can anyone solve this problem?

yermaw · 06-07-2006, 11:22 AM

Hi everyone, I'm new to this forum. I have a bit of a problem that I hope can be solved. I use AVG and it keeps reporting that I have been infected by a trojan horse and flagging up a .dll file in the system32 folder - sertgs.dll.

I've looked in the folder and this file doesnt appear to be in there and AVG doesnt appear to be able to do anything to solve the problem.

Now when I'm browsing the 'net sometimes if I type a URL into the address bar, I will be re-directed to a Google page which has some pre-defined seacrh for some kind of product. Im using XP and IE.

I use Ad-aware and Spybot which I run at least 2 or 3 times a week, I also have Spyware Blaster installed on my PC. I have also tried a couple of on-line scans which don't seem to spot anything.

Having tried all avenues using these various applications, I have decided to run HijackThis and post the log hoping that somebody may spot something in here.

Here it is:-

Logfile of HijackThis v1.99.1
Scan saved at 18:21:43, on 07/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\lssas.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\msthost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK2690DM.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094162382359
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Cheers

Hustler24 · 06-08-2006, 10:51 AM

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.

Hustler24 · 06-09-2006, 12:24 AM

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

DISABLE ANTISPYWARE PROTECTION

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

DISABLE AND DELETE SERVICES

Click Start->Run - type SERVICES.MSC & then click on the OK button

Locate the service - Network DDE Connections
Double-click on it to open the Properties dialog.
Under the General tab:
Stop the service by using the Stop button.
Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, copy/paste NETDDEC Click on the OK button

Repeat the above steps for the service Netbios Helper Service.

------------------

DOWNLOADS

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

------------------

Please download Dr.Web CureIT

Alternate Download Site http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html

-------------------

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop.

-------------------

SAFE MODE

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

------------------

KILL PROCESSES

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).

C:\WINDOWS\system32\lssas.exe < NOTE THE SPELLING

-------------------

ADD/REMOVE PROGRAMS

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint
Viewpoint Manager
Viewpoint Bar

-----------------

FIXES WITH HIJACK THIS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109
O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe

Please remember to close all other windows, including browsers then click Fix checked.

FILE DELETIONS

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\ Viewpoint
C:\WINDOWS\system32\ hgqhp.exe
C:\WINDOWS\SYSTEM32\ sertgs.dll
C:\WINDOWS\system32\ altsvc.exe
C:\WINDOWS\system32\ service.exe
C:\WINDOWS\system32\ lssas.exe < NOT THE LEGITIMATE lsass.exe

CLEANUP!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK
Press the CleanUp! button to start the program. DO NOT reboot/logoff when prompted.

-------------------

DR WEB CURE IT!

Doubleclick the "drweb-cureit.exe" and click "OK" in the prompt window that will open.
Then click "start the express scan now". It will first make a quick scan of your system so let it clean what it finds and when it says "done" click on the Green Screwdriver-ActionsTab, Adware-Dialers-Riskware-Hacktools and use dropdown menu and select "Delete"
Click on the drive(s) you want to scan.
A red dot * will mark the selected drive(s) then hit the green arrow in lower right corner.
It will now scan your drive(s) so say YES to ALL.

Reboot your system in Normal Mode.

----------------------

FIX WAREOUT

Double-click the Fixwareout file that you downloaded earlier. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved as C:\fixwareoutreport.txt. Post it in your reply.

-----------------

ONLINE SCAN

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report here together with a new HiJackThis log, the log from DrWeb CureIt and C:\fixwareoutreport.txt.

yermaw · 06-09-2006, 08:44 AM

Thank you for taking time to look at my problem Hustler.

The following files which you instructed me to remove

C:\WINDOWS\system32\hgqhp.exe
C:\WINDOWS\SYSTEM32\sertgs.dll

were not in the system32 folder, yet when I ran DrWeb it found the sertgs.dll

here are my logs

HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 15:32:32, on 09/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\system32\SK2690DM.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094162382359
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: sertgs - sertgs.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Panda ActiveScan

Incident Status Location
Adware:adware/cws Not disinfected C:\Documents and Settings\John McKenzie\Favorites\Health
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\John McKenzie\Cookies\john mckenzie@apmebf[1].txt
Virus:Bck/IRCFlood.I Disinfected C:\WINDOWS\system32\setuphl.cmd

CureIt.log

Dr.Web(R) Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright (c) Igor Daniloff, 1992-2006
Log generated on: 2006-06-09, 12:29:51 [JOHNSCOMPUTER][John McKenzie]
Command-line: "C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini

Engine version: 4.33 (4.33.3.06020)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 737 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 53 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 745 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 773 virus records
[Virus base] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 125071
Key file: C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05

Scan statistics

Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00

[Scan path] C:\WINDOWS\system32\smss.exe
[Scan path] C:\WINDOWS\system32\csrss.exe
[Scan path] C:\WINDOWS\system32\services.exe
[Scan path] C:\WINDOWS\system32\lsass.exe
[Scan path] C:\WINDOWS\system32\svchost.exe
[Scan path] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\_start.exe
[Scan path] C:\DOCUME~1\JOHNMC~1\LOCALS~1\Temp\RarSFX0\cureit.exe
[Scan path] C:\WINDOWS\system32\SK2690DM.EXE
[Scan path] C:\WINDOWS\system32\pctspk.exe
[Scan path] C:\WINDOWS\system32\VTPreset.exe
[Scan path] C:\WINDOWS\system32\RunDll32.exe
[Scan path] C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[Scan path] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
[Scan path] C:\WINDOWS\system32\NeroCheck.exe
[Scan path] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
[Scan path] C:\Program Files\Windows Defender\MSASCui.exe
[Scan path] C:\WINDOWS\system32\yaemu.exe
>C:\WINDOWS\system32\yaemu.exe infected with Trojan.DnsChange - incurable - moved

