
Compstu.dll infection detected

Discussion in 'Virus & Other Malware Removal' started by jcw002, Jul 29, 2008.

Thread Status:
Not open for further replies.
  1. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Somewhere along the line, I have picked up a nasty I can't seem to get rid of. I'm running XP Pro with SP2. I have AVG running and up to date. Adaware 2008 is also up to date. I have also run CCleaner for both registry and program issues.

    I get an AVG alert every time explorer starts and every time a new IE browser window opens.
    I know compstu.dll is write protected in the registry and won't let me delete it. My latest HJT log is as follows:

    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-07-28 14:37:47
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\avgwdsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    E:\Program Files\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    E:\Program Files\avgrsx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\QBOOKSW\QBW32.EXE
    C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
    C:\WINDOWS\system32\WFXSNT40.EXE
    C:\Program Files\WinFax\WFXCTL32.EXE
    C:\Program Files\WinFax\WFXSWTCH.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
    C:\Documents and Settings\mike\Desktop\dss.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\dumprep.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
    O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\system32\compstu.dll
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
    O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\Program Files\avgwdsvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE
    O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

    I have seen where combofix is being used to clean this out, but I really don't know much about that app yet. If someone could help me out with this, I would be most appreciative.

    Thanks in advance!
     
  2. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Bump
     
  3. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    Please visit Combofix Guide & Instructions for instructions for downloading and running ComboFix: especially follow the advice about installing the recovery console

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply
     
  4. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    There's a lot more stuff in Docs and Settings than I realized... At any rate, I had to attach the text file for the ComboFix log; the report was too long and a lot of it got clipped off.

    The Hijack Log is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:14:57 PM, on 8/7/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\avgwdsvc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    E:\PROGRA~1\avgrsx.exe
    E:\PROGRA~1\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WFXSNT40.exe
    C:\Program Files\WinFax\WFXCTL32.exe
    C:\Program Files\WinFax\WFXSWTCH.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    E:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\System32\compstu.dll
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

    I sure appreciate your help with this one. The constant virus warnings are more than a concern here. Thanks for your time and assistance!
     


  5. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press SAVE and choose desktop in the list of selections in that window & press save)

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [screenshot: CFScript.txt being dragged onto ComboFix.exe]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

    This will create a zip file named something like [38][email protected]

    at the end it will pop up an alert & open your browser and ask you to send the zip file

    please follow those instructions. We need to see the zip file before we can carry on with the fix

    If there is no pop up alert or open browser then

    please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and if needed distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:
    the zip file on desktop created by combofix named something like [38][email protected]
     


  6. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    OK, got the zip & passed it on to the antivirus companies that don't already detect it

    next I would like to see what this finds

    * Run Kaspersky online virus scan Kaspersky Online Scanner.

    After the updates have downloaded, click on the "Scan Settings" button.
    Choose the "Extended database" for the scan.
    Under "Please select a target to scan", click "My Computer".
    When the scan is finished, Save the results from the scan!

    Note: You have to use Internet Explorer to do the online scan.

    Post a new HiJackThis log along with the results from Kaspersky scan

    Note: Kavscan is a scanner only & won't fix anything, but it will normally find the most infected files, so its report gives us a good place to work from

    You must use IE for the scan to work
     
  7. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Derek,

    The results of the ComboFix scan are as follows:

    ComboFix 08-08-07.01 - mike 2008-08-08 14:47:41.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.198 [GMT -4:00]
    Running from: C:\Documents and Settings\mike\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\mike\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\compstu.dll
    C:\WINDOWS\system32\drivers\jhekwedi.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_ZDYTXHQV
    -------\Service_zdytxhqv


    ((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
    .

    2008-07-28 14:25 . 2008-07-28 14:25 <DIR> d----c--- C:\Deckard
    2008-07-26 03:30 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-07-25 15:03 . 2008-08-07 16:12 <DIR> d--h-c--- C:\$AVG8.VAULT$
    2008-07-25 14:54 . 2008-08-08 08:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Program Files\AVG
    2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
    2008-07-25 14:54 . 2008-07-25 14:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-25 14:54 . 2008-07-25 14:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-07-25 14:53 . 2008-07-25 16:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-07-19 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-07-18 17:57 . 2008-07-21 09:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-07-18 17:54 . 2008-07-18 17:54 <DIR> d-------- C:\WINDOWS\provisioning
    2008-07-18 17:33 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002655_.tmp
    2008-07-18 17:32 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-07-18 11:33 . 2008-07-25 14:55 <DIR> d----c--- C:\Documents and Settings\Administrator
    2008-07-18 11:03 . 2004-08-04 00:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
    2008-07-18 11:00 . 2008-07-18 11:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-18 11:00 . 2008-07-18 17:46 <DIR> d-------- C:\WINDOWS\ehome
    2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a--c--- C:\WINDOWS\system32\dllcache\compatui.dll
    2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a------ C:\WINDOWS\system32\compatui.dll
    2008-07-18 11:00 . 2004-08-03 23:08 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
    2008-07-18 11:00 . 2004-08-04 00:56 32,768 --------- C:\WINDOWS\system32\asr_pfu.exe
    2008-07-18 11:00 . 2004-08-03 22:59 12,800 --------- C:\WINDOWS\system32\spiisupd.exe
    2008-07-18 10:54 . 2004-08-04 00:56 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
    2008-07-18 10:49 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
    2008-07-18 09:45 . 2008-07-18 09:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-18 09:45 . 2008-07-18 09:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-07-18 09:44 . 2008-07-18 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-12 10:32 . 2008-07-12 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-08 14:13 --------- d-----w C:\Program Files\WinFax
    2008-07-11 21:24 --------- d-----w C:\Documents and Settings\mike\Application Data\Lavasoft
    2008-05-21 13:01 24,248 -c--a-w C:\Documents and Settings\mike\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-07_15.54.54.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 08:45 28160]
    "AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [2008-07-25 14:54 1232152]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 07:55:18 972320]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 05:54 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Controller.LNK]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Controller.LNK
    backup=C:\WINDOWS\pss\Controller.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
    --a------ 2002-12-12 08:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\Program Files\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 14:54]
    R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\avgwdsvc.exe [2008-07-25 14:54]
    R2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-29 00:58]
    R2 XBaseMS-Service;XBaseMS-Service;C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [2002-06-17 16:26]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-08 14:54:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    E:\Program Files\avgrsx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-08 14:59:20 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-08 18:59:08
    ComboFix2.txt 2008-08-07 19:56:38

    Pre-Run: 1,538,125,824 bytes free
    Post-Run: 1,484,484,608 bytes free

    119 --- E O F --- 2008-03-13 12:15:33

    The HJT log now looks like this:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:31:57 PM, on 8/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\avgwdsvc.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    E:\PROGRA~1\avgtray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    E:\Program Files\avgrsx.exe
    E:\Program Files\avgrsx.exe
    E:\Program Files\firefox.exe
    E:\Program Files\avgrsx.exe
    E:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

    Looks like we finally killed the compstu.dll. I really appreciate all your help. Please let me know if there is anything further we need. I uploaded the zip file to both the spykiller and bleepingcomputer sites, but did not get a link to copy. Only the home pages showed at both locations. If you need that file posted here, let me know.

    THANKS!!!
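The two HijackThis logs in this thread (the first post's and the one just above) differ exactly where the fix landed: the "(no name)" O2 BHO pointing at compstu.dll is gone. As an added example, not code from the thread, from HijackThis or from ComboFix, here is a small Python script that parses HJT-style entries, flags the kinds of lines a malware helper reads first (nameless BHOs, BHO DLLs loaded from system32, O20 injection points, start/search settings pointing at unfamiliar hosts) and diffs a before log against an after log. The heuristics, the trusted-host list and the sample logs (constructed from entries quoted in this thread) are assumptions of the example, not HijackThis rules.

```python
"""Triage HijackThis-style logs: parse entries, flag the ones a malware
helper reads first, and diff a before log against an after log.

Added example for this thread; not code from HijackThis, ComboFix or the
forum. Heuristics, TRUSTED_HOSTS and the sample logs are assumptions of
this example (samples are constructed from entries quoted in the thread).
"""
import re
from dataclasses import dataclass

# "<section> - <body>", e.g. "O2 - BHO: (no name) - {CLSID} - C:\...\x.dll"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|sys)\b", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Hosts an IE start/search page may legitimately point at (assumption of this example).
TRUSTED_HOSTS = ("microsoft.com", "yahoo.com", "google.com")


@dataclass(frozen=True)
class Entry:
    section: str   # HJT section tag: R0, R1, O2, O4, O20, O23, ...
    body: str      # everything after "<section> - "

    @property
    def path(self):
        m = PATH_RE.search(self.body)
        return m.group(0) if m else None

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0) if m else None

    @property
    def host(self):
        m = HOST_RE.search(self.body)
        return m.group(1).lower() if m else None


def parse_hjt(text):
    """Return the R*/F*/O* entries of a log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def flag(entry):
    """Reasons to look closer at an entry (review hints, not verdicts)."""
    reasons = []
    if entry.section in ("R0", "R1") and entry.host and not _trusted(entry.host):
        reasons.append(f"IE start/search setting points at {entry.host}")
    if entry.section == "O2":
        if entry.body.startswith("BHO: (no name)"):
            reasons.append("browser helper object registered without a name")
        if entry.path and "\\system32\\" in entry.path.lower():
            reasons.append("BHO DLL loaded from system32 (unusual for vendor BHOs; check its signer)")
    if entry.section == "O20":
        reasons.append("AppInit_DLLs/Winlogon Notify DLL is loaded into many processes; confirm its publisher")
    return reasons


def review(text):
    """(entry, reasons) for every entry that has at least one reason, in log order."""
    out = []
    for e in parse_hjt(text):
        r = flag(e)
        if r:
            out.append((e, r))
    return out


def _key(e):
    # Case-insensitive so system32/System32 spellings of one path are not a "change".
    return f"{e.section} {e.body}".lower()


def diff_logs(before, after):
    """(removed, added): entries only in the before log, entries only in the after log."""
    b = {_key(e): e for e in parse_hjt(before)}
    a = {_key(e): e for e in parse_hjt(after)}
    return ([e for k, e in b.items() if k not in a],
            [e for k, e in a.items() if k not in b])


# Constructed samples: subsets of the thread's first and post-fix HJT logs.
BEFORE_LOG = r"""
Logfile of HijackThis (constructed sample: before cleanup)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
O2 - BHO: (no name) - {E7C67BFD-11CD-4593-9F8B-AF0772F90CC2} - C:\WINDOWS\system32\compstu.dll
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: avgrsstx.dll
"""

AFTER_LOG = r"""
Logfile of HijackThis (constructed sample: after ComboFix)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for e, reasons in review(BEFORE_LOG):
        print(f"{e.section} - {e.body}\n    -> " + "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\nGone after cleanup:", *[f"\n  - {e.section} - {e.body}" for e in removed])
    print("New after cleanup:", *[f"\n  + {e.section} - {e.body}" for e in added])
```

Run it against two real HJT logs by replacing the sample strings with the file contents; the diff is the quickest way to confirm that a fix removed exactly the lines it was meant to and nothing else, and the O20 hint deliberately fires on legitimate AV entries such as avgrsstx.dll, since those are the lines whose publisher you verify rather than lines the script can judge on its own.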
     
  8. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Derek,

    Sorry for the delay. I have not had the opportunity to run the scan you requested with Kaspersky yet, however I will get to it. It will probably have to wait until Monday as other issues (weekend travel) are in store. I will be back Monday and will post the results of the scan you requested.

    I thank you for your time and assistance...both are greatly appreciated!
     
  9. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    Until I see the results of the Kaspersky scan I won't say whether you are clean or not so will wait for your next reply
     
  10. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Derek,

    The results of the Kaspersky scan are as follows:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, August 11, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, August 11, 2008 14:41:41
    Records in database: 1082298
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    S:\

    Scan statistics:
    Files scanned: 36686
    Threat name: 2
    Infected objects: 2
    Suspicious objects: 0
    Duration of the scan: 01:58:50


    File name / Threat name / Threats count
    C:\QooBox\Quarantine\catchme2008-08-08_145027.40.zip Infected: Rootkit.Win32.Agent.aap 1
    C:\WINDOWS\system32\drivers\jhekwedi.sys Infected: Rootkit.Win32.Agent.iy 1

    The selected area was scanned.


    The HJT log is as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:02:20 PM, on 8/11/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    E:\PROGRA~1\avgwdsvc.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbkern32.exe
    C:\Program Files\Messenger\msmsgs.exe
    E:\PROGRA~1\avgrsx.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\mike\Local Settings\temp\jkos-mike\binaries\ScanningProcess.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    E:\QBOOKSW\qbw32.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
    E:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\avgwdsvc.exe
    O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
    O23 - Service: XBaseMS-Service - Transaction Software, D 81737 Munich - C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe

    Looks like we are getting closer! I really appreciate your assistance.
     
  11. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    Open Notepad and copy and paste the text in the code box below into it:



    Code:
    File::
    C:\WINDOWS\system32\drivers\jhekwedi.sys
    
    
    save the notepad file to your desktop & call it CFScript.txt

    Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before going any further

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



    [screenshot: CFScript.txt being dragged onto ComboFix.exe]



    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply

    Remember to reconnect to the net and enable any disabled antivirus etc BEFORE reconnecting

    Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
     
  12. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Just an FYI, Derek, somewhere along the line, the poster reverted back to an older version of HJT.
     
  13. dvk01

    dvk01 Derek Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    47,800
    Thanks Candy

    I can see all I need to see in Combofix so we can get HJT updated again before we finish just in case
     
  14. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    (y) You're welcome :)
     
  15. jcw002

    jcw002 Thread Starter

    Joined:
    Jan 15, 2004
    Messages:
    34
    Derek,

    Finished with the latest run of ComboFix moments ago. The log is as follows:

    ComboFix 08-08-10.05 - mike 2008-08-11 16:08:05.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.186 [GMT -4:00]
    Running from: C:\Documents and Settings\mike\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\mike\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    FILE ::
    C:\WINDOWS\system32\drivers\jhekwedi.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\drivers\jhekwedi.sys

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
    .

    2008-08-11 09:38 . 2008-08-11 09:38 <DIR> d-------- C:\WINDOWS\Sun
    2008-08-11 09:37 . 2008-08-11 09:37 <DIR> d-------- C:\Program Files\Sun
    2008-08-11 09:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-08-11 09:34 . 2008-08-11 09:37 <DIR> d-------- C:\Program Files\Java
    2008-08-11 09:33 . 2008-08-11 09:33 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-08-08 15:22 . 2008-08-08 15:22 0 --a------ C:\WINDOWS\nsreg.dat
    2008-07-28 14:25 . 2008-07-28 14:25 <DIR> d----c--- C:\Deckard
    2008-07-26 03:30 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
    2008-07-25 15:03 . 2008-08-08 15:23 <DIR> d--h-c--- C:\$AVG8.VAULT$
    2008-07-25 14:54 . 2008-08-08 08:23 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
    2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Program Files\AVG
    2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
    2008-07-25 14:54 . 2008-07-25 14:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-07-25 14:54 . 2008-07-25 14:54 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
    2008-07-25 14:53 . 2008-07-25 16:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-07-19 02:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2008-07-19 02:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
    2008-07-18 17:57 . 2008-07-21 09:44 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
    2008-07-18 17:54 . 2008-07-18 17:54 <DIR> d-------- C:\WINDOWS\provisioning
    2008-07-18 17:33 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002655_.tmp
    2008-07-18 17:32 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-07-18 11:33 . 2008-07-25 14:55 <DIR> d----c--- C:\Documents and Settings\Administrator
    2008-07-18 11:03 . 2004-08-04 00:56 96,768 --a------ C:\WINDOWS\system32\dpcdll.dll
    2008-07-18 11:00 . 2008-07-18 11:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-07-18 11:00 . 2008-07-18 17:46 <DIR> d-------- C:\WINDOWS\ehome
    2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a--c--- C:\WINDOWS\system32\dllcache\compatui.dll
    2008-07-18 11:00 . 2004-08-04 00:56 252,928 --a------ C:\WINDOWS\system32\compatui.dll
    2008-07-18 11:00 . 2004-08-03 23:08 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
    2008-07-18 11:00 . 2004-08-04 00:56 32,768 --------- C:\WINDOWS\system32\asr_pfu.exe
    2008-07-18 11:00 . 2004-08-03 22:59 12,800 --------- C:\WINDOWS\system32\spiisupd.exe
    2008-07-18 10:54 . 2004-08-04 00:56 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
    2008-07-18 10:49 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
    2008-07-18 09:45 . 2008-07-18 09:45 <DIR> d-------- C:\Program Files\Lavasoft
    2008-07-18 09:45 . 2008-07-18 09:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
    2008-07-18 09:44 . 2008-07-18 09:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-07-12 10:32 . 2008-07-12 10:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-11 17:05 --------- d-----w C:\Program Files\WinFax
    2008-07-11 21:24 --------- d-----w C:\Documents and Settings\mike\Application Data\Lavasoft
    2008-05-21 13:01 24,248 -c--a-w C:\Documents and Settings\mike\Application Data\GDIPFONTCACHEV1.DAT
    2008-05-16 15:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-07_15.54.54.53 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
    + 2008-06-10 05:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
    + 2008-06-10 05:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2008-06-10 06:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    + 2008-03-25 03:21:18 2,889,088 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    + 2008-03-25 03:21:20 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2008-08-08 19:57:09 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 00:56 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2002-12-12 08:45 28160]
    "AVG8_TRAY"="E:\PROGRA~1\avgtray.exe" [2008-07-25 14:54 1232152]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]

    C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-03-01 07:55:18 972320]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 05:54 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Controller.LNK]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Controller.LNK
    backup=C:\WINDOWS\pss\Controller.LNKCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-08-04 00:56 1667584 C:\Program Files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
    --a------ 2002-12-12 08:45 45568 C:\WINDOWS\system32\WFXSNT40.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "E:\\Program Files\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-25 14:54]
    R2 avg8wd;AVG Free8 WatchDog;E:\PROGRA~1\avgwdsvc.exe [2008-07-25 14:54]
    R2 XBaseMS-Service;XBaseMS-Service;C:\Program Files\ProQuestMS\PartsManagerPro\XBaseSrvr\tbmux32.exe [2002-06-17 16:26]
    S2 wfxsvc;WinFax PRO;C:\WINDOWS\System32\WFXSVC.EXE [2000-09-29 00:58]
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-11 16:10:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-11 16:14:06
    ComboFix-quarantined-files.txt 2008-08-11 20:14:01
    ComboFix2.txt 2008-08-08 18:59:21
    ComboFix3.txt 2008-08-07 19:56:38

    Pre-Run: 1,924,456,448 bytes free
    Post-Run: 1,992,724,480 bytes free

    121 --- E O F --- 2008-03-13 12:15:33


    Please advise on my next step.

    Thank you for your time and assistance!
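    As an added triage helper (not ComboFix's own tooling and not anything posted in this thread), the Python below reads a ComboFix log of the shape posted above: it confirms that every path in the echoed CFScript `FILE ::` block shows up under "Other Deletions" and lists non-directory files created under system32\drivers, where the removed jhekwedi.sys lived. The log excerpt embedded in it is a constructed sample modelled on the thread's log, and the function names are this example's own.

```python
import itertools
import re
# Constructed excerpt modelled on the ComboFix log posted in the thread (not the real log).
SAMPLE_LOG = r"""FILE ::
C:\WINDOWS\system32\drivers\jhekwedi.sys
.
(((((((((((((((((( Other Deletions ))))))))))))))))))
.
C:\WINDOWS\system32\drivers\jhekwedi.sys
.
((((( Files Created from 2008-07-11 to 2008-08-11 )))))
.
2008-08-11 09:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-25 14:54 . 2008-07-25 14:54 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-25 14:54 . 2008-07-25 14:54 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
"""
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                          # ((((( Section )))))
ENTRY_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (<DIR>|[\d,]+) \S+ (.+)$")  # one Files Created row

def split_sections(log):
    """Group non-empty lines under the banner above them; the echoed CFScript precedes any banner."""
    sections, current = {"Header": []}, "Header"
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":          # ComboFix uses a lone '.' as a spacer
            sections[current].append(line)
    return sections

def script_targets(sections):
    """Paths listed after 'FILE ::' in the echoed script; stops at the first non-path line."""
    header = sections.get("Header", [])
    start = header.index("FILE ::") + 1 if "FILE ::" in header else len(header)
    return list(itertools.takewhile(lambda p: re.match(r"^[A-Za-z]:\\", p), header[start:]))

def unconfirmed_deletions(log):
    """Script targets that do NOT appear under 'Other Deletions', i.e. the script did not remove them."""
    sections = split_sections(log)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    return [t for t in script_targets(sections) if t.lower() not in deleted]

def new_driver_files(log):
    """Non-directory files created under system32/drivers, the usual drop location for a rogue driver."""
    return [m.group(2) for name, lines in split_sections(log).items() if name.startswith("Files Created")
            for m in map(ENTRY_RE.match, lines)
            if m and m.group(1) != "<DIR>" and "\\system32\\drivers\\" in m.group(2).lower()]
```

    Run against the real Combofix.txt, an empty list from unconfirmed_deletions means every scripted file was removed; anything still in new_driver_files deserves a second look rather than automatic deletion.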
     
Short URL to this thread: https://techguy.org/735011