Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help Diagnose


  • This topic is locked This topic is locked
24 replies to this topic

#1 dcboston09

dcboston09

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 03:11 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:58 AM, on 6/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldocoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Dell 968 AIO Printer\dldomon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Dell 968 AIO Printer\memcard.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dave Cohne\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [dldomon.exe] "C:\Program Files\Dell 968 AIO Printer\dldomon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell 968 AIO Printer\memcard.exe"
O4 - HKLM\..\Run: [Dell 968 AIO Printer Fax Server] "C:\Program Files\Dell 968 AIO Printer\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: LivePerson Expert Messenger.lnk = C:\Program Files\LivePerson\Expert\LPExpertMessenger.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1226023012171
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldoCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe
O23 - Service: dldo_device - - C:\WINDOWS\system32\dldocoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 11633 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 04:50 AM

Hello dcboston09,

Posted Image

Can you tell what problems you're having? :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 10:47 AM

Thank you for your response. I seem to have some type of browser hijacker. Every time I do a search, and when I click on a link, it brings me to other web pages (in both Firefox and IE). I was also having problems with Firefox itself and Windows Live Mail. There was a warning every time I opened Firefox, but I have since deleted the program and downloaded it again and that problem seems to be fixed. Now when I open Windows Live Mail, it says "Sorry something unexpected happened, Windows live mail must close".

I have run combo fix three times, but it won't fix the problems.

Thanks,
Dave

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 03:37 PM

Hello,

Can you please post the original ComboFix report for me? :thumbup2: That will give me a better idea of what you're dealing with.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 04:54 PM

Thanks Tea.

Here is the log:
_________________________________________________________________________________________________________________________________


ComboFix 09-06-28.01 - Dave Cohne 06/28/2009 23:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1631 [GMT -4:00]
Running from: c:\documents and settings\Dave Cohne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[7] 2008-04-14 12:00 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[7] 2008-04-14 12:00 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\svchost.exe

[7] 2008-04-14 12:00 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[7] 2008-04-14 12:00 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\user32.dll

[7] 2008-04-14 12:00 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[7] 2008-04-14 12:00 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\ws2_32.dll

[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\$hf_mig$\KB969897-IE8\SP3QFE\wininet.dll
[7] 2008-04-14 12:00 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ie7\wininet.dll
[7] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\ie8\wininet.dll
[7] 2009-03-08 08:34 914944 6CE32F7778061CCC5814D5E0F282D369 c:\windows\ie8updates\KB969897-IE8\wininet.dll
[-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\wininet.dll
[-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[7] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3GDR\wininet.dll
[7] 2009-05-13 05:10 915456 C0EB6850C8A02A154281749DC61FAF22 c:\windows\SoftwareDistribution\Download\97fe76a20161cb86e78057600e7c82a0\SP3QFE\wininet.dll
[7] 2008-06-23 16:57 826368 8C13D4A7479FA0A026EDA8ABCE82C0ED c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2GDR\wininet.dll
[7] 2008-06-23 16:01 827904 C66402A06B83B036C195242C0C8CF83C c:\windows\SoftwareDistribution\Download\b4e75dba041bc21ee94fbcfa88cb49de\SP2QFE\wininet.dll
[7] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\system32\wininet.dll
[7] 2009-05-13 05:15 915456 366C72AF6970DB7BB39AB0142BF09DB5 c:\windows\system32\dllcache\wininet.dll

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-14 12:00 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[7] 2008-04-14 12:00 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[7] 2008-04-14 12:00 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\winlogon.exe

[7] 2008-04-14 12:00 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\ndis.sys
[7] 2008-04-14 12:00 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2008-04-14 12:00 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\ip6fw.sys
[7] 2008-04-14 12:00 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-14 12:00 2023936 7F653A89F6E89E3AE0D49830EECE35D4 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-14 12:00 2145280 40F8880122A030A7E9E1FEDEA833B33D c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 12:00 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[7] 2008-04-14 12:00 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 12:00 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[7] 2008-04-14 12:00 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[7] 2008-04-14 12:00 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\lsass.exe

[7] 2008-04-14 12:00 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[7] 2008-04-14 12:00 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe

[7] 2008-04-14 12:00 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[7] 2008-04-14 12:00 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\spoolsv.exe

[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2008-04-14 12:00 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[7] 2008-04-14 12:00 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\userinit.exe

[7] 2008-04-14 12:00 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[7] 2008-04-14 12:00 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\termsrv.dll

[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 12:00 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[7] 2008-04-14 12:00 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[7] 2008-04-14 12:00 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\powrprof.dll