[Scan path] C:\WINDOWS\system32\ctfmon.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
[Scan path] C:\Documents and Settings\John McKenzie\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\WINDOWS\Explorer.exe
[Scan path] C:\WINDOWS\system32\mmsys.cpl
[Scan path] C:\WINDOWS\system32\icmui.dll
[Scan path] C:\WINDOWS\system32\rshx32.dll
[Scan path] C:\WINDOWS\system32\docprop.dll
[Scan path] C:\WINDOWS\system32\ntshrui.dll
[Scan path] C:\WINDOWS\System32\themeui.dll
[Scan path] C:\WINDOWS\system32\deskadp.dll
[Scan path] C:\WINDOWS\system32\deskmon.dll
[Scan path] C:\WINDOWS\system32\dssec.dll
[Scan path] C:\WINDOWS\system32\SlayerXP.dll
[Scan path] C:\WINDOWS\system32\shscrap.dll
[Scan path] C:\WINDOWS\system32\diskcopy.dll
[Scan path] C:\WINDOWS\system32\ntlanui2.dll
[Scan path] C:\WINDOWS\system32\printui.dll
[Scan path] C:\WINDOWS\system32\dskquoui.dll
[Scan path] C:\WINDOWS\system32\syncui.dll
[Scan path] C:\WINDOWS\System32\hticons.dll
[Scan path] C:\WINDOWS\system32\fontext.dll
[Scan path] C:\WINDOWS\system32\deskperf.dll
[Scan path] C:\WINDOWS\system32\cryptext.dll
[Scan path] C:\WINDOWS\system32\NETSHELL.dll
[Scan path] C:\WINDOWS\system32\wiashext.dll
[Scan path] C:\WINDOWS\System32\remotepg.dll
[Scan path] C:\WINDOWS\System32\wshext.dll
[Scan path] C:\Program Files\Common Files\system\ole db\oledb32.dll
[Scan path] C:\WINDOWS\System32\mstask.dll
[Scan path] C:\WINDOWS\system32\shdocvw.dll
[Scan path] C:\WINDOWS\System32\shmedia.dll
[Scan path] C:\WINDOWS\System32\browseui.dll
[Scan path] C:\WINDOWS\System32\sendmail.dll
[Scan path] C:\WINDOWS\System32\occache.dll
[Scan path] C:\WINDOWS\System32\webcheck.dll
[Scan path] C:\WINDOWS\System32\appwiz.cpl
[Scan path] C:\WINDOWS\System32\shimgvw.dll
[Scan path] C:\WINDOWS\System32\netplwiz.dll
[Scan path] C:\WINDOWS\System32\zipfldr.dll
[Scan path] C:\WINDOWS\System32\msieftp.dll
[Scan path] C:\WINDOWS\System32\docprop2.dll
[Scan path] C:\WINDOWS\System32\dsquery.dll
[Scan path] C:\WINDOWS\System32\dsuiext.dll
[Scan path] C:\WINDOWS\System32\mydocs.dll
[Scan path] C:\WINDOWS\System32\cscui.dll
[Scan path] C:\WINDOWS\msagent\agentpsh.dll
[Scan path] C:\WINDOWS\System32\dfsshlex.dll
[Scan path] C:\WINDOWS\System32\photowiz.dll
[Scan path] C:\WINDOWS\System32\mmcshext.dll
[Scan path] C:\WINDOWS\system32\cabview.dll
[Scan path] C:\Program Files\Outlook Express\wabfind.dll
[Scan path] C:\WINDOWS\system32\wmpshell.dll
[Scan path] C:\Program Files\WinRAR\rarext.dll
[Scan path] C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
[Scan path] C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
[Scan path] C:\Program Files\Real\RealOne Player\rpshell.dll
[Scan path] C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll
[Scan path] C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll
[Scan path] C:\Program Files\SmartFTP Client 2.0\smarthook.dll
[Scan path] C:\WINDOWS\System32\cdfview.dll
[Scan path] C:\WINDOWS\system32\wuaucpl.cpl
[Scan path] C:\WINDOWS\System32\twext.dll
[Scan path] C:\WINDOWS\System32\extmgr.dll
[Scan path] C:\WINDOWS\system32\Audiodev.dll
[Scan path] C:\Program Files\Grisoft\AVG Free\avgse.dll
[Scan path] C:\WINDOWS\system32\LinkDropHandler.dll
[Scan path] D:\Program Files\iTunes\iTunesMiniPlayer.dll
[Scan path] D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
[Scan path] D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
[Scan path] D:\Program Files\Microsoft Office\OFFICE11\msohev.dll
[Scan path] D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
[Scan path] C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
[Scan path] C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
[Scan path] C:\WINDOWS\system32\SHELL32.dll
[Scan path] C:\WINDOWS\System32\stobject.dll
[Scan path] C:\WINDOWS\system32\crypt32.dll
[Scan path] C:\WINDOWS\system32\cryptnet.dll
[Scan path] C:\WINDOWS\system32\cscdll.dll
[Scan path] C:\WINDOWS\system32\wlnotify.dll
[Scan path] C:\WINDOWS\system32\sclgntfy.dll
[Scan path] C:\WINDOWS\system32\sertgs.dll
>C:\WINDOWS\system32\sertgs.dll infected with BackDoor.Haxdoor.289 - will be cured after reboot

