0

Hi, I'm sorry to just join and ask, but this was the only place I could think of that could possibly help! I've got this strange trojan on my laptop and it's re-spawning everytime AVG moves it or heals it. It's a BackDoor.Generic11.ZNE and the file is c:\Windows\System32\hjgruimimnkj.dll. I'm running the process I can that are in the sticky, but I'm downloading them to a flash drive on this pc and running them on the laptop, so it's taking awhile (this connection is awful).

AVG will move the file, but it just pops back up or it'll abort AVG's healing ("Process aborted by user"). I've disconnected the laptop from the internet, no idea if that helps. Could system restore do anything? Searching for the file manually brings up nothing, but AVG is still showing it.

A google search for BackDoor.Generic11.ZNE brings up almost nothing, but the entries are all recently dated or foreign so I'm thinking this is a new one. I'll edit with those logs as soon as I can.

4
Contributors
11
Replies
12
Views
8 Years
Discussion Span
Last Post by Mustang94
0

Quick update if it helps: It's disabled the USB ports. They'll recognize for a second, the trojan starts a process, and they shut down.

It froze MalwareBytes completely, but I can see it's found infected files, 6 of them. Windows Malware kit didn't detect anything though. I tried to get the HijackThis Uninstall Log, but everytime I turn the internet connection back on, AVG goes crazy, showing the trojan either starting new processes or being accessed. Online scans won't run (saying I don't have permission).

System is a 32-bit Vista Ultimate if it helps. Really have no idea what to do. Another forum recommended running MalwareBytes, but whatever this is seems to be freezing it. I still can't find the file though. All hidden files are visible, but it isn't where AVG says it is.

0

same problem, resists removal by spybot s&d,
and avg, running vista home premium

0

Here's the log:

Process list saved on 10:52:19 PM, on 7/4/2009
Platform: WinNT 6.00.1905 SP1

[pid] [full path to filename] [file version] [company name]
3560 C:\Windows\system32\taskeng.exe 6.0.6001.18000 Microsoft Corporation
3764 C:\Windows\system32\Dwm.exe 6.0.6001.18000 Microsoft Corporation
4088 C:\Windows\Explorer.EXE 6.0.6001.18164 Microsoft Corporation
3272 C:\Program Files\Windows Defender\MSASCui.exe 1.1.1600.0 Microsoft Corporation
2612 C:\Windows\RtHDVCpl.exe 1.0.0.32 Realtek Semiconductor
836 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe 7.0.1.7 TOSHIBA CORPORATION
1920 C:\Program Files\Toshiba\Power Saver\TPwrMain.exe 1.0.0.1 TOSHIBA Corporation
3576 C:\Program Files\Toshiba\SmoothView\SmoothView.exe 3.0.0.5 TOSHIBA Corporation
3492 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe 2.0.0.22 Brother Industries, Ltd.
3732 C:\Windows\WindowsMobile\wmdc.exe 6.1.6965.0 Microsoft Corporation
3920 C:\Program Files\Zune\ZuneLauncher.exe 3.1.620.0 Microsoft Corporation
2140 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe 8.1.3.187 Adobe Systems Inc.
896 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 10.1.8.0 Synaptics, Inc.
2644 C:\Program Files\AVG\AVG8\avgtray.exe 8.5.0.354 AVG Technologies CZ, s.r.o.
2792 C:\Windows\system32\wbem\unsecapp.exe 6.0.6001.18000 Microsoft Corporation
2896 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe 2.0.0.2 TOSHIBA
3028 C:\Windows\ehome\ehtray.exe 6.0.6001.18000 Microsoft Corporation
2652 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe 3.1.9.9 Brother Industries, Ltd.
3420 C:\Windows\ehome\ehmsas.exe 6.0.6001.18000 Microsoft Corporation
2720 C:\Windows\System32\rundll32.exe 6.0.6000.16386 Microsoft Corporation
852 C:\Program Files\Brother\Brmfcmon\BrMfimon.exe 2.0.0.2 Brother Industries, Ltd.
4028 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe 7.0.1.7 TOSHIBA CORPORATION
2400 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe 10.1.8.0 Synaptics, Inc.
232 C:\Program Files\AVG\AVG8\avgcsrvx.exe 8.5.0.300 AVG Technologies CZ, s.r.o.
4180 C:\Users\****\Desktop\ibprocman\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.

