Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt And Combofix Logs


  • Please log in to reply
6 replies to this topic

#1 twardnw

twardnw

  • Members
  • 259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:05:29 PM

Posted 10 August 2007 - 08:43 PM

I usually have a pretty good track record removing spyware/malware/viri/foistware from my clients computer. But this one is just killing me. It's got WinAvx, and I can't get rid of it, nor does SpyBot have an update for it's removal (yet). Here is the HJT and ComboFix logs from this computer, any help given is greatly appreciated.


Begin HJT Log -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:31 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Wendy Anderson\Local Settings\Temporary Internet Files\Content.IE5\QL70O6OH\4byte4remote01[1].exe
C:\DOCUME~1\WENDYA~1\LOCALS~1\Temp\7zS33.tmp\winvnc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickBooksDB] C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -n QB_OFFICE2_16 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10160) -ti 0 -ec simple -ct- -qi -qw -oe DBStartup.log -tl 120 -u -y
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170028414633
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum133.txt
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7330 bytes

End HJT log ----------------------------------------


Begin ComboFix log-------------------------------------

ComboFix 07-08-09.3 - "Wendy Anderson" 2007-08-10 15:13:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1420 [GMT -7:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
C:\DOCUME~1\WENDYA~1\STARTM~1\Programs\Startup.\system.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\WinAvXX.exe


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-09 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-03 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 09:25 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 09:12 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-01 09:49 37,376 --a------ C:\WINDOWS\system32\vtr133.dll
2007-07-19 15:31 <DIR> d-------- C:\Program Files\WebSudokuDeluxe
2007-07-18 14:31 <DIR> d-------- C:\Program Files\Netflix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-01 07:55]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 07:59]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickBooksDB"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" [2005-10-20 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\Wendy Anderson\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 08:33:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 12:21:00]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-02-07 10:49:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\system32\hrum133.txt

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wendy Anderson^Start Menu^Programs^Startup^system.exe]
path=C:\Documents and Settings\Wendy Anderson\Start Menu\Programs\Startup\system.exe
backup=C:\WINDOWS\pss\system.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX]
C:\WINDOWS\system32\WinAvXX.exe

R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 SQTECH905C;Dual Camera;C:\WINDOWS\system32\Drivers\Capt905c.sys
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE


Contents of the 'Scheduled Tasks' folder
2007-08-10 08:42:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 15:14:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-10 15:14:41
C:\ComboFix-quarantined-files.txt ... 2007-08-10 15:14
C:\ComboFix2.txt ... 2007-08-03 15:36

--- E O F ---

End ComboFix log ------------------------------------------


Thanks for your help with this.

-Tyler-

BC AdBot (Login to Remove)

 


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 11 August 2007 - 03:03 AM

I would like to take a look at this log for you and will get back to you as soon as I can.

Thank You.

#3 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 11 August 2007 - 09:26 AM

Hello twardnw

Copy and Paste this post into a new text document or print it for reference

Step 1

Can you please disable your Real-time when doing this or any fix on your system

To Disable AVG Anti-Spyware Guard

To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

To Disable Windows Defender

Open Windows Defender
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


Step 2

Re-open HijackThis and select "Do a System Scan only" and place a checkmark in the boxes before the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum133.txt

Close any Explorer windows which may be open and click the "Fix Checked" button.


Double-click on My Computer, Double-click on Local Disk and navigate to then Right Click on and Delete the following Bold entries if present:

C:\WINDOWS\system32\hrum133.txt
C:\WINDOWS\system32\vtr133.dll


Step 3

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Step 4

Please re-scan with HijackThis and ComboFix and post both logs back to me

Thank you.

#4 twardnw

twardnw
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:05:29 PM

Posted 11 August 2007 - 05:28 PM

Thanks for the reply, I won't have access to this computer till monday, but I will do this then.

#5 twardnw

twardnw
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:05:29 PM

Posted 13 August 2007 - 11:27 AM

Not too sure what happened, but only the entry for 'O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum133.txt' was found by HJT. And neither of the files you asked me to delete were anywhere to be found.

Nonetheless, here's the logs as requested.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:33 AM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Wendy Anderson\Local Settings\Temporary Internet Files\Content.IE5\ON9L0K8N\4byte4remote01[1].exe
C:\DOCUME~1\WENDYA~1\LOCALS~1\Temp\7zS9A.tmp\winvnc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickBooksDB] C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -n QB_OFFICE2_16 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10160) -ti 0 -ec simple -ct- -qi -qw -oe DBStartup.log -tl 120 -u -y
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1170028414633
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6937 bytes





ComboFix 07-08-09.3 - "Wendy Anderson" 2007-08-13 9:21:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1413 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-09 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-03 15:32 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-02 09:25 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 09:12 <DIR> d-------- C:\WINDOWS\pss
2007-08-02 08:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-19 15:31 <DIR> d-------- C:\Program Files\WebSudokuDeluxe
2007-07-18 14:31 <DIR> d-------- C:\Program Files\Netflix


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-16 08:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 08:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 08:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 08:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 08:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 08:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 14:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 14:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 14:36]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-02-01 07:55]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 07:59]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickBooksDB"="C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe" [2005-10-20 10:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"WinAVX"=C:\WINDOWS\system32\WinAvXX.exe

C:\Documents and Settings\Wendy Anderson\Start Menu\Programs\Startup\
Event Reminder.lnk - C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE [1998-06-06 08:33:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-01-22 12:21:00]
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe [2006-02-07 10:49:34]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wendy Anderson^Start Menu^Programs^Startup^system.exe]
path=C:\Documents and Settings\Wendy Anderson\Start Menu\Programs\Startup\system.exe
backup=C:\WINDOWS\pss\system.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX]
C:\WINDOWS\system32\WinAvXX.exe

R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver;C:\WINDOWS\system32\DRIVERS\PRISMA02.sys
R3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310v.sys
S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM
S3 SQTECH905C;Dual Camera;C:\WINDOWS\system32\Drivers\Capt905c.sys
S4 PRISMSVC;PRISMSVC;C:\WINDOWS\system32\PRISMSVC.EXE


Contents of the 'Scheduled Tasks' folder
2007-08-13 08:41:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 09:21:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 9:22:17
C:\ComboFix-quarantined-files.txt ... 2007-08-13 09:22
C:\ComboFix2.txt ... 2007-08-10 15:14
C:\ComboFix3.txt ... 2007-08-03 15:36

--- E O F ---

#6 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 14 August 2007 - 01:17 PM

Hello twardnw

Copy and Paste this post into a new text document or print it for reference

Step 1

Please keep your real-time protection disabled during this fix.....

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinAVX"=-
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wendy Anderson^Start Menu^Programs^Startup^system.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAVX]


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file CFScript.txt and Save the file to your Desktop

Drag the file you just created CFScript and drop it on the main ComboFix.exe icon
Please wait for ComboFix to finish running

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash.


Step 2

Now please use Internet Explorer and run this online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:

Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases


Click OK
Now under select a target to scan: Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.


Step 3

After you have completed the above, please provide:
  • the CFScript report
  • a new HijackThis log
  • the Kaspersky log
  • and please let me know how this system is running

Thank you

#7 twardnw

twardnw
  • Topic Starter

  • Members
  • 259 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:05:29 PM

Posted 17 August 2007 - 02:11 AM

I apologize for the delay on my part, I have had an extremely busy week. I will follow the latest instructions in the morning, as soon as I have access to that machine. Thanks again for your help.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users