[Scan path] C:\WINDOWS\system32\WgaLogon.dll
[Scan path] C:\WINDOWS\System32\DRIVERS\ACPI.sys
[Scan path] C:\WINDOWS\system32\drivers\aec.sys
[Scan path] C:\WINDOWS\System32\drivers\afd.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\alcan5wn.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\alcaudsl.sys
[Scan path] C:\WINDOWS\System32\alg.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\amdk7.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\asyncmac.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atmarpc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\audstub.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Scan path] C:\WINDOWS\System32\Drivers\avg7core.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsw.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsxp.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[Scan path] C:\WINDOWS\System32\Drivers\avgtdi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\cdrom.sys
[Scan path] C:\WINDOWS\system32\cisvc.exe
[Scan path] C:\WINDOWS\system32\clipsrv.exe
[Scan path] C:\WINDOWS\system32\drivers\cmuda.sys
[Scan path] C:\WINDOWS\System32\dllhost.exe
[Scan path] C:\Program Files\MATCO\DirmsService.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\disk.sys
[Scan path] d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
[Scan path] C:\WINDOWS\System32\dmadmin.exe
[Scan path] C:\WINDOWS\System32\drivers\dmboot.sys
[Scan path] C:\WINDOWS\system32\drivers\DMusic.sys
[Scan path] C:\WINDOWS\system32\drivers\drmkaud.sys
[Scan path] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\fdc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\fetnd5a.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\flpydisk.sys
[Scan path] C:\WINDOWS\system32\drivers\fltmgr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ftdisk.sys
[Scan path] C:\WINDOWS\system32\Drivers\fwdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\gameenum.sys
[Scan path] C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\msgpc.sys
[Scan path] C:\WINDOWS\System32\Drivers\HTTP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\i8042prt.sys
[Scan path] C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\imapi.sys
[Scan path] C:\WINDOWS\System32\imapi.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\Intels51.sys
[Scan path] C:\WINDOWS\system32\drivers\ip6fw.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipinip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipnat.sys
[Scan path] C:\Program Files\iPod\bin\iPodService.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\ipsec.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\irenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\isapnp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\kbdclass.sys
[Scan path] C:\WINDOWS\system32\drivers\kmixer.sys
[Scan path] C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
[Scan path] C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
[Scan path] C:\WINDOWS\System32\mnmsrvc.exe
[Scan path] C:\WINDOWS\system32\drivers\MODEMCSA.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mouclass.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxdav.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
[Scan path] C:\WINDOWS\System32\msdtc.exe
[Scan path] C:\WINDOWS\system32\msiexec.exe
[Scan path] C:\WINDOWS\system32\drivers\MSKSSRV.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPCLOCK.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPQM.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mssmbios.sys
[Scan path] C:\WINDOWS\system32\drivers\msmpu401.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndistapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndisuio.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndiswan.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbios.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbt.sys
[Scan path] C:\WINDOWS\system32\netdde.exe
[Scan path] C:\WINDOWS\System32\Drivers\NETMDUSB.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\NMnt.sys
[Scan path] C:\WINDOWS\system32\drivers\npf.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\parport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pciide.sys
[Scan path] C:\Program Files\Kerio\Personal Firewall\persfw.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\raspptp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\processr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\psched.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ptilink.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ptserial.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasacd.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspppoe.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspti.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rdbss.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
[Scan path] C:\WINDOWS\system32\sessmgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\redbook.sys
[Scan path] C:\WINDOWS\System32\Drivers\RootMdm.sys
[Scan path] C:\Program Files\WinPcap\rpcapd.exe
[Scan path] C:\WINDOWS\System32\locator.exe
[Scan path] C:\WINDOWS\System32\rsvp.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\s3gnbm.sys
[Scan path] C:\WINDOWS\System32\SCardSvr.exe
[Scan path] C:\WINDOWS\system32\drivers\scsiport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\secdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serial.sys
[Scan path] C:\WINDOWS\system32\sertgm.sys
C:\WINDOWS\system32\sertgm.sys infected with BackDoor.Haxdoor.292 - deleted

[Scan path] C:\WINDOWS\System32\DRIVERS\sisgrp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\SISAGPX.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\srvkp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\sisnic.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\Sk26902k.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\Sk2690nt.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS
[Scan path] C:\WINDOWS\system32\drivers\splitter.sys
[Scan path] C:\WINDOWS\system32\spoolsv.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\sr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\srv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\swenum.sys
[Scan path] C:\WINDOWS\system32\drivers\swmidi.sys
[Scan path] C:\WINDOWS\system32\drivers\sysaudio.sys
[Scan path] C:\WINDOWS\system32\smlogsvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\tcpip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\termdd.sys
[Scan path] C:\WINDOWS\system32\wdfmgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\update.sys
[Scan path] C:\WINDOWS\System32\ups.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\usbehci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbhub.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbohci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbprint.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
[Scan path] C:\WINDOWS\System32\DRIVERS\usbuhci.sys
[Scan path] C:\WINDOWS\System32\drivers\vga.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\viaagp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\viaidexp.sys
[Scan path] C:\WINDOWS\System32\Drivers\VIAPFD.SYS
[Scan path] C:\WINDOWS\system32\drivers\viaudio.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\vmodem.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\vpctcom.sys
[Scan path] C:\WINDOWS\System32\vssvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\vvoice.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\wanarp.sys
[Scan path] C:\WINDOWS\system32\drivers\wdmaud.sys
[Scan path] C:\Program Files\Windows Defender\MsMpEng.exe
[Scan path] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

Scan statistics

Objects scanned: 260
Infected objects found: 3
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 1
Objects renamed: 0
Objects moved: 1
Objects ignored: 0
Scan speed: 649 Kb/s
Scan time: 00:01:12

[Scan path] C:\
C:\Documents and Settings\John McKenzie\ntuser.dat - read error
C:\Documents and Settings\John McKenzie\NTUSER~1.LOG - read error
>C:\Documents and Settings\John McKenzie\DoctorWeb\Quarantine\yaemu.exe infected with Trojan.DnsChange - incurable - moved
C:\Documents and Settings\John McKenzie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\John McKenzie\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\John McKenzie\Local Settings\Temporary Internet Files\Content.IE5\MSI73CSJ\search*.* - read error
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Program Files\mIRC\mirc.exe is riskware program Program.mIRC.616 - deleted
>C:\Program Files\WinRAR\Dos.SFXC:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173787.exe is hacktool program Tool.SrvRunner - deleted
>>C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173788.exe infected with BackDoor.Servu.221 - deleted
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173790.exe is riskware program Program.SrvAny - deleted
>C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173791.exe infected with Trojan.DnsChange - incurable - moved
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173792.sys infected with BackDoor.Haxdoor.292 - deleted
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173793.exe is riskware program Program.mIRC.616 - deleted
C:\WINDOWS\Downloaded Program Files\UWFX6_0001_N69M0603NetInstaller.exe infected with Trojan.Fakealert - deleted
C:\WINDOWS\system32\ms32.dll infected with IRC.Gajawa - deleted
>>C:\WINDOWS\system32\msthost.exe infected with BackDoor.IRC.based - deleted
C:\WINDOWS\system32\config\default - read error
C:\WINDOWS\system32\config\default.LOG - read error
C:\WINDOWS\system32\config\SAM - read error
C:\WINDOWS\system32\config\SAM.LOG - read error
C:\WINDOWS\system32\config\SECURITY - read error
C:\WINDOWS\system32\config\SECURITY.LOG - read error
C:\WINDOWS\system32\config\software - read error
C:\WINDOWS\system32\config\software.LOG - read error
C:\WINDOWS\system32\config\system - read error
C:\WINDOWS\system32\config\system.LOG - read error

Scan statistics

Objects scanned: 104051
Infected objects found: 7
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 3
Hacktool programs found: 1
Objects cured: 0
Objects deleted: 9
Objects renamed: 0
Objects moved: 2
Objects ignored: 0
Scan speed: 602 Kb/s
Scan time: 01:28:58

Dr Web Report

Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

Hustler24 · 06-10-2006, 01:49 AM

DOWNLOADS

Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

--------------------

Download the ISTBar Removal Tool and run it.