And here's an update:
I managed to get the USB ports to work, they've since crashed again. I now have access to Hijack This, SuperANTIspyware, ATF-Cleaner, and CCleaner on top of Windows Malicious Removal, MalwareBytes Malware Scanner, and an AVG Install file. After MalwareBytes crashed, I rebooted in Safe Mode, uninstalled AVG and ran MalwareBytes. It detected 6 (or 7?) items, a trojan (install.exe) and some tracking cookies. I let MalwareBytes fix it, rebooted and Windows loaded strangely. It loaded, but it couldn't find my desktop, the files were in the Desktop folder, but not on my desktop. I decide that's fine, USBs are working, and reinstall AVG. AVG detects file again (BTW: I had the spelling wrong if it helps, it's hjgruimimnbxbb.dll), I run ATF then SuperANTIspyware. It finds a new trojan (TSKMAN.exe), fixes it and reboots. Windows doesn't load. At all. Says it can't load, something's been changed. I go to Windows help site, and it can no longer verify my system in genuine. I had to manually power off, restart in Safe Mode. Got super frustrated and ran System Restore. "Disks failed" during restore and it loads up (desktop is back now, but all the icons are huge in normal mode). I run CCleaner 4 times. Removing EVERYTHING each time (both internet files and registry). Reboot. Ran Itty Bitty Process Manager and am at a roadblock again. AVG Resident Shield says file is still there. I am so frustrated now, nothing seems to be working.

This is like the Trojan of Doom, my system ran perfectly until last night. This all started from a zip file my sister sent me. It was an IP cloaking program, she unzipped it and said it worked. I installed, worked fine, but the file came with a keygen. I had the program before and used my serial number, but AVG said the keygen file was a threat and healed it, then Blue Screen happened, I rebooted, ran an AVG scan, everything checked out, then Resident Shield popped up with this trojan. I'm at a complete loss. I've had 3 viruses in 10 years of computing, so this is really foreign territory for me.

0

itty bitty is not showing anything bad. If you can run hijackthis, go to the misc tools section and open the process manager. Select the option to show dll's and then next to that click on the save icon.
Post that list back here please.
Do you know the full path (correctly spelled) of that file you noted? Post it here if you do.

0

This is long, sorry! But here's that log:
Process list saved on 11:36:45 PM, on 7/4/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)

[pid] [full path to filename] [file version] [company name]
3560 C:\Windows\system32\taskeng.exe 6.0.6001.18000 Microsoft Corporation
3764 C:\Windows\system32\Dwm.exe 6.0.6001.18000 Microsoft Corporation
4088 C:\Windows\Explorer.EXE 6.0.6001.18164 Microsoft Corporation
3272 C:\Program Files\Windows Defender\MSASCui.exe 1.1.1600.0 Microsoft Corporation
2612 C:\Windows\RtHDVCpl.exe 1.0.0.32 Realtek Semiconductor
836 C:\Program Files\Toshiba\ConfigFree\NDSTray.exe 7.0.1.7 TOSHIBA CORPORATION
1920 C:\Program Files\Toshiba\Power Saver\TPwrMain.exe 1.0.0.1 TOSHIBA Corporation
3576 C:\Program Files\Toshiba\SmoothView\SmoothView.exe 3.0.0.5 TOSHIBA Corporation
3492 C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe 2.0.0.22 Brother Industries, Ltd.
3732 C:\Windows\WindowsMobile\wmdc.exe 6.1.6965.0 Microsoft Corporation
3920 C:\Program Files\Zune\ZuneLauncher.exe 3.1.620.0 Microsoft Corporation
2140 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe 8.1.3.187 Adobe Systems Inc.
896 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe 10.1.8.0 Synaptics, Inc.
2644 C:\Program Files\AVG\AVG8\avgtray.exe 8.5.0.354 AVG Technologies CZ, s.r.o.
2792 C:\Windows\system32\wbem\unsecapp.exe 6.0.6001.18000 Microsoft Corporation
2896 C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe 2.0.0.2 TOSHIBA
3028 C:\Windows\ehome\ehtray.exe 6.0.6001.18000 Microsoft Corporation
2652 C:\Program Files\Brother\ControlCenter3\brccMCtl.exe 3.1.9.9 Brother Industries, Ltd.
3420 C:\Windows\ehome\ehmsas.exe 6.0.6001.18000 Microsoft Corporation
2720 C:\Windows\System32\rundll32.exe 6.0.6000.16386 Microsoft Corporation
852 C:\Program Files\Brother\Brmfcmon\BrMfimon.exe 2.0.0.2 Brother Industries, Ltd.
4028 C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe 7.0.1.7 TOSHIBA CORPORATION
2400 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe 10.1.8.0 Synaptics, Inc.
232 C:\Program Files\AVG\AVG8\avgcsrvx.exe 8.5.0.300 AVG Technologies CZ, s.r.o.
5000 C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe 6.0.6001.18000 Microsoft Corporation
4100 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18702 Microsoft Corporation
5952 C:\Program Files\Internet Explorer\iexplore.exe 8.0.6001.18702 Microsoft Corporation
4116 C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe 10.0.22.87 Adobe Systems, Inc.
5612 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.
4472 C:\Windows\system32\SearchFilterHost.exe 7.0.6001.16503 Microsoft Corporation


