Compstu.dll infection detected


jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
29-Jul-2008, 10:50 AM #1
Somewhere along the line, I have picked up a nasty I can't seem to get rid of. I'm running XP Pro with SP2. I have AVG running and up to date. Adaware 2008 is also up to date. I have also run CCleaner for both registry and program issues.

I get an AVG alert every time explorer starts and every time a new IE browser window opens.
I know compstu.dll is write protected in the registry and won't let me delete it. My latest HJT log is as follows:

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-28 14:37:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\avgwdsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
E:\Program Files\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
E:\Program Files\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\QBOOKSW\QBW32.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\WINDOWS\system32\WFXSNT40.EXE
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\WinFax\WFXSWTCH.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Documents and Settings\mike\Desktop\dss.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dumprep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm
O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\system32\compstu.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...0C/wmv9dmo.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\Program Files\avgwdsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

I have seen where combofix is being used to clean this out, but I really don't know much about that app yet. If someone could help me out with this, I would be most appreciative.

Thanks in advance!
jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
07-Aug-2008, 12:25 AM #2
Bump
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
07-Aug-2008, 04:16 AM #3
Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
07-Aug-2008, 03:17 PM #4
There's a lot more stuff in Docs and Settings than I realized... At any rate, I had to attach the text file for the ComboFix log; the report was too long and a lot of it got clipped off.

The Hijack Log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 4:14:57 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
E:\PROGRA~1\avgrsx.exe
E:\PROGRA~1\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WFXSNT40.exe
C:\Program Files\WinFax\WFXCTL32.exe
C:\Program Files\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\System32\compstu.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

I sure appreciate your help with this one. The constant virus warnings are more than a concern here. Thanks for your time and assistance!
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
08-Aug-2008, 08:47 AM #5
download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot omitted]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

This will create a zip file named something like [38]-Submit_2008-01-17@17.50.zip

at the end it will pop up an alert & open your browser and ask you to send the zip file

please follow those instructions. We need to see the zip file before we can carry on with the fix

If there is no pop up alert or open browser then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:
the zip file on desktop created by combofix named something like [38]-Submit_2008-01-17@17.50.zip
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
08-Aug-2008, 02:29 PM #6
OK, got the zip and passed it on to the antivirus companies that don't already detect it.

next I would like to see what this finds

* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from Kaspersky scan

Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from.

You must use IE for the scan to work
jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
08-Aug-2008, 02:36 PM #7
Derek,

The results of the ComboFix scan are as follows:

ComboFix 08-08-07.01 - mike 2008-08-08 14:47:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT -4:00]
Running from: C:\Documents and Settings\mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mike\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\compstu.dll
C:\WINDOWS\system32\drivers\jhekwedi.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZDYTXHQV
-------\Service_zdytxhqv


((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-07-28 14:25 . 2008-07-28 14:25 <DIR> d----c--- C:\Deckard
2008-07-26 03:30 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-25 15:03 . 2008-08-07 16:12 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-07-25 14:54 . 2008-08-08 08:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Program Files\AVG
2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-07-25 14:54 . 2008-07-25 14:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-25 14:54 . 2008-07-25 14:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-25 14:53 . 2008-07-25 16:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-19 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-18 17:57 . 2008-07-21 09:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-07-18 17:54 . 2008-07-18 17:54 <DIR> d-------- C:\WINDOWS\provisioning
2008-07-18 17:33 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002655_.tmp
2008-07-18 17:32 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-18 11:33 . 2008-07-25 14:55 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-07-18 11:03 . 2004-08-04 00:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
2008-07-18 11:00 . 2008-07-18 11:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-18 11:00 . 2008-07-18 17:46 <DIR> d-------- C:\WINDOWS\ehome
2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a--c--- C:\WINDOWS\system32\dllcache\compatui.dll
2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a------ C:\WINDOWS\system32\compatui.dll
2008-07-18 11:00 . 2004-08-03 23:08 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-07-18 11:00 . 2004-08-04 00:56 32,768 --------- C:\WINDOWS\system32\asr_pfu.exe
2008-07-18 11:00 . 2004-08-03 22:59 12,800 --------- C:\WINDOWS\system32\spiisupd.exe
2008-07-18 10:54 . 2004-08-04 00:56 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
2008-07-18 10:49 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-07-18 09:45 . 2008-07-18 09:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 09:45 . 2008-07-18 09:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-07-18 09:44 . 2008-07-18 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 10:32 . 2008-07-12 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 14:13 --------- d-----w C:\Program Files\WinFax
2008-07-11 21:24 --------- d-----w C:\Documents and Settings\mike\Application Data\Lavasoft
2008-05-21 13:01 24,248 -c--a-w C:\Documents and Settings\mike\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-07_15.54.54.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 08:45 28160]
"AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [2008-07-25 14:54 1232152]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 07:55:18 972320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 05:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Controller.LNK]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Controller.LNK
backup=C:\WINDOWS\pss\Controller.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2002-12-12 08:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 14:54]
R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\avgwdsvc.exe [2008-07-25 14:54]
R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-29 00:58]
R2 XBaseMS-Service;XBaseMS-Service;C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [2002-06-17 16:26]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 14:54:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
E:\Program Files\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-08 14:59:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-08 18:59:08
ComboFix2.txt 2008-08-07 19:56:38

Pre-Run: 1,538,125,824 bytes free
Post-Run: 1,484,484,608 bytes free

119 --- E O F --- 2008-03-13 12:15:33

The HJT log now looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 3:31:57 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
E:\PROGRA~1\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
E:\Program Files\avgrsx.exe
E:\Program Files\avgrsx.exe
E:\Program Files\firefox.exe
E:\Program Files\avgrsx.exe
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

Looks like we finally killed the compstu.dll. I really appreciate all your help. Please let me know if there is anything further we need. I uploaded the zip file to both the spykiller and bleepingcomputer sites, but did not get a link to copy. Only the home pages showed at both locations. If you need that file posted here, let me know.

THANKS!!!
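The two HijackThis logs in this thread (the first one in post #1 and the post-ComboFix one in post #7) differ only in a handful of entries, and that difference is the evidence that the fix worked. The script below is an added example, not code from the thread or from HijackThis: it parses the R/F/O entry lines of an HJT log, flags the kind of entry that started this thread (an O2 BHO with "(no name)" whose DLL lives under the Windows directory), and diffs two logs to list what disappeared and what appeared. The sample logs are constructed excerpts of the logs posted above.

```python
"""Triage helpers for HijackThis logs (added example, not part of the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# An HJT entry line: section code (R0-R3, F0-F3, O1-O24), a dash, then the detail.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2})\s+-\s+(.*\S)\s*$")

# O2 detail looks like: BHO: <name> - {<CLSID>} - <dll path>
BHO_RE = re.compile(
    r"^BHO:\s*(?P<name>.*?)\s*-\s*\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<path>.+)$"
)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O23"
    detail: str   # everything after "O2 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O entries of an HJT log; the banner and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def suspicious_bhos(entries: list[Entry]) -> list[tuple[str, str]]:
    """Heuristic triage: a BHO with no display name whose DLL sits under the
    Windows directory deserves a closer look (legitimate BHOs are normally named
    and installed under Program Files). A hit is a lead to investigate, not a verdict."""
    hits = []
    for e in entries:
        if e.section != "O2":
            continue
        m = BHO_RE.match(e.detail)
        if not m:
            continue
        if (m.group("name").lower() == "(no name)"
                and m.group("path").lower().startswith("c:\\windows\\")):
            hits.append((m.group("clsid").upper(), m.group("path")))
    return hits


def _key(e: Entry) -> tuple[str, str]:
    # HJT mixes "system32" and "System32" between runs; compare case-insensitively.
    return (e.section, e.detail.lower())


def diff_logs(before_text: str, after_text: str) -> tuple[list[Entry], list[Entry]]:
    """(entries only in the earlier log, entries only in the later log), in log order."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    before_keys = {_key(e) for e in before}
    after_keys = {_key(e) for e in after}
    removed = [e for e in before if _key(e) not in after_keys]
    added = [e for e in after if _key(e) not in before_keys]
    return removed, added


# Constructed excerpts of the logs posted in this thread (post #1 and post #7);
# the process lists and most unchanged entries are left out to keep the sample short.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers...meLeftPane.htm
O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\system32\compstu.dll
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
"""

if __name__ == "__main__":
    for clsid, path in suspicious_bhos(parse_hjt(BEFORE_LOG)):
        print(f"unnamed BHO under Windows dir: {{{clsid}}} -> {path}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in removed:
        print(f"- {e.section} - {e.detail}")
    for e in added:
        print(f"+ {e.section} - {e.detail}")
```

On the thread's logs the diff shows the compstu.dll BHO and the resultsmaster.com search hijack gone, and only the WgaLogon notify entry and Microsoft's default search page appearing; the O20 AppInit_DLLs line (AVG's own hook) is identical in both and so does not show up, which is the point of diffing rather than re-reading the whole log.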
jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
08-Aug-2008, 05:01 PM #8
Derek,

Sorry for the delay. I have not had the opportunity to run the scan you requested with Kaspersky yet, however I will get to it. It will probably have to wait until Monday as other issues (weekend travel) are in store. I will be back Monday and will post the results of the scan you requested.

I thank you for your time and assistance...both are greatly appreciated!
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
09-Aug-2008, 01:56 PM #9
Until I see the results of the Kaspersky scan I won't say whether you are clean or not so will wait for your next reply
jcw002 (thread starter), Member, 34 posts (Join Date: Jan 2004; Experience: Advanced)
11-Aug-2008, 11:05 AM #10
Derek,

The results of the Kaspersky scan are as follows:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 11, 2008 14:41:41
Records in database: 1082298
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
S:\

Scan statistics:
Files scanned: 36686
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 01:58:50


File name / Threat name / Threats count
C:\QooBox\Quarantine\catchme2008-08-08_145027.40.zip Infected: Rootkit.Win32.Agent.aap 1
C:\WINDOWS\system32\drivers\jhekwedi.sys Infected: Rootkit.Win32.Agent.iy 1

The selected area was scanned.


The HJT log is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 12:02:20 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\avgwdsvc.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
C:\Program Files\Messenger\msmsgs.exe
E:\PROGRA~1\avgrsx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\mike\Local Settings\temp\jkos-mike\binaries\ScanningProcess.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
E:\QBOOKSW\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=23100
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

Looks like we are getting closer! I really appreciate your assistance.
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
11-Aug-2008, 12:14 PM #11
Open Notepad and copy and paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\drivers\jhekwedi.sys

Save the Notepad file to your desktop & call it CFScript.txt

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot omitted]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
~Candy~, Retired Administrator, 103,708 posts (Join Date: Jan 2001; Experience: Advanced)
11-Aug-2008, 12:21 PM #12
Just an FYI, Derek, somewhere along the line, the poster reverted back to an older version of HJT.
dvk01 (Derek), Moderator & Malware Removal Specialist, 46,094 posts; authorized to help remove malware (Join Date: Dec 2002; Location: Loughton, Essex, UK)
11-Aug-2008, 01:53 PM #13
Thanks Candy

I can see all I need to see in Combofix so we can get HJT updated again before we finish just in case
~Candy~'s Avatar
Retired Administrator with 103,708 posts.
 
Join Date: Jan 2001
Experience: Advanced
11-Aug-2008, 01:57 PM #14
You're welcome
jcw002's Avatar
jcw002 jcw002 is offline
Member with 34 posts.
THREAD STARTER
 
Join Date: Jan 2004
Experience: Advanced
11-Aug-2008, 03:21 PM #15
Derek,

Finished with the latest run of ComboFix moments ago. The log is as follows:

ComboFix 08-08-10.05 - mike 2008-08-11 16:08:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.186 [GMT -4:00]
Running from: C:\Documents and Settings\mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mike\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\drivers\jhekwedi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\jhekwedi.sys

.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.

2008-08-11 09:38 . 2008-08-11 09:38 <DIR> d-------- C:\WINDOWS\Sun
2008-08-11 09:37 . 2008-08-11 09:37 <DIR> d-------- C:\Program Files\Sun
2008-08-11 09:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-11 09:34 . 2008-08-11 09:37 <DIR> d-------- C:\Program Files\Java
2008-08-11 09:33 . 2008-08-11 09:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-08 15:22 . 2008-08-08 15:22 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-28 14:25 . 2008-07-28 14:25 <DIR> d----c--- C:\Deckard
2008-07-26 03:30 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-07-25 15:03 . 2008-08-08 15:23 <DIR> d--h-c--- C:\$AVG8.VAULT$
2008-07-25 14:54 . 2008-08-08 08:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Program Files\AVG
2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-07-25 14:54 . 2008-07-25 14:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-25 14:54 . 2008-07-25 14:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-25 14:53 . 2008-07-25 16:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-07-19 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-19 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-18 17:57 . 2008-07-21 09:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-07-18 17:54 . 2008-07-18 17:54 <DIR> d-------- C:\WINDOWS\provisioning
2008-07-18 17:33 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002655_.tmp
2008-07-18 17:32 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-18 11:33 . 2008-07-25 14:55 <DIR> d----c--- C:\Documents and Settings\Administrator
2008-07-18 11:03 . 2004-08-04 00:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
2008-07-18 11:00 . 2008-07-18 11:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-18 11:00 . 2008-07-18 17:46 <DIR> d-------- C:\WINDOWS\ehome
2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a--c--- C:\WINDOWS\system32\dllcache\compatui.dll
2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a------ C:\WINDOWS\system32\compatui.dll
2008-07-18 11:00 . 2004-08-03 23:08 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-07-18 11:00 . 2004-08-04 00:56 32,768 --------- C:\WINDOWS\system32\asr_pfu.exe
2008-07-18 11:00 . 2004-08-03 22:59 12,800 --------- C:\WINDOWS\system32\spiisupd.exe
2008-07-18 10:54 . 2004-08-04 00:56 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
2008-07-18 10:49 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-07-18 09:45 . 2008-07-18 09:45 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-18 09:45 . 2008-07-18 09:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-07-18 09:44 . 2008-07-18 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-12 10:32 . 2008-07-12 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-11 17:05 --------- d-----w C:\Program Files\WinFax
2008-07-11 21:24 --------- d-----w C:\Documents and Settings\mike\Application Data\Lavasoft
2008-05-21 13:01 24,248 -c--a-w C:\Documents and Settings\mike\Application Data\GDIPFONTCACHEV1.DAT
2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.

((((((((((((((((((((((((((((( snapshot@2008-08-07_15.54.54.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-08-08 19:57:09 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 08:45 28160]
"AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [2008-07-25 14:54 1232152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 07:55:18 972320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 05:54 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Controller.LNK]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Controller.LNK
backup=C:\WINDOWS\pss\Controller.LNKCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2002-12-12 08:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"E:\\Program Files\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 14:54]
R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\avgwdsvc.exe [2008-07-25 14:54]
R2 XBaseMS-Service;XBaseMS-Service;C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [2002-06-17 16:26]
S2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-29 00:58]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 16:10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-11 16:14:06
ComboFix-quarantined-files.txt 2008-08-11 20:14:01
ComboFix2.txt 2008-08-08 18:59:21
ComboFix3.txt 2008-08-07 19:56:38

Pre-Run: 1,924,456,448 bytes free
Post-Run: 1,992,724,480 bytes free

121 --- E O F --- 2008-03-13 12:15:33


Please advise on my next step.

Thank you for your time and assistance!