---------------------

SAFE MODE

Reboot into Safe Mode following the instructions given earlier.

---------------------

FIXES WITH HIJACK THIS

Fix the following lines with HJT, making sure all other windows are closed:

O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109
O20 - Winlogon Notify: sertgs - sertgs.dll (file missing)

--------------------

FILE DELETIONS

Please locate and delete the following files/folders:

C:\Documents and Settings\John McKenzie\DoctorWeb\Quarantine\ yaemu.exe

---------------------

DELETE COOKIES

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.

----------------------

ONLINE SCAN

Reboot into Normal mode.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------

UPDATE JAVA

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
- http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
Under "Temporary Internet Files", click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
- Downloaded Applets
- Downloaded Applications
- Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

-------------------------

Post the Kaspersky log and a new HJT log

How is the system performing now?

yermaw · 06-10-2006, 11:43 AM

Both CWShredder and the ISTBar Removal Tool found nothing

when I ran HijackThis, the following entry which you advised me to remove wasnt in the log

O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 15:25:03, on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094162382359
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, June 10, 2006 5:37:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 10/06/2006
Kaspersky Anti-Virus database records: 199716
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 100162
Number of viruses found: 3
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 02:00:34

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173794.dll Infected: Backdoor.IRC.Zapchast skipped
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173795.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173828.cmd Infected: Backdoor.IRC.Zapchast skipped
C:\WINDOWS\system32\qos.dll Infected: Backdoor.IRC.Zapchast skipped
D:\exefiles2\ccsetup122.zip/ccsetup122.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\exefiles2\ccsetup122.zip/ccsetup122.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\exefiles2\ccsetup122.zip/ccsetup122.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\exefiles2\ccsetup122.zip ZIP: infected - 3 skipped

Scan process completed.

AVG doesnt appear to be alerting me to anything now, however I still get re-directed to certain pages when typing in url's inyo the address bar.

I had another look at my installed programs using Add/Remove programs in control planel. There is an entry in there which is called WildTangent web driver which I cant remove, even in safe mode.

Could this be causing any problems?

Hustler24 · 06-11-2006, 02:57 AM

We'll have a look at the add/remove list and see if we can remove anything spywere/adware related. WildTangent is one program but there may be others.

Your HJT log is clean now so we'll have to look at other avenues.

-----------------

FILE DELETIONS

Reboot into Safe Mode and delete the following file:

C:\WINDOWS\system32\ qos.dll

------------------

DOWNLOADS

Reboot normally.

Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

------------------

Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts

Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.

--------------

Download GMER Rootkit Scanner from here.

Unzip it to your Desktop and double-click gmer.exe

Run the program and select the Rootkit tab. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button and post the log in this thread.

----------------

CREATE UNINSTALL LIST

Open Hijack This
Click on the "Configure" button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Open Uninstall Manager"
Click on the button "Save list"

---------------

So post the Silent Runners log and the StartDreck log in your reply along with the HJT uninstall list and the GMER log.

yermaw · 06-11-2006, 01:58 PM

Silent Runners

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Hot Key Kbd 2690 Daemon" = "SK2690DM.EXE" ["Silitek Corporation"]
"PCTVOICE" = "pctspk.exe" ["PCtel, Inc."]
"VTPreset" = "VTPreset.exe" ["S3 Graphics, Inc."]
"C-Media Speaker Configuration" = "F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER" [file not found]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"EPSON Stylus C44 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"" ["SEIKO EPSON CORPORATION"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{08E74C67-99A6-45C7-94DA-A397A8FD8082}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PopupManager Class"
\InProcServer32\(Default) = "C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKCU...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities\sdshelex.dll" ["TuneUp Software GmbH"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
-> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{83D96563-DB11-42DF-92F9-32CE7BA54ED8}" = "Altova Shortcut Drop Handler"
-> {HKLM...CLSID} = "Altova Shortcut Drop Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\LinkDropHandler.dll" ["Altova GmbH"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Camouflage\(Default) = "{29557489-990B-11D4-9413-004095490AD4}"
-> {HKLM...CLSID} = "CamouflageShell.ShellExt"
\InProcServer32\(Default) = "C:\Program Files\Camouflage\CamShell.dll" ["Twisted Pear Productions"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Default executables:
--------------------

HKLM\Software\Classes\.hta\(Default) = (value not set)

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\John McKenzie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Startup items in "John McKenzie" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]

Enabled Scheduled Tasks:
------------------------

"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{2222EF56-F49E-4D07-A14E-8D2B08766958}\
"ButtonText" = "Edit with Altova X&MLSpy"
"MenuText" = "Edit with Altova X&MLSpy"
"Script" = "C:\Program Files\Altova\XMLSpy2005\spy.htm" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.wanadoo.co.uk

Missing lines (compared with English-language version):
[Strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Application Data/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Diskeeper, Diskeeper, ""d:\Program Files\Executive Software\DiskeeperLite\DKService.exe"" ["Executive Software International, Inc."]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
Kerio Personal Firewall, PersFw, ""C:\Program Files\Kerio\Personal Firewall\persfw.exe"" ["Kerio Technologies"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 251 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 63 seconds.
---------- (total run time: 377 seconds)

GMER

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-11 20:47:19
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.10 ----

SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwClose
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateFile
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateProcess
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateProcessEx
SSDT \SystemRoot\system32\Drivers\fwdrv.sys ZwCreateSection