DLLs loaded by process C:\Windows\system32\taskeng.exe:

[full path to filename] [file version] [company name]
C:\Windows\system32\ntdll.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\kernel32.dll 6.0.6001.18215 Microsoft Corporation
C:\Windows\system32\ADVAPI32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\RPCRT4.dll 6.0.6001.18247 Microsoft Corporation
C:\Windows\system32\USER32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\GDI32.dll 6.0.6001.18159 Microsoft Corporation
C:\Windows\system32\msvcrt.dll 7.0.6001.18000 Microsoft Corporation
C:\Windows\system32\SHELL32.dll 6.0.6001.18167 Microsoft Corporation
C:\Windows\system32\SHLWAPI.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\ole32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\OLEAUT32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\Secur32.dll 6.0.6001.18215 Microsoft Corporation
C:\Windows\system32\XmlLite.dll 1.2.1009.0 Microsoft Corporation
C:\Windows\system32\MPR.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\IMM32.DLL 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\MSCTF.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\LPK.DLL 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\USP10.dll 1.626.6001.18000 Microsoft Corporation
C:\Windows\system32\avgrsstx.dll 8.5.0.317 AVG Technologies CZ, s.r.o.
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdbaa5a083979cc\comctl32.dll 6.10.6001.18000 Microsoft Corporation
C:\Windows\system32\rsaenh.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\CLBCatQ.DLL 2001.12.6931.18000 Microsoft Corporation
C:\Windows\system32\tschannel.dll 6.0.6000.16386 Microsoft Corporation
C:\Windows\System32\HotStartUserAgent.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\slc.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\MsCtfMonitor.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\MSUTB.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\dwmapi.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\WTSAPI32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\PlaySndSrv.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\WINMM.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\OLEACC.dll 4.2.5406.0 Microsoft Corporation
C:\Windows\system32\uxtheme.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\wdmaud.drv 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\ksuser.dll 6.0.6000.16386 Microsoft Corporation
C:\Windows\system32\MMDevAPI.DLL 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\AVRT.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\SETUPAPI.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\WINTRUST.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\CRYPT32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\MSASN1.dll 6.0.6000.16386 Microsoft Corporation
C:\Windows\system32\USERENV.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\imagehlp.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\AUDIOSES.DLL 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\audioeng.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\PSAPI.DLL 6.0.6000.16386 Microsoft Corporation
C:\Windows\system32\msacm32.drv 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\MSACM32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\midimap.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\QAgent.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\fwpuclnt.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\QUtil.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\System32\wevtapi.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\WS2_32.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\NSI.dll 6.0.6001.18000 Microsoft Corporation
C:\Windows\system32\apphelp.dll 6.0.6001.18000 Microsoft Corporation


The file AVG is freaking out about is: C:\Windows\System32\hjgruimimnbbxb.dll
A new threat (by that name) pops up on Resident Shield everytime I do something. Like I opened notepad to type this and this is the entry on Resident Shield:
[File][Infection][Result]
C:\Windows\System32\hjgruimimnbbxb.dll --- Trojan horse BackDoor.Generic.ZNE --- Infected

Clicking on the entry brings up this:
Process name: C:\Windows\System32\notepad.exe
Process ID: 4140
Detected on open.

