Monkey D. Luffy

Members

Posts: 19
Reputation: 0 Neutral
Birthday: 08/20/1990
  1. Really no offense to the original guy who was helping me, I thank him very much for his assistance, but I need immediate help with this problem. Family computer it might be, but it has very important (business) files on it and reformatting is not viable. And I need to fix this as soon as possible, and it's been 4 days.
  2. You still with me, sir sjpritch25? Unfortunately it doesn't seem like our schedules sync. I await your return patiently, however, and I continue to do my own digging out of manic fear. Of course. I'm darn sure it was fixed before, but as soon as I opened IE it got slow and returned. I've installed Avira AntiVir and have the guard on now. Nothing's getting back on here once I've nuked it from this point on. I'm 99% sure the files causing this are the hidden hjgruixeyoayxy files in the registry and the Windows directory. I mean, even ComboFix detects several "hjgruixeyoayxy" files in /system32 and /windows, even a .sys file, that are very obviously nasties, but it doesn't do anything about them. And I have absolutely no idea how to make one of those drag-and-drop text documents for it to do so. I swear, when I get clean again I'm installing every single antivirus and malware remover out there.
  3. Sorry for so many posts by me, but I ran ComboFix and attached my log. Yeah, I know, I'm told (like everyone else) never to run ComboFix unless asked, but I got really desperate, and it worked for me in the past. I think it fixed my problem completely. log.txt
  4. I ran RootkitRevealer and found two suspicious entries:

     HKLM\SYSTEM\ControlSet001\Services\hjgruixeyoayxy 6/29/2009 8:38 PM 0 bytes Hidden from Windows API.
     HKLM\SYSTEM\ControlSet003\Services\hjgruixeyoayxy 6/29/2009 8:38 PM 0 bytes Hidden from Windows API.

     No clue what to do with them though.
  5. I ran the kaspersky online scanner and found nothing. Should I just reformat? I really really don't want to, but this thing seems invincible.
  6. Full MBAM scan came up with nothing. Starting to get slightly aggravated and slightly worried.
  7. Again, I speak too soon. Massive apologies. Logs attached. DDS.txt Attach.txt
  8. Malwarebytes' Anti-Malware 1.38
     Database version: 2347
     Windows 5.1.2600 Service Pack 1

     6/28/2009 11:19:52 PM
     mbam-log-2009-06-28 (23-19-52).txt

     Scan type: Quick Scan
     Objects scanned: 102321
     Time elapsed: 14 minute(s), 21 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     I removed stuff earlier though:

     Malwarebytes' Anti-Malware 1.38
     Database version: 2347
     Windows 5.1.2600 Service Pack 1

     6/28/2009 8:38:16 PM
     mbam-log-2009-06-28 (20-38-16).txt

     Scan type: Quick Scan
     Objects scanned: 102091
     Time elapsed: 15 minute(s), 22 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 1
     Registry Data Items Infected: 0
     Folders Infected: 2
     Files Infected: 6

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17487034 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     C:\Documents and Settings\All Users\Application Data\17487034 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
     c:\documents and settings\Owner\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

     Files Infected:
     c:\documents and settings\all users\application data\17487034\17487034.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
     c:\documents and settings\all users\application data\17487034\17487034.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
     c:\documents and settings\all users\application data\17487034\pc17487034cnf (Rogue.Multiple.H) -> Quarantined and deleted successfully.
     c:\documents and settings\all users\application data\17487034\pc17487034ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
     c:\documents and settings\Owner\start menu\Programs\system security\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
     c:\documents and settings\Owner\Desktop\System Security 2009.lnk (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

     Sorry, but the DDS program isn't running. I've waited for well over 10 minutes and it does nothing. There is absolutely nothing on my computer that should be blocking it, and having double-checked I can confirm there is nothing.
  9. Never mind, bros. I spoke too soon. It's back. I've already used a full scan in Spybot to destroy it once 2 days ago (which admittedly deleted 2 trojans and some infected files and folders), but they weren't present this time. So, agh.

     GooredFix v1.92 by jpshortstuff
     Log created at 22:43 on 28/06/2009 running Option #1 (Owner)
     Firefox version 2.0.0.20 (en-US)

     =====Suspect Goored Entries=====

     =====Dumping Registry Values=====

     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
     "Plugins"="C:\Program Files\Mozilla Firefox3\plugins"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
     "Components"="C:\Program Files\Mozilla Firefox3\components"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
     "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
     "Components"="C:\Program Files\Mozilla Firefox\components"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
     "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
  10. Err... you can lock this thread, guys, I fixed it. A full scan with Spybot destroyed it, but Spybot kept crashing before, hence my hastiness in posting this here. Oddly enough it only removed tracking cookies, but the problem is gone. Can tracking cookies really screw around with your search engines and redirect them? Huh.
  11. I ran CWShredder and even though it found one instance of CWS.MSConfig, removing did not fix my problem.
  12. The hijacker is affecting both IE and Firefox. It seems to do absolutely nothing except make links clicked on Google redirect to some ridiculous crap 90% of the time. I'm absolutely stumped as to what's causing it, or what it is. I've run MBAM's quick scan twice and found nothing, and I'm in the middle of a full scan right now. Here's my latest HJT log, which I've removed some stuff from already (::1 localhost in HOSTS, for example):

     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 12:22:47 AM, on 6/28/2009
     Platform: Windows XP SP1 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\HP\KBD\KBD.EXE
     C:\windows\system\hpsysdrv.exe
     C:\WINDOWS\System32\hkcmd.exe
     C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     C:\WINDOWS\System32\HPZipm12.exe
     C:\Program Files\NEXXTECH ULTIMATE\Mouse\Nmoumain.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\ZVolume Pro\ZVolume.exe
     C:\Program Files\WiFiConnector\NintendoWFCReg.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\Aime\aim.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
     C:\Program Files\Mozilla Firefox\firefox.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
     O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
     O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
     O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
     O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
     O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
     O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
     O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
     O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Keyboard Mouse Tool\mouse32a.exe
     O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
     O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
     O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
     O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
     O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
     O4 - HKLM\..\Run: [NewmentechMouse] C:\Program Files\NEXXTECH ULTIMATE\Mouse\Nmoumain.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
     O4 - HKCU\..\Run: [ZVolume] C:\Program Files\ZVolume Pro\ZVolume.exe
     O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
     O4 - HKUS\S-1-5-21-2695072642-2241937895-2317538923-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Administrator')
     O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
     O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
     O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
     O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
     O8 - Extra context menu item: Save Flash By FlashFavorite - res://C:\PROGRA~1\FLASHF~1\FFCom.dll/IeMenu.htm
     O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
     O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
     O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
     O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
     O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
     O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
     O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
     O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
     O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aime\aim.exe
     O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
     O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
     O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
     O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
     O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1245748206421
     O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1245748162046
     O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
     O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
     O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

     --
     End of file - 8234 bytes
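One way to triage a HijackThis log like the one in item 12, as an added example that is not code from the thread, from HijackThis or from Malwarebytes: the script groups entries by their tag and flags the ones a helper would ask about first. The sample log is constructed from lines in the post plus one Run entry reconstructed from the 17487034 findings in the Malwarebytes log in item 8; the heuristics (autostart from a user-writable directory, a purely numeric Run value name, repeated "Unknown file" LSP entries, a service with no publisher string) are the author's assumptions about what merits a second look, not HJT's own verdicts.

```python
"""Triage a HijackThis (HJT) 2.0 log: group entries by their tag (R0, O4, O10, ...)
and flag the ones a malware-removal helper would ask about first.

Added example for this thread; it is not code from HijackThis, Malwarebytes or
the poster. The heuristics below are the author's assumptions about what is
worth a second look, not a verdict that an entry is malicious.
"""
import re
from collections import Counter, defaultdict

# Every HJT entry starts with a tag ("R0", "O4", "O23", ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<tag>R\d|O\d+) - (?P<body>.*)$")
# O4 autostart entries: ...\Run: [ValueName] command line
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O10 Winsock LSP entries that HJT could not match against its own list
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<dll>.+)$")
# O23 services: Service: Display name - Company - path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories a user can write to without admin rights on XP. Installers put
# autostart binaries under Program Files or Windows; malware often does not.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample: real lines from the post plus one Run entry (17487034)
# reconstructed from the Malwarebytes findings in item 8 of this list.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP1 (WinNT 5.01.2600)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [17487034] C:\Documents and Settings\All Users\Application Data\17487034\17487034.exe
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10406.dll
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_hjt(text):
    """Return {tag: [body, ...]}, keeping each tag's entries in log order."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m["tag"]].append(m["body"])
    return sections


def triage(text):
    """Return (tag, entry, reason) tuples for entries worth asking about."""
    sections = parse_hjt(text)
    findings = []

    for body in sections.get("O4", []):
        m = RUN_RE.search(body)
        if not m:
            continue  # startup-folder entries are listed by HJT but not scored here
        name, cmd = m["name"], m["cmd"].lower()
        if name.isdigit():
            findings.append(("O4", body, "numeric Run name"))
        if any(hint in cmd for hint in USER_WRITABLE):
            findings.append(("O4", body, "autostart from user-writable path"))

    # HJT prints one O10 line per LSP chain slot, so count repeats per DLL
    # instead of emitting one finding per identical line.
    lsp = Counter(m["dll"] for m in map(LSP_RE.match, sections.get("O10", [])) if m)
    for dll, n in lsp.items():
        findings.append(("O10", dll, f"unknown LSP in {n} chain entries"))

    for body in sections.get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m["owner"].lower() == "unknown owner":
            findings.append(("O23", m["name"], "service with no publisher string"))

    return findings


if __name__ == "__main__":
    for tag, entry, reason in triage(SAMPLE_LOG):
        print(f"{tag:4} {reason}: {entry}")
```

Run it as-is and it prints the flagged entries; replace SAMPLE_LOG with the contents of a real hijackthis.log to triage that instead. A hit is a question, not a verdict: HJT's "Unknown file in Winsock LSP" only means the DLL is not on HJT's own known list, and xfire_lsp_*.dll belongs to the Xfire gaming client, so the eleven O10 lines in the post are very likely benign even though an LSP is a place a traffic redirector could sit. The more important caveat is the other direction: HJT reads the registry through the normal Windows API, so a service key that RootkitRevealer reports as "Hidden from Windows API" (item 4) will not appear under O23 at all, and a clean-looking HJT log is not evidence that the machine is clean.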
  13. Negative, for signs of infection. Everything's all good here. Thank you very much for your help and advice, sir.
  14. Malwarebytes' Anti-Malware 1.37
     Database version: 2259
     Windows 5.1.2600 Service Pack 1

     6/10/2009 9:41:46 PM
     mbam-log-2009-06-10 (21-41-46).txt

     Scan type: Full Scan (C:\|D:\|)
     Objects scanned: 325897
     Time elapsed: 2 hour(s), 10 minute(s), 4 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     There you go.