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}
File D:\System Volume Information\MountPointManagerRemoteDatabase
File D:\System Volume Information\tracking.log
File D:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}
File I:\System Volume Information\MountPointManagerRemoteDatabase
File I:\System Volume Information\tracking.log
File I:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}
File J:\System Volume Information\MountPointManagerRemoteDatabase
File J:\System Volume Information\tracking.log
File J:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}
File K:\System Volume Information\MountPointManagerRemoteDatabase
File K:\System Volume Information\tracking.log
File K:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}

---- EOF - GMER 1.0.10 ----

StartDreck

StartDreck (build 2.1.7 public stable) - 2006-06-11 @ 20:08:59 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as John McKenzie at JOHNSCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=C:\WINDOWS\system32\ctfmon.exe
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
*ALUAlert=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
*AVG7_Run=C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
»RunOnce
»Local Machine
»Run
*Hot Key Kbd 2690 Daemon=SK2690DM.EXE
*PCTVOICE=pctspk.exe
*VTPreset=VTPreset.exe
*C-Media Speaker Configuration=F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER
*Cmaudio=RunDll32 cmicnfg.cpl,CMICtrlWnd
*SpeedTouch USB Diagnostics="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
*AVG7_CC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
*AVG7_EMC=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
*EPSON Stylus C44 Series=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
*NeroFilterCheck=C:\WINDOWS\system32\NeroCheck.exe
*SunJavaUpdateSched=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
*Windows Defender="C:\Program Files\Windows Defender\MSASCui.exe" -hide
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+512=\SystemRoot\System32\smss.exe
+584=\??\C:\WINDOWS\system32\csrss.exe
+608=\??\C:\WINDOWS\system32\winlogon.exe
+652=C:\WINDOWS\system32\services.exe
+664=C:\WINDOWS\system32\lsass.exe
+808=C:\WINDOWS\system32\svchost.exe
+852=C:\WINDOWS\system32\svchost.exe
+888=C:\Program Files\Windows Defender\MsMpEng.exe
+932=C:\WINDOWS\System32\svchost.exe
+1032=C:\WINDOWS\System32\svchost.exe
+1088=C:\WINDOWS\System32\svchost.exe
+1192=C:\WINDOWS\system32\spoolsv.exe
+1308=C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
+1324=C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
+1400=d:\Program Files\Executive Software\DiskeeperLite\DKService.exe
+1432=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1464=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+1504=C:\Program Files\Kerio\Personal Firewall\persfw.exe
+1736=C:\WINDOWS\system32\wdfmgr.exe
+1960=C:\WINDOWS\Explorer.EXE
+556=C:\WINDOWS\system32\SK2690DM.EXE
+776=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
+960=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
+984=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
+1000=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
+1132=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
+1108=C:\Program Files\Windows Defender\MSASCui.exe
+1240=C:\WINDOWS\system32\ctfmon.exe
+1664=C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
+2052=C:\WINDOWS\system32\wuauclt.exe
+2816=C:\Documents and Settings\John McKenzie\Desktop\StartDreck\StartDreck.exe
»Application specific

HJT Uninstall List

Ad-Aware SE Personal
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Altova XMLSpy 2005 Home Edition
Anti-Leech Plugin for Internet Explorer
AOL Instant Messenger
AVG Free Edition
BHA B's Recorder GOLD 5.09
BitTornado 0.3.7
BlueJ 2.0.0
Camouflage
CCleaner (remove only)
CD Stomper 32 bit
CleanUp!
C-Media 3D Audio
dBpowerAMP FLAC Codec
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
dBpowerAMP Real Audio Codec
dBpowerAMP Shorten Codec
dBpowerAMP WMA V9 Codec
DC++ (remove only)
DirMS-S
Diskeeper Lite
DivX
DivX Player
DVD Decrypter (Remove Only)
EPSON Printer Software
FeedReader
FileMerlin
Generic 1.3 CMOS USB Camera
HijackThis 1.99.1
HSP56 MR Drivers
HTML-Kit
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Kaspersky On-line Scanner
Kerio Personal Firewall 2.1.5
LeaguePad
Macromedia Extension Manager
Macromedia Flash Player 8
Micro Trivial Pursuit
Microsoft Data Access Components KB870669
Microsoft DirectX Transform optional components
Microsoft Office Professional Edition 2003
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser and SDK
mIRC
Mozilla Firefox (1.0.6)
MSN Messenger 7.5
Nero Suite
OpenMG Limited Patch 3.1-02-10-22-01
OpenMG Limited Patch 3.1-02-10-22-02
OpenMG Limited Patch 3.1-02-12-04-01
OpenMG Secure Module 3.1
Opera
Panda ActiveScan
PCI Audio Applications
Picture Package
Popup Manager (remove only)
PowerDVD
PrintFolder 1.2
ProSavageDDR and Utilities
QuickTime
RealPlayer
S3Display
S3Gamma2
S3Info2
S3Overlay
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SELECT SSADM Workbench Single User
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
SmartFTP
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
SonicStage 1.5.06
Sony USB Driver
SoulSeek 157 test 8
SoulSeek Client 156c
SpeedTouch USB Software
Spybot - Search & Destroy 1.2
SpywareBlaster v3.2
TMPGEnc DVD Author 1.5
Touch Manager (PS/2 Internet Compact Keyboard)
TuneUp Utilities 2003
Ulead GIF Animator 5 ESD
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Wanadoo Connection Kit v1.5
WildTangent Web Driver
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinMX
WinPcap 3.1 beta3
WinRAR archiver
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger with BT Communicator

Hustler24 · 06-12-2006, 02:28 AM

DOWNLOADS

Please download the new version of Firefox from here.

--------------------

Download haxfix.exeand save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:

1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Select option 1. Make logfile by typing 1 and then pressing "Enter"
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
Copy the contents of that logfile and paste it into this thread.

----------------------

Which sites are you being redirected to and what URLs are you being redirected from?

yermaw · 06-12-2006, 07:57 AM

ok AVG is now flagging up a file called qz.dll in the system32 folder so I have used AVG to delete it.

To be honest, I cant relly remember what urls they were, it just seems to happen on random ones. I am usually re-directed to a search on google for a certain product, or some porn site!