[7] 2008-04-14 12:00 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[7] 2008-04-14 12:00 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\imm32.dll

[7] 2008-04-14 12:00 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
[7] 2008-04-14 12:00 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\sfcfiles.dll

[7] 2008-04-14 12:00 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\appmgmts.dll
[7] 2008-04-14 12:00 167936 D8849F77C0B66226335A59D26CB4EDC6 c:\windows\system32\dllcache\appmgmts.dll

[7] 2008-04-14 12:00 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-07 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-04 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-27 518488]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\Dave Cohne\Start Menu\Programs\Startup\
LivePerson Expert Messenger.lnk - c:\program files\LivePerson\Expert\LPExpertMessenger.exe [2008-9-3 7013376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-04 13:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server


R1 Start1Driver;Start1Driver; [x]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 99568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-06-27 1003344]
R2 Start2Driver;Start2Driver; [x]
R3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\DRIVERS\STK018W2.sys [2005-06-20 99476]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-27 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-05-04 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-04 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-05-04 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-05-04 298776]
S2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe [2007-10-05 595184]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-11-15 84992]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:00]

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-682003330-1417001333-1003.job
- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-07 20:31]

2009-06-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103470 -Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.11)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 00:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruicgwwqgod.sys 69632 bytes executable
c:\docume~1\DAVECO~1\LOCALS~1\Temp\hjgruixvbesmujom.tmp 343040 bytes executable
c:\windows\TEMP\5a89fd8b-4f2c-4d2f-a32a-5f0f4250e1f1.tmp 1325336 bytes
c:\windows\TEMP\e6b1187d-b05f-4110-a1ce-597518b400ad.tmp 16384 bytes executable
c:\windows\TEMP\hjgruicnbgktwvyn.tmp 93 bytes
c:\windows\TEMP\hjgruiqbccpyobte.tmp 93 bytes
c:\windows\TEMP\hjgruiuofnpiinrh.tmp 18944 bytes executable
c:\windows\TEMP\hjgruivmvksmjcti.tmp 18944 bytes executable
c:\windows\TEMP\hjgruiwvicuqsbcn.tmp 19456 bytes executable
c:\windows\system32\hjgruihjbfrujk.dat 93 bytes
c:\windows\system32\hjgruiobxmsjem.dll 18944 bytes executable
c:\windows\system32\hjgruiovrjomug.dll 44032 bytes executable
c:\windows\system32\hjgruisutuhbnb.dat 5560 bytes

scan completed successfully
hidden files: 13

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
"imagepath"="\systemroot\system32\drivers\hjgruicgwwqgod.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5748)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-29 0:12
ComboFix-quarantined-files.txt 2009-06-29 04:12
ComboFix2.txt 2009-01-18 23:53

Pre-Run: 419,832,643,584 bytes free
Post-Run: 420,647,780,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

250 --- E O F --- 2009-06-11 07:03

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 06:22 PM

Hello there,

You're welcome. :)

I see it, and I got it covered. :thumbup2:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\system32\drivers\hjgruicgwwqgod.sys
c:\docume~1\DAVECO~1\LOCALS~1\Temp\hjgruixvbesmujom.tmp
c:\windows\TEMP\5a89fd8b-4f2c-4d2f-a32a-5f0f4250e1f1.tmp
c:\windows\TEMP\e6b1187d-b05f-4110-a1ce-597518b400ad.tmp
c:\windows\TEMP\hjgruicnbgktwvyn.tmp
c:\windows\TEMP\hjgruiqbccpyobte.tmp
c:\windows\TEMP\hjgruiuofnpiinrh.tmp
c:\windows\TEMP\hjgruivmvksmjcti.tmp
c:\windows\TEMP\hjgruiwvicuqsbcn.tmp
c:\windows\system32\hjgruihjbfrujk.dat
c:\windows\system32\hjgruiobxmsjem.dll
c:\windows\system32\hjgruiovrjomug.dll
c:\windows\system32\hjgruisutuhbnb.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]

Driver::
hjgruicgwwqgod


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 09:19 PM

Tea,

Windows Live Mail now works, but I still have the browser hijacker. If I do a Google search, the first link I click on will work, but each new link I try to open diverts to some other site. Here are some of the domains they are being sent to, Overclick, Wackodoo, Searchfeed, Affordable Residential Community, Findetails.info, Advancehealthquotes.com etc...

Is this something HiJackThis can fix?

