Dropper.agent.dgo


  • This topic is locked
2 replies to this topic

#1 rojonick

  • Members
  • 2 posts

Posted 18 January 2008 - 03:12 PM

Recently got this Trojan. ComboFix and HJT logs below. Please help!

ComboFix 08-01-18.5 - Rob 2008-01-18 13:51:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.562 [GMT -5:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Rob\Start Menu\MalwareCrush 3.7.lnk
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\ehome\ehtray .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\drvhanr.dll
C:\WINDOWS\system32\exttklay.dll
C:\WINDOWS\system32\jgxsaqlg.dllbox
C:\WINDOWS\system32\kjkmp.ini
C:\WINDOWS\system32\kjkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\nnnkjge.dll
C:\WINDOWS\system32\pmkjk.dll
C:\WINDOWS\system32\pmkjk.exe
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\yalkttxe.ini

<pre>
C:\WINDOWS\ehome\ehtray .exe ---> QooBox
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 13:49 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-18 13:49 . 2008-01-18 07:40 209 --a------ C:\Boot.bak
2008-01-18 13:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-18 12:40 . 2008-01-18 12:40 103,936 --a------ C:\WINDOWS\system32\drvhan.dll
2008-01-18 08:38 . 2008-01-18 09:48 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-18 07:43 . 2008-01-18 07:43 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Ahead
2008-01-18 06:29 . 2008-01-18 07:39 145,408 --a------ C:\WINDOWS\system32\msconfig .exe
2008-01-17 20:09 . 2008-01-16 18:59 158,208 --a------ C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-17 15:55 . 2008-01-18 07:46 4,678 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-17 12:27 . 2008-01-17 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-16 18:57 . 2008-01-16 18:57 103,424 --a------ C:\WINDOWS\system32\drvjal.dll
2008-01-16 13:15 . 2008-01-18 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-16 06:06 . 2008-01-16 06:06 163,904 --a------ C:\WINDOWS\system32\jgxsaqlg.dll
2008-01-12 16:52 . 2008-01-12 17:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\U3
2008-01-12 14:42 . 2008-01-18 06:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-12 14:41 . 2008-01-18 07:32 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-12 14:22 . 2008-01-15 17:16 <DIR> d-------- C:\Program Files\Linksys EasyLink Advisor
2008-01-12 01:06 . 2008-01-12 01:11 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\MailWasher
2007-12-29 18:35 . 2007-12-29 18:44 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PgcEdit
2007-12-29 17:28 . 2007-12-29 18:35 <DIR> d-------- C:\Program Files\PGCEdit
2007-12-24 11:52 . 2007-12-27 13:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-24 11:52 . 2007-12-24 11:52 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-24 11:50 . 2008-01-15 17:17 <DIR> d-------- C:\Program Files\QuickTime
2007-12-24 11:49 . 2007-12-24 11:49 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-24 11:49 . 2007-12-24 11:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-18 18:31 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-18 12:52 --------- d-----w C:\Program Files\Google
2008-01-18 12:44 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-18 12:41 --------- d-----w C:\Program Files\Nero
2008-01-16 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-16 18:15 --------- d-----w C:\Program Files\Lavasoft
2008-01-16 18:15 --------- d-----w C:\Documents and Settings\Rob\Application Data\Lavasoft
2008-01-15 22:17 --------- d-----w C:\Program Files\iTunes
2008-01-15 22:17 --------- d-----w C:\Program Files\dvd43
2008-01-15 22:16 --------- d-----w C:\Program Files\Dell Support
2008-01-12 22:19 --------- d-----w C:\Program Files\Finale 2006
2008-01-12 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\CA
2008-01-10 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
2007-12-28 22:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\RipIt4Me
2007-12-28 16:22 --------- d-----w C:\Program Files\QUICKENW
2007-12-24 17:42 --------- d-----w C:\Program Files\FLV Player
2007-12-24 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-15 20:13 18,816 ----a-w C:\WINDOWS\system32\drivers\dvd43llh.sys
2007-12-12 22:56 --------- d-----w C:\Program Files\Freecorder
2007-11-27 19:49 --------- d-----w C:\Program Files\Listen Rhapsody
2007-11-13 08:09 2,293,712 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTITL.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSTEXT.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSTMP.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSPEC.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSSCRP.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSREH_.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSMET_.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRSCHOR.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\RPRS____.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSSE__.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSO___.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSNN__.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSFS__.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCSC_.FOT
2007-10-31 11:40 1,409 ----a-w C:\WINDOWS\Fonts\OPUSCS__.FOT
.
<pre>
----a-w		   460,288 2008-01-18 11:32:01  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   145,408 2008-01-18 12:39:28  C:\WINDOWS\system32\msconfig .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2007-12-12 17:57 1502232 --a------ C:\Program Files\Freecorder\tbFre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1392B8D2-5C05-419F-A8F6-B9F15A596612}

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= C:\Program Files\Freecorder\tbFre0.dll [2007-12-12 17:57 1502232]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\PROGRA~1\DELLSU~1\DSAgnt.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-18 06:39 15360]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [ ]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ ]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [ ]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [ ]
"CTHelper"="CTHELPER.EXE" [2004-03-11 15:50 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"WinGuard Pro"="C:\WINDOWS\system32\wgp.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"EPSON Stylus Photo 820 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [ ]
"pdfw"="C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [ ]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [ ]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [ ]
"MSDrive"="C:\WINDOWS\system32\drvhan.dll" [2008-01-18 12:40 103936]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-10-10 18:42:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jgxsaqlg]
jgxsaqlg.dll 2008-01-16 06:06 163904 C:\WINDOWS\system32\jgxsaqlg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

R3 Angel;Angel MPEG Device;C:\WINDOWS\system32\DRIVERS\Angel.sys [2005-02-25 00:20]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-13 01:23:12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 13:57:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvhan.dll
.
Completion time: 2008-01-18 13:59:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-18 18:59:26
.
2008-01-09 14:51:32 --- E O F ---
HJT log
************************************************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:37 PM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFre0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [pdfw] C:\Program Files\Amic Utilities\PDF Writer Pro\pdfwload.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvhan.dll,startup
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.listen.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194780107812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194780096390
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37380.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {DECCF968-C279-40E8-97CF-9FECCEFB0EDE} (INVC Participant Console 1.54) - http://www.intechnologies.net/in/clients/p...Participant.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...170/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: jgxsaqlg - C:\WINDOWS\SYSTEM32\jgxsaqlg.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 9683 bytes


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 January 2008 - 10:44 AM

Hi,

I see you have the Freecorder Toolbar installed. This is a Conduit/Effectivebrand toolbar, and some of their toolbars have tracking/adware/spyware functionality. Some of their toolbars are fine to have, though, but if you're not sure about this toolbar, it's better to uninstall it.
I also see you tried to uninstall McAfee previously - leaving you with NO antivirus - so your system is wide open for infection. But since you removed McAfee, I see it wasn't properly removed, so we'll have to delete some leftovers as well, including some other orphaned startup entries, since they were infected.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\drvhan.dll
C:\WINDOWS\system32\drvjal.dll
C:\WINDOWS\system32\jgxsaqlg.dll

Driver::
GoogleDesktopManager-010108-205858
mcupdmgr.exe
McTskshd.exe
McDetect.exe

RENV::
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINDOWS\system32\msconfig .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
"EasyLinkAdvisor"=-
"WMPNSCFG"=-
"updateMgr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
"IAAnotif"=-
"ATIPTA"=-
"CTSysVol"=-
"CTDVDDET"=-
"UpdReg"=-
"dla"=-
"ISUSPM Startup"=-
"ISUSScheduler"=-
"WinGuard Pro"=-
"TkBellExe"=-
"dvd43"=-
"EPSON Stylus Photo 820 Series"=-
"pdfw"=-
"Adobe Reader Speed Launcher"=-
"QuickTime Task"=-
"Winupdate Engine"=-
"mmtask"=-
"iTunesHelper"=-
"DVDLauncher"=-
"NeroFilterCheck"=-
"Google Desktop Search"=-
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jgxsaqlg]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
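The reply above triages the logs by eye: a Run key that uses rundll32.exe to load a DLL out of system32 (MSDrive / drvhan.dll), a Winlogon Notify subkey with a random-looking name (jgxsaqlg), services whose binaries are missing (the McAfee leftovers), and executables whose names carry a space before the extension (the RENV:: targets "ccApp .exe" and "msconfig .exe"). The script below does the same checks over HijackThis lines. It is an added example, not part of the original thread and not code from ComboFix or HijackThis; the sample lines are copied from the logs posted above, and the vowel-ratio threshold in looks_random() is an arbitrary heuristic chosen for this illustration.

```python
import re
from typing import Dict, List

# Lines copied from the HijackThis log posted above (page data, not constructed).
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvhan.dll,startup',
    r'O20 - Winlogon Notify: jgxsaqlg - C:\WINDOWS\SYSTEM32\jgxsaqlg.dll',
    r'O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL',
    r'O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)',
]

# Paths copied from the ComboFix log above; the first two are the RENV:: targets.
SAMPLE_PATHS = [
    r'C:\Program Files\Common Files\Symantec Shared\ccApp .exe',
    r'C:\WINDOWS\system32\msconfig .exe',
    r'C:\WINDOWS\system32\ctfmon.exe',
]

# A space between the base name and the extension: "msconfig .exe" is not "msconfig.exe".
SPACE_BEFORE_EXT = re.compile(r'\S[ \t]+\.(?:exe|dll|scr)\b', re.IGNORECASE)
# rundll32 used as a loader for an arbitrary DLL from a Run key.
RUNDLL32_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
WINLOGON_NOTIFY = re.compile(r'^O20 - Winlogon Notify:\s*(\S+)\s*-\s*(.+)$')
FILE_MISSING = re.compile(r'\(file missing\)\s*$')


def has_space_before_extension(path: str) -> bool:
    """True for names like 'ccApp .exe' that impersonate a legitimate binary."""
    return SPACE_BEFORE_EXT.search(path) is not None


def looks_random(name: str) -> bool:
    """Rough heuristic (arbitrary threshold) for generated names: six or more
    letters with fewer than one vowel in five. 'jgxsaqlg' (1 vowel of 8) matches;
    'jusched' (2 of 7) does not."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in 'aeiou' for c in letters) / len(letters) < 0.2


def triage_hjt_line(line: str) -> List[str]:
    """Reasons to review one HijackThis line; an empty list means nothing was flagged."""
    reasons: List[str] = []
    m = RUNDLL32_DLL.search(line)
    if line.startswith('O4') and m:
        reasons.append(f'Run key loads a DLL through rundll32: {m.group(1)}')
    m = WINLOGON_NOTIFY.match(line)
    if m:
        reasons.append(f'Winlogon Notify DLL (loaded by winlogon.exe): {m.group(2)}')
        if looks_random(m.group(1)):
            reasons.append(f'random-looking subkey name: {m.group(1)}')
    if line.startswith('O20 - AppInit_DLLs'):
        reasons.append('AppInit_DLLs entry (loaded into every process that uses user32): confirm the publisher')
    if line.startswith('O23') and FILE_MISSING.search(line):
        reasons.append('orphaned service (binary missing)')
    if has_space_before_extension(line):
        reasons.append('executable name carries a space before its extension')
    return reasons


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    flagged: Dict[str, List[str]] = {}
    for ln in lines:
        reasons = triage_hjt_line(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged


if __name__ == '__main__':
    for ln, reasons in triage(SAMPLE_HJT_LINES).items():
        print(ln)
        for r in reasons:
            print('   ->', r)
    for p in SAMPLE_PATHS:
        print(('RENAME ' if has_space_before_extension(p) else 'ok     ') + p)
```

Running it flags the MSDrive, jgxsaqlg, AppInit_DLLs and McAfee lines and leaves the Java updater line alone; the two RENV:: paths are reported for renaming. The AppInit_DLLs hit is a prompt to check the publisher, not a verdict: the entry on this machine belongs to Google Desktop and the reply above does not touch it.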

#3 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 January 2008 - 08:09 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.