I downloaded and HaxFix, but it is finding nothing.

Hustler24 · 06-12-2006, 08:02 AM

Did you produce the log first?

If you try to run the fix without producing a log first, nothing will be found. The fix needs files that the tool creates when the log is produced.

yermaw · 06-12-2006, 08:04 AM

oops sorry, I dont think i did that! will run it again now

yermaw · 06-12-2006, 08:07 AM

ok here it is

HAXFIX logfile - by Marckie
--------------
version 2.44
12/06/2006 15

33.58

checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
no matching notify keys found

checking for matching services....
matching services found
Aspi32
sertgs
sertgm

checking for matching safeboot services....
matching safeboot services found
sertgs.sys
sertgm.sys

Hustler24 · 06-12-2006, 03:23 PM

Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 3. Run manual fix by typing 3 and then pressing "Enter"

This message will appear:

Quote:

echo Insert the haxdoorkey,
and then press Enter:

Type the following: sertgs
When this is a valid choice, the key will be added to delete.
There is the possibility to add a new key: Yes (type Y) or No (type N).

Followed by this message:

Haxdoorkey sertgs added to delete.

Do you want to add a new haxdoorkey?

Press Y for YES and repeat the above for sertgm
When you have entered the last haxdoorkey, type N for No and press "Enter"
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of the logfile together with a new HijackThis log.

yermaw · 06-13-2006, 03:10 AM

OK I've ran the manual fix and for both sertgs and sertgm its saying Haxdoor has not been added - no haxdoor key found.

Hustler24 · 06-13-2006, 01:57 PM

Open this folder C:\Program Files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing "Enter"

If an infection is found, you'll get a message to close all other open windows.

Close all open windows except the red dos window from haxfix and then press "Enter"
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
Post the contents of that logfile along with a new HijackThis log.

yermaw · 06-14-2006, 08:00 AM

Autofix is reporting no haxdoor key found aswell.

Hustler24 · 06-14-2006, 10:46 AM

Download RegSearch. Extract the cotents of the ZIP file and double-click RegSearch.exe to run the program.

Type sertgs into the top search box and click OK

When the tool has finished searching, Notepad will open with some text in it. Copy and paste the text here.

----------------

Repeat the process for sertgm. So you should get 2 logs. Post them both here please.

yermaw · 06-14-2006, 11:02 AM

sertgs

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 14/06/2006 17:51:09 for strings:
; 'sertgs'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000]
"Service"="sertgs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Enum]
"0"="Root\\LEGACY_SERTGS\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS\0000]
"Service"="sertgs"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sertgs.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000]
"Service"="sertgs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Enum]
"0"="Root\\LEGACY_SERTGS\\0000"

; End Of The Log...

sertgm

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 14/06/2006 17:59:09 for strings:
; 'sertgm'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000]
"Service"="sertgm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Enum]
"0"="Root\\LEGACY_SERTGM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000]
"Service"="sertgm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sertgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000]
"Service"="sertgm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Enum]
"0"="Root\\LEGACY_SERTGM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs]
; Contents of value:
; \??\c:\windows\system32\sertgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00

; End Of The Log...

Hustler24 · 06-15-2006, 12:26 AM

Please download the attached ZIP file. Double-click the reg file inside. The system will ask whether you would like to merge the contents with the registry. Click 'Yes'. This will remove malware entries from the registry.

-----------------

Run another scan at Kaspersky and post the log it produces with a new HJT log.

-----------------

How is the system performing now?

06-07-2006, 11:22 AM	#1 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	can anyone solve this problem? Hi everyone, I'm new to this forum. I have a bit of a problem that I hope can be solved. I use AVG and it keeps reporting that I have been infected by a trojan horse and flagging up a .dll file in the system32 folder - sertgs.dll. I've looked in the folder and this file doesnt appear to be in there and AVG doesnt appear to be able to do anything to solve the problem. Now when I'm browsing the 'net sometimes if I type a URL into the address bar, I will be re-directed to a Google page which has some pre-defined seacrh for some kind of product. Im using XP and IE. I use Ad-aware and Spybot which I run at least 2 or 3 times a week, I also have Spyware Blaster installed on my PC. I have also tried a couple of on-line scans which don't seem to spot anything. Having tried all avenues using these various applications, I have decided to run HijackThis and post the log hoping that somebody may spot something in here. Here it is:- Logfile of HijackThis v1.99.1 Scan saved at 18:21:43, on 07/06/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe d:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\altsvc.exe C:\WINDOWS\system32\service.exe C:\WINDOWS\system32\lssas.exe C:\Program Files\Kerio\Personal Firewall\persfw.exe C:\WINDOWS\system32\msthost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\SK2690DM.EXE C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe D:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo O1 - Hosts: 64.91.255.87 www.dcsresearch.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file) O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [C-Media Speaker Configuration] F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Picture Package Menu.lnk = ? O4 - Global Startup: Picture Package VCD Maker.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094162382359 O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService.exe O23 - Service: Diskeeper - Executive Software International, Inc. - d:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) Cheers