Thanks again,
Dave

Here is the log from the last ComboFix run (I didn't ask me to reboot):

ComboFix 09-06-28.02 - Dave Cohne 06/29/2009 21:22.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2456 [GMT -4:00]
Running from: c:\documents and settings\Dave Cohne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Cohne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dave Cohne\Application Data\inst.exe
c:\windows\system32\ijwycowa.ini
c:\windows\system32\rlwspyir.ini
c:\windows\system32\ugpnvjab.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 00:33 . 2009-06-30 00:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-29 15:56 . 2009-06-29 15:56 -------- d-----w- c:\program files\Microsoft
2009-06-29 07:58 . 2009-06-29 17:59 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-29 07:58 . 2009-06-29 17:59 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-29 07:53 . 2009-06-29 08:04 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-29 07:53 . 2009-06-29 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-29 07:52 . 2009-06-29 07:52 -------- d-----w- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Downloaded Installations
2009-06-29 07:34 . 2009-06-29 07:37 -------- d-----w- c:\program files\SpywareGuard
2009-06-29 06:34 . 2009-06-05 13:00 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-29 06:34 . 2009-06-05 13:00 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-06-29 06:34 . 2009-06-05 13:00 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-06-29 06:34 . 2009-06-05 13:00 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-29 06:34 . 2009-06-05 13:00 423424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-06-29 06:34 . 2009-06-05 13:00 486680 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-06-29 06:34 . 2009-06-05 13:00 310528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-06-29 06:34 . 2009-06-05 13:00 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-06-29 06:34 . 2009-06-05 13:00 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-06-29 06:34 . 2009-06-05 13:00 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-29 06:02 . 2009-06-30 01:14 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\MalwareRemovalBot
2009-06-29 05:45 . 2009-06-29 06:05 -------- d-----w- c:\program files\Spinach AntiSpyware
2009-06-29 05:38 . 2009-06-29 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 04:25 . 2009-06-29 04:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-29 04:06 . 2009-06-29 05:21 -------- dc----w- c:\windows\system32\dllcache\cache
2009-06-29 03:46 . 2009-06-29 03:47 -------- d-----w- C:\Combo-Fix
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-sh--w- c:\documents and settings\Dave Cohne\IECompatCache
2009-06-28 20:23 . 2009-06-28 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-06-28 20:22 . 2009-06-28 20:24 47360 ----a-w- c:\documents and settings\Dave Cohne\Application Data\pcouffin.sys
2009-06-28 20:22 . 2009-06-28 20:22 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-28 20:22 . 2009-06-28 20:24 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Vso
2009-06-28 20:15 . 2009-06-28 20:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-28 17:28 . 2009-06-28 17:28 -------- d-sh--w- c:\documents and settings\Dave Cohne\PrivacIE
2009-06-28 17:14 . 2009-06-28 17:14 -------- d-sh--w- c:\documents and settings\Dave Cohne\IETldCache
2009-06-28 16:56 . 2009-06-28 16:56 -------- d-----w- c:\windows\ie8updates
2009-06-28 16:54 . 2009-06-28 16:55 -------- dc-h--w- c:\windows\ie8
2009-06-28 16:53 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-28 16:53 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-28 16:53 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-27 01:10 . 2009-06-27 01:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-27 01:01 . 2009-06-27 01:00 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-27 00:59 . 2009-06-27 00:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 00:59 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 17:59 . 2009-06-29 07:58 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-29 17:59 . 2009-06-29 07:58 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-29 15:56 . 2008-11-15 20:31 -------- d-----w- c:\program files\Windows Live
2009-06-29 06:34 . 2008-11-07 01:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 06:34 . 2008-11-07 01:55 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 06:34 . 2008-11-07 01:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 20:32 . 2008-12-03 02:37 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Azureus
2009-06-27 01:00 . 2009-06-27 01:00 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-27 01:00 . 2009-06-27 01:00 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-27 00:59 . 2009-01-17 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-11 14:07 . 2008-11-06 23:28 48408 ----a-w- c:\documents and settings\Dave Cohne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 18:03 . 2009-03-27 15:02 -------- d-----w- c:\program files\MSECACHE
2009-05-22 00:01 . 2008-11-27 19:19 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-22 00:00 . 2008-11-27 19:19 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Corel
2009-05-21 23:34 . 2008-11-27 19:19 88 --sh--r- c:\windows\system32\A0AC65F014.sys
2009-05-20 06:07 . 2008-12-03 02:37 -------- d-----w- c:\program files\Vuze
2009-05-17 18:04 . 2009-05-16 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:10 -------- d-----w- c:\program files\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:11 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-13 19:32 . 2009-05-16 23:10 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-13 05:15 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 07:54 . 2008-11-07 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-07 15:32 . 2008-04-14 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 22:02 . 2008-11-07 03:13 -------- d-----w- c:\program files\Google
2009-05-04 13:05 . 2008-11-07 01:55 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 12:26 . 2008-04-14 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_04.06.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 01:16 . 2009-06-30 01:16 16384 c:\windows\Temp\Perflib_Perfdata_220.dat
+ 2009-06-29 05:38 . 1996-01-12 22:00 24576 c:\windows\system32\STKIT432.DLL
+ 2009-02-06 22:52 . 2009-02-06 22:52 49504 c:\windows\system32\sirenacm.dll
- 2009-02-06 23:52 . 2009-02-06 23:52 49504 c:\windows\system32\sirenacm.dll
+ 2009-06-29 05:21 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-06-29 05:21 . 2008-04-14 12:00 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-06-29 05:21 . 2008-04-14 12:00 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2008-11-06 23:26 . 2009-06-30 01:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 23:26 . 2009-06-30 01:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-06 23:26 . 2009-06-30 01:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-06-29 15:56 . 2009-06-29 15:56 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
- 2009-03-07 03:51 . 2009-03-07 03:51 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-06-29 15:57 . 2009-06-29 15:57 58945 c:\windows\Installer\{63C1109E-D977-49ED-BCE3-D00D0BF187D6}\wlmail.exe
- 2009-03-07 03:52 . 2009-03-07 03:52 58945 c:\windows\Installer\{63C1109E-D977-49ED-BCE3-D00D0BF187D6}\wlmail.exe
- 2009-03-07 03:54 . 2009-03-07 03:54 80395 c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
+ 2009-06-29 15:57 . 2009-06-29 15:57 80395 c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
- 2007-11-07 06:19 . 2007-11-07 06:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 05:19 . 2007-11-07 05:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
- 2007-11-07 06:19 . 2007-11-07 06:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 05:19 . 2007-11-07 05:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 00:23 . 2007-11-07 00:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
- 2007-11-07 01:23 . 2007-11-07 01:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-06-29 05:21 . 2009-05-13 05:15 915456 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-06-29 05:21 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-06-29 05:21 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-06-29 05:21 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-06-29 05:21 . 2008-04-14 12:00 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-06-28 20:15 . 2009-06-30 01:15 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2009-06-28 20:15 . 2009-06-28 20:14 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-29 05:21 . 2008-04-14 12:00 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-06-29 05:21 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-06-29 05:21 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-06-29 05:21 . 2008-04-14 12:00 1033728 c:\windows\system32\dllcache\cache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-07 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\Dave Cohne\Start Menu\Programs\Startup\
LivePerson Expert Messenger.lnk - c:\program files\LivePerson\Expert\LPExpertMessenger.exe [2008-9-3 7013376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 06:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/26/2009 9:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/6/2008 9:55 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/6/2008 9:55 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/6/2008 9:55 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/6/2008 9:55 PM 298776]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [11/6/2008 7:29 PM 84992]
S1 Start1Driver;Start1Driver; [x]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [10/5/2007 9:30 AM 99568]
S2 Start2Driver;Start2Driver; [x]
S3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\drivers\STK018W2.sys [6/20/2005 2:08 PM 99476]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:39]

