Hi,
Computer seems to be going slower. I did a Trojan Remover scan and got rid of a few things, and then did Malwarebytes, and removed a few things. HijackThis shows 2 new things that I cannot remove; both have "tjgdenn.dll" in them.
Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:00 AM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {339A8F60-24AF-46E6-8940-D048F485C97E} - c:\windows\system32\tjgdenn.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O20 - Winlogon Notify: zromlaro - C:\WINDOWS\SYSTEM32\tjgdenn.dll
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 1456 bytes


will check back before work, and then after work.
As always thanks for your help.
George

Last Post by crunchie

What have you already fixed with hijackthis? Open hijackthis and go to the backups section. Select all entries and then select 'restore.'
Reboot your machine and rescan with hijackthis and post the log.

Posting the MBA-M log works for me too.

What have you already fixed with hijackthis? Open hijackthis and go to the backups section. Select all entries and then select 'restore.'
Reboot your machine and rescan with hijackthis and post the log.

Posting the MBA-M log works for me too.

Where is the backup section? Or the MBA-M log? Will try to locate.
When I left for work this morning, I left Vipre antivirus running on a full, deep system scan... thanks
George

here's the Malwarebytes logfile from today:

Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 2

4/30/2009 6:10:42 AM
mbam-log-2009-04-30 (06-10-42).txt

Scan type: Quick Scan
Objects scanned: 116224
Time elapsed: 6 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.


and here is the latest HijackThis one after running Vipre antivirus, rebooting, and doing the Microsoft antispyware program:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:16:31 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {339A8F60-24AF-46E6-8940-D048F485C97E} - c:\windows\system32\tjgdenn.dll
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O20 - Winlogon Notify: zromlaro - C:\WINDOWS\SYSTEM32\tjgdenn.dll
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

--
End of file - 1505 bytes

As soon as you start hijackthis there are a list of options. The 'View the list of backups' is the third one down.

I suggest you change all your online passwords too.

I had ComboFix so ran a scan; here are the results for this. Do you still want me to restore today's HijackThis stuff and post?

ComboFix 09-04-30.02 - George 04/30/2009 16:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.528 [GMT -5:00]
Running from: c:\documents and settings\George.GEORGE-6JXTPIR4\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dl32.exe
c:\windows\system32\kixslvgl.dll . . . . failed to delete
c:\windows\system32\tjgdenn.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Legacy_VQFVHDHQ
-------\Service_vqfvhdhq


((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))
.

2009-04-30 14:27 . 2009-04-30 14:27 -------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\qpwwpmjf
2009-04-30 14:27 . 2009-04-30 14:27 -------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Local Settings\Application Data\qpwwpmjf
2009-04-30 14:19 . 2009-04-30 14:19 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY.000\Application Data\qpwwpmjf
2009-04-30 14:19 . 2009-04-30 14:19 -------- d-----w c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\qpwwpmjf
2009-04-30 10:43 . 2009-04-30 10:43 558080 ----a-w c:\windows\system32\sdra64.exe.vir
2009-04-30 10:41 . 2009-04-30 10:41 14336 ----a-w c:\windows\ld08.exe.vir
2009-04-27 01:24 . 2009-03-05 04:30 69936 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-04-27 01:24 . 2008-09-12 14:38 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-04-27 00:48 . 2009-04-27 00:48 -------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Sunbelt Software
2009-04-27 00:21 . 2009-04-27 00:21 -------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\Sunbelt
2009-04-27 00:19 . 2008-10-09 14:48 202928 ----a-w c:\windows\system32\drivers\sbtis.sys
2009-04-21 21:07 . 2009-04-30 10:27 -------- d-----w c:\documents and settings\George.GEORGE-6JXTPIR4\Application Data\DVD Flick