06-09-2006, 12:24 AM	#3 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Hello and welcome to TSF Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Go to My Computer >Tools >Folder Options >View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK. DISABLE ANTISPYWARE PROTECTION Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. DISABLE AND DELETE SERVICES Click Start->Run - type SERVICES.MSC & then click on the OK button Locate the service - Network DDE Connections Double-click on it to open the Properties dialog. Under the General tab: Stop the service by using the Stop button. Change the Startup type to Disabled & then click on the OK button Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, copy/paste NETDDEC Click on the OK button Repeat the above steps for the service Netbios Helper Service. ------------------ DOWNLOADS Download and install CleanUp! but do not run it yet. WARNING Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. ------------------ Please download Dr.Web CureIT Alternate Download Site http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html ------------------- Please download FixWareout from one of these sites: http://downloads.subratam.org/Fixwareout.exe http://www.bleepingcomputer.com/file...Fixwareout.exe Save it to your desktop. ------------------- SAFE MODE Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. ------------------ KILL PROCESSES Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time). C:\WINDOWS\system32\lssas.exe < NOTE THE SPELLING ------------------- ADD/REMOVE PROGRAMS Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Viewpoint Viewpoint Manager Viewpoint Bar ----------------- FIXES WITH HIJACK THIS Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (make sure you do not miss any) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O1 - Hosts: 64.91.255.87 www.dcsresearch.com O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.ocx O17 - HKLM\System\CCS\Services\Tcpip\..\{65AC7DBC-C91A-4491-AC50-E64E85AA3C38}: NameServer = 85.255.116.125,85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109 O17 - HKLM\System\CCS\Services\Tcpip\..\{ECA39CCB-5D01-44CE-9B8D-4F2CF4F6F68C}: NameServer = 85.255.116.125,85.255.112.109 O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe *Please remember to close all other windows, including browsers then click Fix checked.* FILE DELETIONS Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\ Viewpoint C:\WINDOWS\system32\ hgqhp.exe C:\WINDOWS\SYSTEM32\ sertgs.dll C:\WINDOWS\system32\ altsvc.exe C:\WINDOWS\system32\ service.exe C:\WINDOWS\system32\ lssas.exe < NOT THE LEGITIMATE lsass.exe CLEANUP! Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK Press the CleanUp!* button to start the program. DO NOT reboot/logoff when prompted. ------------------- DR WEB CURE IT! Doubleclick the "drweb-cureit.exe" and click "OK" in the prompt window that will open. Then click "start the express scan now". It will first make a quick scan of your system so let it clean what it finds and when it says "done" click on the Green Screwdriver-ActionsTab, Adware-Dialers-Riskware-Hacktools and use dropdown menu and select "Delete" Click on the drive(s) you want to scan. A red dot * will mark the selected drive(s) then hit the green arrow in lower right corner. It will now scan your drive(s) so say YES to ALL. Reboot your system in Normal Mode. ---------------------- FIX WAREOUT Double-click the Fixwareout file that you downloaded earlier. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal. Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved as C:\fixwareoutreport.txt. Post it in your reply. ----------------- ONLINE SCAN Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it * Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. * Turn off the real time scanner of any existing antivirus program while performing the online scan Paste the Panda Scan report here together with a new HiJackThis log, the log from DrWeb CureIt and C:\fixwareoutreport.txt. Last edited by Hustler24; 06-09-2006 at 12:29 AM.

06-10-2006, 01:49 AM	#5 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	DOWNLOADS Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. -------------------- Download the ISTBar Removal Tool and run it. --------------------- SAFE MODE Reboot into Safe Mode following the instructions given earlier. --------------------- FIXES WITH HIJACK THIS Fix the following lines with HJT, making sure all other windows are closed: O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109 O20 - Winlogon Notify: sertgs - sertgs.dll (file missing) -------------------- FILE DELETIONS Please locate and delete the following files/folders: C:\Documents and Settings\John McKenzie\DoctorWeb\Quarantine\ yaemu.exe --------------------- DELETE COOKIES Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies. ---------------------- ONLINE SCAN Reboot into Normal mode. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan --------------------- UPDATE JAVA Updating Java and Clearing Cache Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel. It will say *"Java Plug-in"* under the icon. If it is not visible, click on *'Switch to Classic View'* in the left pane of the Control Panel or *'Other Control Panel Options'* Please find the Update button or tab in the Java Control Panel. Update your Java then reboot. If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp After the reboot, go back into the Control Panel and double-click the Java Icon. Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using. Under "Temporary Internet Files", click the Delete Files button. There are three options in the window to clear the cache - Leave ALL 3 Checked Downloaded Applets Downloaded Applications Other Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Java Control Panel. ------------------------- Post the Kaspersky log and a new HJT log How is the system performing now?

06-11-2006, 02:57 AM	#7 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	We'll have a look at the add/remove list and see if we can remove anything spywere/adware related. WildTangent is one program but there may be others. Your HJT log is clean now so we'll have to look at other avenues. ----------------- FILE DELETIONS Reboot into Safe Mode and delete the following file: C:\WINDOWS\system32\ qos.dll ------------------ DOWNLOADS Reboot normally. Download StartDreck Unzip to its own folder and start the program: Press 'Config' Press 'Unmark All' Check the following boxes only: Registry -> Run Keys System/drivers> Running processes Press 'Ok' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post the log in this thread. ------------------ Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts Launch SilentRunners by double-clicking the downloaded file. In the ensuing Window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete. When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply. -------------- Download GMER Rootkit Scanner from here. Unzip it to your Desktop and double-click gmer.exe Run the program and select the Rootkit tab. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button and post the log in this thread. ---------------- CREATE UNINSTALL LIST Open Hijack This Click on the "Configure" button on the bottom right Click on the tab "Misc Tools" Click on the Box that says "Open Uninstall Manager" Click on the button "Save list" --------------- So post the Silent Runners log and the StartDreck log in your reply along with the HJT uninstall list and the GMER log.

06-12-2006, 02:28 AM	#9 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	DOWNLOADS Please download the new version of Firefox from here. -------------------- Download haxfix.exeand save it to your desktop. Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix) Checkmark "Create a desktop icon" Click "Next" When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed Click "Finish" A red "dos window" (dos box) will open with options: 1. Make logfile 2. Run auto fix 3. Run manual fix E. Exit Haxfix Select option 1. Make logfile by typing 1 and then pressing "Enter" Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt) Copy the contents of that logfile and paste it into this thread. ---------------------- Which sites are you being redirected to and what URLs are you being redirected from? Last edited by Hustler24; 06-12-2006 at 02:29 AM.

06-08-2006, 10:51 AM	#2 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Hi and welcome to TSF. I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply. Please be patient with me during this time.