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-682003330-1417001333-1003.job
- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-07 20:31]

2009-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave Cohne\Application Data\Mozilla\Firefox\Profiles\fqgisx5i.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 21:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruicgwwqgod.sys 69632 bytes executable
c:\windows\TEMP\hjgruibvrwexnskq.tmp 18944 bytes executable
c:\windows\TEMP\hjgruipqkpsrnfac.tmp 93 bytes
c:\windows\system32\hjgruihjbfrujk.dat 93 bytes
c:\windows\system32\hjgruiobxmsjem.dll 18944 bytes executable
c:\windows\system32\hjgruiovrjomug.dll 44032 bytes executable
c:\windows\system32\hjgruisutuhbnb.dat 43761 bytes

scan completed successfully
hidden files: 7

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
"imagepath"="\systemroot\system32\drivers\hjgruicgwwqgod.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruicgwwqgod.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(828)
c:\windows\system32\WININET.dll
.
Completion time: 2009-06-30 21:29
ComboFix-quarantined-files.txt 2009-06-30 01:29
ComboFix2.txt 2009-06-29 17:31
ComboFix3.txt 2009-06-29 06:26
ComboFix4.txt 2009-06-29 05:23
ComboFix5.txt 2009-06-30 01:21

Pre-Run: 420,580,126,720 bytes free
Post-Run: 420,564,434,944 bytes free

282 --- E O F --- 2009-06-11 07:03

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 09:38 PM

Hello,

Yes, we'll get it. For some reason not all the files deleted. Let's try again:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::
File::
c:\windows\system32\drivers\hjgruicgwwqgod.sys
c:\windows\TEMP\hjgruibvrwexnskq.tmp
c:\windows\TEMP\hjgruipqkpsrnfac.tmp
c:\windows\system32\hjgruihjbfrujk.dat
c:\windows\system32\hjgruiobxmsjem.dll
c:\windows\system32\hjgruiovrjomug.dll
c:\windows\system32\hjgruisutuhbnb.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]

Driver::
hjgruicgwwqgod


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 10:11 PM

I'm am still getting my links diverted.