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 21:30 . 2006-02-28 12:00 143872 ----a-w c:\windows\system32\kixslvgl.dll
2009-04-30 21:29 . 2006-02-28 12:00 103424 ----a-w c:\windows\system32\vlmzoiu.dll
2009-04-28 22:45 . 2008-05-26 22:18 -------- d-----w c:\program files\Trojan Remover
2009-04-27 03:02 . 2007-07-31 01:19 -------- d-----w c:\program files\CCleaner
2009-04-21 21:05 . 2009-01-15 02:21 -------- d-----w c:\program files\DVD Flick
2009-04-18 17:59 . 2008-07-27 21:48 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-14 12:37 . 2008-11-09 05:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 20:32 . 2008-11-09 05:00 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2008-11-09 05:00 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-27 23:02 . 2009-03-14 15:16 -------- d-----w c:\program files\Coupons
2009-03-17 18:26 . 2009-03-17 18:26 65320 ----a-w c:\windows\system32\sbbd.exe
2009-03-16 12:24 . 2007-09-28 14:26 16992 ----a-w c:\documents and settings\George.GEORGE-6JXTPIR4\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 12:58 . 2009-03-08 12:52 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-07 21:46 . 2009-03-07 21:46 -------- d-----w c:\program files\Matrox Graphics Inc
2009-03-07 19:07 . 2008-12-05 04:06 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-25 13:37 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-02-25 13:32 . 2007-09-20 23:10 22748 ----a-w c:\windows\system32\emptyregdb.dat
2009-02-25 11:12 . 2009-02-23 22:02 81984 ----a-w c:\windows\system32\bdod.bin
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 19:00 . 2009-03-07 21:44 273920 ----a-w c:\windows\system32\MtxCIP2.dll
2009-02-06 18:19 . 2004-09-14 14:36 350592 ----a-w c:\windows\system32\drivers\g400dhm.sys
2009-02-06 18:19 . 2004-09-14 14:35 2399872 ----a-w c:\windows\system32\g400dhd.dll
2008-10-27 15:37 . 2008-10-27 15:37 699488 ----a-w c:\program files\JUN2007_d3dx10_34_x86.cab
2008-10-27 15:36 . 2008-10-27 15:36 526160 ----a-w c:\program files\DXSETUP.exe
2008-02-04 17:02 . 2008-02-15 14:29 228207 ----a-w c:\program files\address book.WAB
2008-02-03 18:48 . 2007-11-27 23:50 54784 --sha-w c:\program files\Thumbs.db
2007-08-01 21:12 . 2007-08-01 21:12 1156096 ----a-w c:\program files\iview400_setup.exe
2009-01-02 00:01 . 2009-01-02 00:01 23 --sha-w c:\windows\system32\afdbbfcaebd_z.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{339A8F60-24AF-46E6-8940-D048F485C97E}]
2006-02-28 12:00 103424 ----a-w c:\windows\system32\tjgdenn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-03-17 955688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\DRIVERS\StarPortLite.sys [2008-08-20 93544]
R1 streamm;streamm; [x]
R3 Arrakis3;Arrakis3; [x]
R3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]
R3 SBRE;SBRE;c:\windows\System32\drivers\SBREdrv.sys [2008-10-22 92464]
R3 UtilNT;UtilNT;c:\windows\system32\drivers\UtilNT.sys [2000-04-17 5533]
R4 FreeAgentGoNext Service;Seagate Service;h:\sync\FreeAgentService.exe [2008-07-30 161064]
R4 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2009-02-06 1263872]
R4 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2009-02-06 344832]
S0 avgntmgr;avgntmgr;c:\windows\SYSTEM32\DRIVERS\avgntmgr.sys [2008-01-21 22336]
S0 fcftuqal;fcftuqal;c:\windows\system32\drivers\fcftuqal.sys [2006-02-28 23424]
S1 avgntdd;avgntdd;c:\windows\system32\DRIVERS\avgntdd.sys [2008-05-09 45376]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-09-12 13360]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-10-09 202928]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [2009-03-17 894248]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-03-05 69936]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://excite.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\tjgdenn.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} 0 bytes hidden from API

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(148)
c:\program files\Sunbelt Software\VIPRE\oehook.dll
.
Completion time: 2009-04-30 16:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 21:40
ComboFix2.txt 2008-12-05 03:53

Pre-Run: 14,932,271,104 bytes free
Post-Run: 14,997,532,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

146 --- E O F --- 2009-03-14 00:24

Well, that's really good, but not what I asked you to do.

Sorry, but I do not have time for people who come for help and then do their own thing.