06-10-2006, 11:43 AM	#6 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	Both CWShredder and the ISTBar Removal Tool found nothing when I ran HijackThis, the following entry which you advised me to remove wasnt in the log O17 - HKLM\System\CCS\Services\Tcpip\..\{D8B1E676-E53E-492C-A5C4-240B3368DF39}: NameServer = 85.255.116.125 85.255.112.109 HijackThis Log Logfile of HijackThis v1.99.1 Scan saved at 15:25:03, on 10/06/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\hijackthis\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.8P.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: (no name) - {8B68564D-53FD-4293-B80C-993A9F3988EE} - (no file) O4 - HKLM\..\Run: [Hot Key Kbd 2690 Daemon] SK2690DM.EXE O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [VTPreset] VTPreset.exe O4 - HKLM\..\Run: [C-Media Speaker Configuration] F:\Sound\C-Media\WinXP\Setup.exe /SPEAKER O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2005\spy.htm O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2005\spy.htm O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1094162382359 O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup161.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...74/mcfscan.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: DirMS_Defragmentation - Unknown owner - C:\Program Files\MATCO\DirmsService.exe O23 - Service: Diskeeper - Executive Software International, Inc. - d:\Program Files\Executive Software\DiskeeperLite\DKService.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) Kaspersky log ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Saturday, June 10, 2006 5:37:00 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 10/06/2006 Kaspersky Anti-Virus database records: 199716 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\ I:\ J:\ K:\ Scan Statistics: Total number of scanned objects: 100162 Number of viruses found: 3 Number of infected objects: 8 Number of suspicious objects: 0 Duration of the scan process: 02:00:34 Infected Object Name / Virus Name / Last Action C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173794.dll Infected: Backdoor.IRC.Zapchast skipped C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173795.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped C:\System Volume Information\_restore{4BCD7FEA-E71B-45EB-8BA0-963757A9039D}\RP464\A0173828.cmd Infected: Backdoor.IRC.Zapchast skipped C:\WINDOWS\system32\qos.dll Infected: Backdoor.IRC.Zapchast skipped D:\exefiles2\ccsetup122.zip/ccsetup122.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped D:\exefiles2\ccsetup122.zip/ccsetup122.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped D:\exefiles2\ccsetup122.zip/ccsetup122.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped D:\exefiles2\ccsetup122.zip ZIP: infected - 3 skipped Scan process completed. AVG doesnt appear to be alerting me to anything now, however I still get re-directed to certain pages when typing in url's inyo the address bar. I had another look at my installed programs using Add/Remove programs in control planel. There is an entry in there which is called WildTangent web driver which I cant remove, even in safe mode. Could this be causing any problems?

06-12-2006, 07:57 AM	#10 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	ok AVG is now flagging up a file called qz.dll in the system32 folder so I have used AVG to delete it. To be honest, I cant relly remember what urls they were, it just seems to happen on random ones. I am usually re-directed to a search on google for a certain product, or some porn site! I downloaded and HaxFix, but it is finding nothing. Last edited by yermaw; 06-12-2006 at 07:59 AM.

06-12-2006, 08:02 AM	#11 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Did you produce the log first? If you try to run the fix without producing a log first, nothing will be found. The fix needs files that the tool creates when the log is produced.

06-12-2006, 08:04 AM	#12 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	oops sorry, I dont think i did that! will run it again now

06-12-2006, 08:07 AM	#13 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	ok here it is HAXFIX logfile - by Marckie -------------- version 2.44 12/06/2006 1533.58 checking for a3d files.... a3d files found ps.a3d checking for matching notify keys.... no matching notify keys found checking for matching services.... matching services found Aspi32 sertgs sertgm checking for matching safeboot services.... matching safeboot services found sertgs.sys sertgm.sys

06-13-2006, 03:10 AM	#15 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	OK I've ran the manual fix and for both sertgs and sertgm its saying Haxdoor has not been added - no haxdoor key found.

06-13-2006, 01:57 PM	#16 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Open this folder C:\Program Files\haxfix and double click on fix.bat (or double click on fix.bat desktop icon) Close all other open windows since this step requires a reboot Select option 2. Run auto fix by typing 2 and then pressing "Enter" If an infection is found, you'll get a message to close all other open windows. Close all open windows except the red dos window from haxfix and then press "Enter" The computer will reboot After reboot a logfile will open > (c:\haxfix.txt) Post the contents of that logfile along with a new HijackThis log. __________________ Last edited by Hustler24; 06-13-2006 at 01:59 PM.

06-14-2006, 08:00 AM	#17 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	Autofix is reporting no haxdoor key found aswell.

06-14-2006, 10:46 AM	#18 (permalink)
Hustler24 Analyst, Security Team Join Date: Mar 2005 Posts: 890 OS: Windows XP Home	Download RegSearch. Extract the cotents of the ZIP file and double-click RegSearch.exe to run the program. Type sertgs into the top search box and click OK When the tool has finished searching, Notepad will open with some text in it. Copy and paste the text here. ---------------- Repeat the process for sertgm. So you should get 2 logs. Post them both here please. __________________

06-14-2006, 11:02 AM	#19 (permalink)
yermaw Registered User Join Date: Jun 2006 Posts: 16 OS: XP	sertgs REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 14/06/2006 17:51:09 for strings: ; 'sertgs' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000] "Service"="sertgs" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGS\0000\Control] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Security] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Enum] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs\Enum] "0"="Root\\LEGACY_SERTGS\\0000" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGS\0000] "Service"="sertgs" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs\Security] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sertgs.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000] "Service"="sertgs" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGS\0000\Control] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Security] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Enum] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs\Enum] "0"="Root\\LEGACY_SERTGS\\0000" ; End Of The Log... sertgm REGEDIT4 ; Registry Search 2.0 by Bobbi Flekman © 2005 ; Version: 2.0.1.0 ; Results at 14/06/2006 17:59:09 for strings: ; 'sertgm' ; Strings excluded from search: ; (None) ; Search in: ; Registry Keys Registry Values Registry Data ; HKEY_LOCAL_MACHINE HKEY_USERS [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000] "Service"="sertgm" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000\LogConf] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SERTGM\0000\Control] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Security] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Enum] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgm\Enum] "0"="Root\\LEGACY_SERTGM\\0000" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sertgs] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000] "Service"="sertgm" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SERTGM\0000\LogConf] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgm\Security] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sertgs] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sertgm.sys] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000] "Service"="sertgm" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000\LogConf] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SERTGM\0000\Control] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Security] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Enum] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgm\Enum] "0"="Root\\LEGACY_SERTGM\\0000" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sertgs] ; Contents of value: ; \??\c:\windows\system32\sertgm.sys "ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\ 6d,33,32,5c,73,65,72,74,67,6d,2e,73,79,73,00 ; End Of The Log...