When I ran ComboFix, it asked me if I wanted to update to the newer version and I said yes. Would that have canceled out the text you had me add in? If so, should I try it again with that text?

Thanks,
Dave

Here is the log from the latest ComboFix run:

ComboFix 09-06-29.02 - Dave Cohne 06/29/2009 22:57.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2551 [GMT -4:00]
Running from: c:\documents and settings\Dave Cohne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Cohne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

2009-06-30 02:21 . 2009-06-30 02:21 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Malwarebytes
2009-06-30 02:21 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 02:21 . 2009-06-30 02:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 02:21 . 2009-06-30 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 02:21 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-30 00:33 . 2009-06-30 00:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-29 15:56 . 2009-06-29 15:56 -------- d-----w- c:\program files\Microsoft
2009-06-29 07:58 . 2009-06-29 17:59 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-29 07:58 . 2009-06-29 17:59 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-29 07:53 . 2009-06-29 08:04 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-29 07:53 . 2009-06-29 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-06-29 07:52 . 2009-06-29 07:52 -------- d-----w- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Downloaded Installations
2009-06-29 07:34 . 2009-06-29 07:37 -------- d-----w- c:\program files\SpywareGuard
2009-06-29 06:34 . 2009-06-05 13:00 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-29 06:34 . 2009-06-05 13:00 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-06-29 06:34 . 2009-06-05 13:00 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-06-29 06:34 . 2009-06-05 13:00 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-29 06:34 . 2009-06-05 13:00 423424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-06-29 06:34 . 2009-06-05 13:00 486680 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-06-29 06:34 . 2009-06-05 13:00 310528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-06-29 06:34 . 2009-06-05 13:00 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-06-29 06:34 . 2009-06-05 13:00 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-06-29 06:34 . 2009-06-05 13:00 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-29 06:02 . 2009-06-30 01:14 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\MalwareRemovalBot
2009-06-29 05:45 . 2009-06-29 06:05 -------- d-----w- c:\program files\Spinach AntiSpyware
2009-06-29 05:38 . 2009-06-29 05:44 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 04:25 . 2009-06-29 04:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-29 03:46 . 2009-06-29 03:47 -------- d-----w- C:\Combo-Fix
2009-06-29 02:15 . 2009-06-29 02:15 -------- d-sh--w- c:\documents and settings\Dave Cohne\IECompatCache
2009-06-28 20:23 . 2009-06-28 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-06-28 20:22 . 2009-06-28 20:24 47360 ----a-w- c:\documents and settings\Dave Cohne\Application Data\pcouffin.sys
2009-06-28 20:22 . 2009-06-28 20:22 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-28 20:22 . 2009-06-28 20:24 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Vso
2009-06-28 20:15 . 2009-06-28 20:15 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-28 17:28 . 2009-06-28 17:28 -------- d-sh--w- c:\documents and settings\Dave Cohne\PrivacIE
2009-06-28 17:14 . 2009-06-28 17:14 -------- d-sh--w- c:\documents and settings\Dave Cohne\IETldCache
2009-06-28 16:56 . 2009-06-28 16:56 -------- d-----w- c:\windows\ie8updates
2009-06-28 16:54 . 2009-06-28 16:55 -------- dc-h--w- c:\windows\ie8
2009-06-28 16:53 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-28 16:53 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-28 16:53 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-27 01:10 . 2009-06-27 01:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-27 01:01 . 2009-06-27 01:00 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-27 00:59 . 2009-06-27 00:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 00:59 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 17:59 . 2009-06-29 07:58 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-29 17:59 . 2009-06-29 07:58 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-29 15:56 . 2008-11-15 20:31 -------- d-----w- c:\program files\Windows Live
2009-06-29 06:34 . 2008-11-07 01:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-29 06:34 . 2008-11-07 01:55 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 06:34 . 2008-11-07 01:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-28 20:32 . 2008-12-03 02:37 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Azureus