This happens everytime I do anything, so there will be 20-30, all the same entry on Resident Shield, but different info when I click on them. So I highlight the entry and click "Remove all unhealed infections". It acts like it's going to delete/move it, then it pops up:
Not all infections can be healed
Process interrupted by user.

For each entry. So I click 'Remove threat as Power User' and it moves them, then at least 5 more spawn, and the process (on clicking on them) is whatever I'm doing at the time. Like AVG.
The 2 confusing ones are:

Process Name: C:\Windows\System32\dllhost.exe
Process ID: 5680 and

and

Process Name: C:\Windows\System32\consent.exe
Process ID: 5456

consent.exe always spawn first, either when AVG first boots up or when they're all moved out and they re-spawn.

0

Download Avenger by Swandog and unzip it to your Desktop.

Note: This program must be run from an account with Administrator privileges.


[*]Open the Avenger folder and double click Avenger.exe to launch the programme.
[*]Copy the text in the code box below and Paste it into the Input script here: box.

Files to delete:
C:\Windows\System32\hjgruimimnbbxb.dll
  • Note: the above code was created specifically for this user. If you are not this user, do

NOT follow these directions as they could damage the workings of your system.


[*]Ensure the following:

  • Scan for Rootkits is checked.
  • Automatically disable any rootkits found is Unchecked.

[*]Press the Execute key.
[*]Avenger will now process the script you've pasted (this may involve more than one re-boot), when finished it will produce a log file.
[*]Post the log back here please. (it can also be found at C:\avenger.txt)


==


Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and then go to the format Tab and make sure that wordwrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Here's the Avenger Log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not delete file "C:\Windows\System32\hjgruimimnbbxb.dll"
Deletion of file "C:\Windows\System32\hjgruimimnbbxb.dll" failed!
Status: 0xc0000156


Completed script processing.

*******************

Finished! Terminate.


And the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:14 PM, on 7/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [DSKEY] C:\Windows\System32\DsKey.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\Windows\System32\IcdSptSv.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: Task Manager Lite - Unknown owner - C:\Windows\System32\TSKMAN.exe (file missing)
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\Windows\System32\Drivers\WTSRV.EXE

--
End of file - 11303 bytes


AVG still says the file is there. I had task manager opened and occasionally it'll start those consent.exe/dll.exe process again, they'll show up for a split second, then Resident Shield pops up. However, I have turned off Resident Shield for every scan I've done, and they can't find it. Microsoft, SuperAntiSpyware, AVG, MalwareBytes.

I know you didn't ask fo this, but I just looked at the MalwareBytes log and there are these entries for infected files. It kinda looks like it deleted my ability to system restore.

Scan 1
Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.
C:\install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Scan 2

Files Infected:
c:\Users\****\AppData\Local\Temp\nypibqvemw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Users\****\AppData\Local\Temp\SetupSearch.exe (Trojan.TDSS) -> Quarantined and deleted successfully.

Scan 3

Files Infected:
c:\Users\****\AppData\Local\Temp\nypibqvemw.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Users\****\AppData\Local\Temp\SetupSearch.exe (Trojan.TDSS) -> Quarantined and deleted successfully.

Edit
A new one just popped up on Resident Shield, C:\Windows\Temp\hjgruiqvayluoijv.tmp. Again, a manual search brings up nothing, but AVG needs me to reboot to remove it.

0

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Do nothing other than the above.

0

Thank you so much for all your help, but I ended up giving up and wiping my computer completely and reinstalling my OS from my discs. I left my computer unattended for 2 hours and ended up with over 800 entries on ResidentShield as the file (C:\Windows\System32\hjgruimimnbbxb.dll) kept trying to get consent to do something.

Sorry I couldn't keep going to find a solution to this for others, but again, thanks for helping!

0

I too have fought this and I have won.

Using msconfig, safemode, command prompt to remove some and then Trojan Remover ( http://www.simplysup.com/ ) which I was unsure of at first, last thing I want to do is load another rogue program - but it works great for this.

I had also loaded spybot before Trojan Remover and already had malwarebytes on the computer. Had to run Trojan Remover a couple of times.

Then I ran spybot and malwarebytes. I am now doing a full scan with avg - I think I have clean computer again.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.