------- c:\winnt\system32\asr_xcqkh
2009-07-25 13:34 79 a------- c:\winnt\system32\asr_qxnww
2009-07-25 12:56 79 a------- c:\winnt\system32\asr_gphmq
2009-07-22 12:35 79 a------- c:\winnt\system32\asr_aodrt
2009-07-21 21:09 55,296 a------- c:\winnt\system32\33.scr
2009-07-21 09:24 79 a------- c:\winnt\system32\asr_vhcst
2009-07-20 19:55 79 a------- c:\winnt\system32\asr_xffvc
2009-07-20 19:52 79 a------- c:\winnt\system32\asr_duwkg
2009-07-20 11:06 24,318 a------- c:\winnt\system32\e_dd01re.wat
2009-07-20 11:06 12,094 a------- c:\winnt\EPISME04.SWB
2009-07-20 11:06 10,942 a------- c:\winnt\EPISME01.SWB
2009-07-20 11:06 10,046 a------- c:\winnt\EPISME03.SWB
2009-07-20 11:06 9,918 a------- c:\winnt\EPISME02.SWB
2009-07-20 11:06 9,662 a------- c:\winnt\EPISME00.SWB
2009-07-20 11:06 9,534 a------- c:\winnt\EPISME08.SWB
2009-07-20 11:06 9,406 a------- c:\winnt\EPISME07.SWB
2009-07-20 11:06 9,406 a------- c:\winnt\EPISME05.SWB
2009-07-20 11:06 9,278 a------- c:\winnt\EPISME09.SWB
2009-07-20 11:06 9,150 a------- c:\winnt\EPISME06.SWB
2009-07-19 20:40 0 a------- C:\bcrypt.html
2009-07-19 17:43 79 a------- c:\winnt\system32\asr_mbybx
2009-07-19 16:52 79 a------- c:\winnt\system32\asr_lpwxj
2009-07-19 16:21 79 a------- c:\winnt\system32\asr_qlzwl
2009-07-19 15:38 79 a------- c:\winnt\system32\asr_ekfti
2009-07-19 15:30 79 a------- c:\winnt\system32\asr_foyjk
2009-07-19 15:02 79 a------- c:\winnt\system32\asr_xwefl
2009-07-15 17:16 79 a------- c:\winnt\system32\asr_rasxg
2009-07-15 16:14 79 a------- c:\winnt\system32\asr_tqiqe
2009-07-15 15:08 79 a------- c:\winnt\system32\asr_vhbql
2009-07-14 20:27 79 a------- c:\winnt\system32\asr_ydwsv
2009-07-14 18:14 79 a------- c:\winnt\system32\asr_ewocx
2009-07-14 17:24 79 a------- c:\winnt\system32\asr_ecppu
2009-07-14 17:22 79 a------- c:\winnt\system32\asr_yrtfb
2009-07-14 15:46 79 a------- c:\winnt\system32\asr_yeaaj
2009-07-14 00:07 79 a------- c:\winnt\system32\asr_dwtzd
2009-07-13 23:13 79 a------- c:\winnt\system32\asr_ujaur

==================== Find3M ====================

2009-07-25 11:35 335,752 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-07-22 17:42 1,636 a------- c:\winnt\system32\d3d9caps.dat
2009-06-24 08:22 11,952 a------- c:\winnt\system32\avgrsstx.dll
2008-05-09 10:04 21,952 ----h--- c:\program files\folder.htt
2008-05-09 10:04 271 ----h--- c:\program files\desktop.ini
2001-05-08 13:00 32,528 a------- c:\winnt\inf\wbfirdma.sys

============= FINISH: 11:41:54.36 ===============
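The log above carries the whole story in a few lines: a Winlogon Shell/Taskman hijack pointing into a RECYCLER SID folder, Run entries that drop loose executables straight into %SystemRoot%, a hidden+system sysmngsr322.exe, a string of two-digit .scr files in system32 that are all exactly 158,720 bytes (the same size as sysmngsr322.exe), dozens of tiny asr_xxxxx files, and patch.exe/pp2.exe/load32.exe sitting in the root of C:. The script below is an added triage example for this thread, not part of the original post, of DDS, or of any BleepingComputer tool; it parses the "Pseudo HJT Report" and "Created Last 30" sections of a DDS log and flags exactly those patterns. The sample log is a constructed excerpt copied from the post, and the heuristics (what a clean Winlogon value looks like, that executables in a drive root or loose in %SystemRoot% deserve a look, that three or more differently named files of identical size are a dropper re-copying one payload) are this reviewer's assumptions, not rules DDS itself applies.

```python
"""Triage heuristics for a DDS log (Pseudo HJT Report + Created Last 30).

Added example for this thread; it is not part of the original post, of DDS,
or of any BleepingComputer tool.  The heuristics below are this reviewer's
assumptions about what a clean Windows 2000/XP autorun set looks like."""
import re
from collections import defaultdict

# Constructed sample: entries copied verbatim from the DDS log in the post above.
SAMPLE_LOG = r"""============== Pseudo HJT Report ===============
mWinlogon: Taskman=c:\recycler\s-1-5-21-9747632932-0536966638-592690585-3638\mwau.exe
uWinlogon: Shell=explorer.exe,c:\recycler\s-1-5-21-9747632932-0536966638-592690585-3638\mwau.exe
uRun: [Intel Physical Address Aventis 1.3] c:\winnt\wciactrl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Microsoft® System Manager] c:\winnt\system32\sysmgr.exe
mRun: [Microsoft Driver Setup] c:\winnt\sysmngsr322.exe
mExplorerRun: [Microsoft Driver Setup] c:\winnt\sysmngsr322.exe
=============== Created Last 30 ================
2009-08-11 11:39 158,720 a------- c:\winnt\system32\37.scr
2009-08-11 11:22 158,720 ---shr-- c:\winnt\sysmngsr322.exe
2009-08-11 09:29 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-08-11 07:58 158,720 a------- c:\winnt\system32\36.scr
2009-08-11 07:50 81 a------- c:\winnt\system32\asr_arsui
2009-08-11 07:49 81 a------- c:\winnt\system32\asr_lbxva
2009-08-11 07:46 158,720 a------- c:\winnt\system32\06.scr
2009-08-07 21:57 81 a------- c:\winnt\system32\asr_stwxn
2009-07-29 11:22 0 a------- C:\load32.exe
2009-07-28 18:57 139,776 a------- C:\pp2.exe
2009-07-28 18:43 79,872 a------- C:\patch.exe
============= FINISH: 11:41:54.36 ===============
"""

# DDS prefixes: u = HKCU, m = HKLM, d = default user; StartupFolder is a .lnk list.
AUTORUN_RE = re.compile(
    r"^([umd]?(?:Winlogon|Run|RunOnce|ExplorerRun)|StartupFolder):\s*(.*)$", re.I)
# "2009-08-11 11:39 158,720 a------- c:\winnt\system32\37.scr"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
# An .exe sitting directly in %SystemRoot% rather than in a subfolder (assumption:
# on this box only explorer.exe legitimately lives there).
LOOSE_SYSROOT_EXE = re.compile(r"c:\\win(?:nt|dows)\\[^\\]+\.exe$")
# An executable sitting in the root of a drive (C:\patch.exe and friends).
DRIVE_ROOT_EXE = re.compile(r"[a-z]:\\[^\\]+\.(?:exe|scr|dll|sys)$")


def triage_autoruns(log: str) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs for autorun entries worth a second look."""
    findings = []
    for raw in log.splitlines():
        m = AUTORUN_RE.match(raw.strip())
        if not m:
            continue
        line, kind, rest = raw.strip(), m.group(1).lower(), m.group(2)
        low = rest.lower()
        if kind.endswith("winlogon"):
            key, _, value = low.partition("=")
            # Shell must be exactly explorer.exe; a comma-appended path is a classic
            # hijack.  Taskman is normally not set at all.
            if key.strip() == "shell" and value.strip() != "explorer.exe":
                findings.append((line, "Winlogon Shell is not plain explorer.exe"))
            elif key.strip() == "taskman":
                findings.append((line, "Winlogon Taskman is set (normally absent)"))
        if "\\recycler\\" in low:
            findings.append((line, "autostart target lives under \\RECYCLER\\"))
        elif LOOSE_SYSROOT_EXE.search(low) and not low.endswith("\\explorer.exe"):
            findings.append((line, "loose executable directly in %SystemRoot%"))
    return findings


def triage_created(log: str) -> list[tuple[str, str]]:
    """Return (path, reason) pairs from the 'Created Last 30' file list."""
    entries = []
    for raw in log.splitlines():
        m = CREATED_RE.match(raw.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        size = int(m.group(2).replace(",", ""))
        entries.append((size, m.group(3), m.group(4).strip().lower()))
    findings = []
    by_size: dict[int, list[str]] = defaultdict(list)
    for size, attrs, path in entries:
        if DRIVE_ROOT_EXE.fullmatch(path):
            findings.append((path, f"executable dropped in drive root ({size:,} bytes)"))
        if path.endswith(".exe") and "h" in attrs and "s" in attrs:
            findings.append((path, "executable with hidden+system attributes"))
        if size > 0:
            by_size[size].append(path)
    # Many differently named files of exactly the same size, written within days of
    # each other, are a dropper re-copying one payload under fresh random names.
    for size, paths in by_size.items():
        if len(paths) >= 3:
            findings.append((", ".join(sorted(paths)),
                             f"{len(paths)} files of identical size {size:,} bytes"))
    return findings


if __name__ == "__main__":
    for section, findings in (("autoruns", triage_autoruns(SAMPLE_LOG)),
                              ("created files", triage_created(SAMPLE_LOG))):
        print(f"== {section}: {len(findings)} finding(s)")
        for item, reason in findings:
            print(f"  {reason}\n    {item}")
```

Run it against a full DDS log pasted into SAMPLE_LOG (or read from a file) and the output is the short list a responder actually wants: the Winlogon hijack, the RECYCLER path, the loose %SystemRoot% executables, the hidden+system dropper, and the two size clusters (the 158,720-byte .scr family that matches sysmngsr322.exe, and the 81-byte asr_ files). Legitimate software such as the AVG tray entry produces no finding. The size-cluster check is deliberately directory-agnostic so that a payload copied from %SystemRoot% into system32 under new names is still tied back to its source.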



#2 shelf life


  • Malware Response Team

Posted 22 August 2009 - 07:13 PM

Hi Mary Saunders,

Sorry for the delay; there is no shortage of posters. Your log is several days old. If you still need help, simply reply to my post and we will see what we can do.

How Can I Reduce My Risk to Malware?