2009-06-27 01:00 . 2009-06-27 01:00 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-27 01:00 . 2009-06-27 01:00 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-27 00:59 . 2009-01-17 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-11 14:07 . 2008-11-06 23:28 48408 ----a-w- c:\documents and settings\Dave Cohne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-10 18:03 . 2009-03-27 15:02 -------- d-----w- c:\program files\MSECACHE
2009-05-22 00:01 . 2008-11-27 19:19 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-22 00:00 . 2008-11-27 19:19 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Corel
2009-05-21 23:34 . 2008-11-27 19:19 88 --sh--r- c:\windows\system32\A0AC65F014.sys
2009-05-20 06:07 . 2008-12-03 02:37 -------- d-----w- c:\program files\Vuze
2009-05-17 18:04 . 2009-05-16 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:10 -------- d-----w- c:\program files\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:11 -------- d-----w- c:\documents and settings\Dave Cohne\Application Data\Yahoo!
2009-05-16 23:11 . 2009-05-16 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-05-13 19:32 . 2009-05-16 23:10 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-05-13 05:15 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 07:54 . 2008-11-07 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-05-07 15:32 . 2008-04-14 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 22:02 . 2008-11-07 03:13 -------- d-----w- c:\program files\Google
2009-05-04 13:05 . 2008-11-07 01:55 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-17 12:26 . 2008-04-14 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-04-14 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-29_04.06.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-30 02:56 . 2009-06-30 02:56 16384 c:\windows\Temp\Perflib_Perfdata_230.dat
+ 2009-06-29 05:38 . 1996-01-12 22:00 24576 c:\windows\system32\STKIT432.DLL
+ 2009-02-06 22:52 . 2009-02-06 22:52 49504 c:\windows\system32\sirenacm.dll
- 2009-02-06 23:52 . 2009-02-06 23:52 49504 c:\windows\system32\sirenacm.dll
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 23:26 . 2009-06-30 02:55 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-06 23:26 . 2009-06-30 02:55 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-06 23:26 . 2009-06-30 02:55 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-06 23:26 . 2009-06-28 20:14 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-07 03:51 . 2009-03-07 03:51 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
+ 2009-06-29 15:56 . 2009-06-29 15:56 62304 c:\windows\Installer\{F6BD194C-4190-4D73-B1B1-C48C99921BFE}\IconWlc.exe
- 2009-03-07 03:52 . 2009-03-07 03:52 58945 c:\windows\Installer\{63C1109E-D977-49ED-BCE3-D00D0BF187D6}\wlmail.exe
+ 2009-06-29 15:57 . 2009-06-29 15:57 58945 c:\windows\Installer\{63C1109E-D977-49ED-BCE3-D00D0BF187D6}\wlmail.exe
+ 2009-06-29 15:57 . 2009-06-29 15:57 80395 c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
- 2009-03-07 03:54 . 2009-03-07 03:54 80395 c:\windows\Installer\{0AAA9C97-74D4-47CE-B089-0B147EF3553C}\MsblIco.Exe
- 2007-11-07 06:19 . 2007-11-07 06:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 05:19 . 2007-11-07 05:19 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcr90.dll
+ 2007-11-07 05:19 . 2007-11-07 05:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
- 2007-11-07 06:19 . 2007-11-07 06:19 568832 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcp90.dll
+ 2007-11-07 00:23 . 2007-11-07 00:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
- 2007-11-07 01:23 . 2007-11-07 01:23 224768 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\msvcm90.dll
- 2009-06-28 20:15 . 2009-06-28 20:14 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2009-06-28 20:15 . 2009-06-30 02:55 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-07 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\Dave Cohne\Start Menu\Programs\Startup\
LivePerson Expert Messenger.lnk - c:\program files\LivePerson\Expert\LPExpertMessenger.exe [2008-9-3 7013376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 06:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/26/2009 9:01 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/6/2008 9:55 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/6/2008 9:55 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/6/2008 9:55 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/6/2008 9:55 PM 298776]
R2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe -service --> c:\windows\system32\dldocoms.exe -service [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1029456]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [11/6/2008 7:29 PM 84992]
S1 Start1Driver;Start1Driver; [x]
S2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dldoserv.exe [10/5/2007 9:30 AM 99568]
S2 Start2Driver;Start2Driver; [x]
S3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\drivers\STK018W2.sys [6/20/2005 2:08 PM 99476]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:39]

2009-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-682003330-1417001333-1003.job
- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-07 20:31]

2009-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave Cohne\Application Data\Mozilla\Firefox\Profiles\fqgisx5i.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 23:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruicgwwqgod.sys 69632 bytes executable
c:\windows\system32\hjgruicrvjqqft.dll 19456 bytes executable
c:\windows\system32\hjgruiecxnseti.dat 400 bytes
c:\windows\system32\hjgruihjbfrujk.dat 93 bytes
c:\windows\system32\hjgruimjlexxae.dll 44032 bytes executable
c:\windows\system32\hjgruimqwmuqae.dat 315 bytes
c:\windows\system32\hjgruiobxmsjem.dll 18944 bytes executable
c:\windows\system32\hjgruiovrjomug.dll 44032 bytes executable
c:\windows\system32\hjgruisutuhbnb.dat 43761 bytes

scan completed successfully
hidden files: 9

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
"imagepath"="\systemroot\system32\drivers\hjgruicgwwqgod.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruicgwwqgod.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-30 23:05
ComboFix-quarantined-files.txt 2009-06-30 03:05
ComboFix2.txt 2009-06-30 01:29
ComboFix3.txt 2009-06-29 17:31
ComboFix4.txt 2009-06-29 06:26
ComboFix5.txt 2009-06-30 02:45

Pre-Run: 420,567,678,976 bytes free
Post-Run: 420,559,208,448 bytes free

264 --- E O F --- 2009-06-11 07:03

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 10:42 PM

Yes, it might. Let's do this:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Now grab a fresh copy :

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Go ahead and run it and post the report. There is new malware showing up in each log you post, so I want to have the latest when I make the next script for you to use.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 29 June 2009 - 11:25 PM

Here is the latest log. Thanks.

ComboFix 09-06-29.04 - Dave Cohne 06/30/2009 0:02.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2484 [GMT -4:00]
Running from: c:\documents and settings\Dave Cohne\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-07 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\Dave Cohne\Start Menu\Programs\Startup\
LivePerson Expert Messenger.lnk - c:\program files\LivePerson\Expert\LPExpertMessenger.exe [2008-9-3 7013376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 06:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server


R1 Start1Driver;Start1Driver; [x]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 99568]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-06-29 1029456]
R2 Start2Driver;Start2Driver; [x]
R3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\DRIVERS\STK018W2.sys [2005-06-20 99476]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-27 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-06-29 327688]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-04 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-06-29 906520]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-06-29 298776]
S2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe [2007-10-05 595184]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-11-15 84992]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:39]

2009-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-682003330-1417001333-1003.job
- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-07 20:31]

2009-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave Cohne\Application Data\Mozilla\Firefox\Profiles\fqgisx5i.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 00:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruicgwwqgod.sys 69632 bytes executable
c:\windows\TEMP\hjgruicetyecbvpe.tmp 18944 bytes executable
c:\windows\TEMP\hjgruiumhpapuqtc.tmp 93 bytes
c:\windows\system32\hjgruicjlogflr.dll 18944 bytes executable
c:\windows\system32\hjgruicrvjqqft.dll 19456 bytes executable
c:\windows\system32\hjgruiecxnseti.dat 400 bytes
c:\windows\system32\hjgruihjbfrujk.dat 93 bytes
c:\windows\system32\hjgruimjlexxae.dll 44032 bytes executable
c:\windows\system32\hjgruimqwmuqae.dat 13043 bytes
c:\windows\system32\hjgruiobxmsjem.dll 18944 bytes executable
c:\windows\system32\hjgruiovrjomug.dll 44032 bytes executable
c:\windows\system32\hjgruisioyyfdg.dll 44032 bytes executable
c:\windows\system32\hjgruisutuhbnb.dat 43761 bytes
c:\windows\system32\hjgruivhcfytwf.dat 93 bytes

scan completed successfully
hidden files: 14

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
"imagepath"="\systemroot\system32\drivers\hjgruicgwwqgod.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3884)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-30 0:21
ComboFix-quarantined-files.txt 2009-06-30 04:20
ComboFix2.txt 2009-06-30 03:05

Pre-Run: 420,574,924,800 bytes free
Post-Run: 420,564,066,304 bytes free

155 --- E O F --- 2009-06-11 07:03

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 29 June 2009 - 11:32 PM

Hello,

Okay then, let's try this again. :thumbup2:

Make sure you're offline then disable all your protective programs, AdWatch, AVG, etc.......

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

Folder::
c:\documents and settings\Dave Cohne\Application Data\MalwareRemovalBot

File::
c:\windows\system32\drivers\hjgruicgwwqgod.sys
c:\windows\TEMP\hjgruicetyecbvpe.tmp
c:\windows\TEMP\hjgruiumhpapuqtc.tmp
c:\windows\system32\hjgruicjlogflr.dll
c:\windows\system32\hjgruicrvjqqft.dll
c:\windows\system32\hjgruiecxnseti.dat
c:\windows\system32\hjgruihjbfrujk.dat
c:\windows\system32\hjgruimjlexxae.dll
c:\windows\system32\hjgruimqwmuqae.dat
c:\windows\system32\hjgruiobxmsjem.dll
c:\windows\system32\hjgruiovrjomug.dll
c:\windows\system32\hjgruisioyyfdg.dll
c:\windows\system32\hjgruisutuhbnb.dat
c:\windows\system32\hjgruivhcfytwf.dat

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]

Driver::
hjgruicgwwqgod


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea

Edited by teacup61, 29 June 2009 - 11:33 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 30 June 2009 - 12:00 AM

Here is the latest log. Thanks.

ComboFix 09-06-29.04 - Dave Cohne 06/30/2009 0:45.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2279 [GMT -4:00]
Running from: c:\documents and settings\Dave Cohne\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dave Cohne\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2009-06-30_04.15.51 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-17 139264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-07 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-07 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-13 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-29 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-07 136600]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"dldomon.exe"="c:\program files\Dell 968 AIO Printer\dldomon.exe" [2007-10-05 455920]
"MemoryCardManager"="c:\program files\Dell 968 AIO Printer\memcard.exe" [2007-10-05 410864]
"Dell 968 AIO Printer Fax Server"="c:\program files\Dell 968 AIO Printer\fm3032.exe" [2007-10-05 312560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-29 520024]
"Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-03-21 478800]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

c:\documents and settings\Dave Cohne\Start Menu\Programs\Startup\
LivePerson Expert Messenger.lnk - c:\program files\LivePerson\Expert\LPExpertMessenger.exe [2008-9-3 7013376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-29 06:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dldocoms.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldomon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldopswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldotime.exe"=
"c:\\Program Files\\Dell 968 AIO Printer\\dldoaiox.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\dldojswx.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server


R1 Start1Driver;Start1Driver; [x]
R2 dldoCATSCustConnectService;dldoCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\dldoserv.exe [2007-10-05 99568]
R2 Start2Driver;Start2Driver; [x]
R3 DCamUSBSTK018;STK018 Camera;c:\windows\system32\DRIVERS\STK018W2.sys [2005-06-20 99476]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-06-29 1029456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-27 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-06-29 327688]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-05-04 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-06-29 906520]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-06-29 298776]
S2 dldo_device;dldo_device;c:\windows\system32\dldocoms.exe [2007-10-05 595184]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-11-15 84992]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:39]

2009-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-682003330-1417001333-1003.job
- c:\documents and settings\Dave Cohne\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-07 20:31]

2009-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dave Cohne\Application Data\Mozilla\Firefox\Profiles\fqgisx5i.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 00:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruicgwwqgod.sys 69632 bytes executable
c:\windows\system32\hjgruicjlogflr.dll 18944 bytes executable
c:\windows\system32\hjgruicrvjqqft.dll 19456 bytes executable
c:\windows\system32\hjgruiecxnseti.dat 400 bytes
c:\windows\system32\hjgruihjbfrujk.dat 93 bytes
c:\windows\system32\hjgruimjlexxae.dll 44032 bytes executable
c:\windows\system32\hjgruimqwmuqae.dat 13043 bytes
c:\windows\system32\hjgruimttitues.dat 402 bytes
c:\windows\system32\hjgruinbjouqxt.dll 19456 bytes executable
c:\windows\system32\hjgruiobxmsjem.dll 18944 bytes executable
c:\windows\system32\hjgruiovrjomug.dll 44032 bytes executable
c:\windows\system32\hjgruiritnvrxn.dll 44032 bytes executable
c:\windows\system32\hjgruisioyyfdg.dll 44032 bytes executable
c:\windows\system32\hjgruisutuhbnb.dat 43761 bytes
c:\windows\system32\hjgruivhcfytwf.dat 93 bytes

scan completed successfully
hidden files: 15

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
"imagepath"="\systemroot\system32\drivers\hjgruicgwwqgod.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruitxslbppk]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\hjgruicgwwqgod.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PSIService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-06-30 0:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 04:58
ComboFix2.txt 2009-06-30 04:21
ComboFix3.txt 2009-06-30 03:05

Pre-Run: 420,573,601,792 bytes free
Post-Run: 420,561,846,272 bytes free

188 --- E O F --- 2009-06-11 07:03

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:21 AM

Posted 30 June 2009 - 12:05 AM

Did you copy everything in the quote box and use Notepad? :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 dcboston09

dcboston09
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:07:21 AM

Posted 30 June 2009 - 12:06 AM

Yes, I did. Should I try it again?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users