Solved

AVG found Vundo (and 2 others), ComboFix run and included

Posted on 2009-02-10
Last Modified: 2013-11-22
I have a machine with AVG (7.5).  It reported Vundo.ER (2 files), BHO.HJE, and SHeur2.PPQ as file threats and deleted them.  I downloaded and ran ComboFix.  It seemed to go fine and run successfully.  The resulting log file is in the snippet below.

Anything left or anything else I should do as far as testing, etc?  Let me know if you have a question or need more info.

bol

p.s.  I might not be real fast in responding and can only get on that machine at certain times of the day so sorry (in advance) for any delays.
ComboFix 09-02-08.02 - Administrator 2009-02-10  7:51:55.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1557 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *disabled*
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\1\
c:\windows\system32\2\
c:\windows\system32\3\
c:\windows\system32\cbXQgFxW.dll
c:\windows\system32\ddcBRjKd.dll
c:\windows\system32\kzjecq.dll
c:\windows\system32\oxkqiber.ini
c:\windows\system32\rebiqkxo.dll
c:\windows\system32\rqRIyWmK.dll
c:\windows\system32\saxwrwfm.dll
c:\windows\system32\WxFgQXbc.ini
c:\windows\system32\WxFgQXbc.ini2
 
.
(((((((((((((((((((((((((   Files Created from 2009-01-10 to 2009-02-10  )))))))))))))))))))))))))))))))
.
 
2009-02-10 07:36 . 2009-02-10 07:36	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-02-10 07:35 . 2009-02-10 07:35	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\AVG7
2009-02-09 09:55 . 2009-02-09 17:18	<DIR>	d--------	C:\08MASCAN
2009-02-06 14:06 . 2009-02-06 19:09	<DIR>	d--------	C:\08hiscan
2009-02-04 15:30 . 2009-02-04 15:30	<DIR>	d--------	C:\03DATA1
2009-02-04 15:29 . 2009-02-04 15:29	<DIR>	d--------	C:\heatherforms
2009-02-04 15:19 . 2009-02-04 15:32	<DIR>	d--------	C:\03data
2009-02-04 09:50 . 2009-02-04 10:08	<DIR>	d--------	C:\08mtelf
2009-02-03 09:48 . 2009-02-03 10:04	6,148	--a------	c:\windows\system32\DE_Est-2.prn
2009-02-03 09:48 . 2009-02-03 10:04	5,124	--a------	c:\windows\system32\DE_Est-1.prn
2009-02-03 09:00 . 2009-02-03 09:46	15,364	--a------	c:\windows\system32\DE_NR-1.prn
2009-02-03 09:00 . 2009-02-03 09:46	12,548	--a------	c:\windows\system32\DE_NR-2.prn
2009-02-03 09:00 . 2009-02-03 09:46	12,036	--a------	c:\windows\system32\DE_res-2.prn
2009-02-03 09:00 . 2009-02-03 09:46	8,964	--a------	c:\windows\system32\DE_res-3.prn
2009-02-03 09:00 . 2009-02-03 09:47	4,356	--a------	c:\windows\system32\DE_NR-3.prn
2009-02-03 08:59 . 2009-02-03 09:45	15,364	--a------	c:\windows\system32\DE_res-1.prn
2009-02-02 16:19 . 2009-02-02 16:20	<DIR>	d--------	C:\08WPtnr
2009-02-02 16:10 . 2009-02-02 16:11	<DIR>	d--------	C:\08WCorp
2009-01-29 08:10 . 2009-01-29 09:01	5,192	--a------	c:\windows\system32\PA-40pg2.prn
2009-01-29 08:10 . 2009-01-29 08:47	4,486	--a------	c:\windows\system32\PA-40pg1.prn
2009-01-28 11:54 . 2009-01-29 11:59	<DIR>	d--------	C:\08NJSCAN
2009-01-28 11:54 . 2009-01-28 11:54	<DIR>	d--------	C:\08NJELF
2009-01-26 19:06 . 2009-01-26 19:12	<DIR>	d--------	C:\08VAELF
2009-01-22 09:06 . 2009-01-22 09:06	6,660	--a------	c:\windows\system32\MT2441M.prn
2009-01-22 09:05 . 2009-01-22 09:05	8,708	--a------	c:\windows\system32\MT2-8.prn
2009-01-22 09:05 . 2009-01-22 09:05	8,708	--a------	c:\windows\system32\MT2-5.prn
2009-01-22 09:05 . 2009-01-22 09:05	7,940	--a------	c:\windows\system32\MT2-7.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-6.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-4.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-3.prn
2009-01-22 09:05 . 2009-01-22 09:05	3,076	--a------	c:\windows\system32\MT2-9.prn
2009-01-22 09:04 . 2009-01-22 09:04	14,084	--a------	c:\windows\system32\MT2-1.prn
2009-01-22 09:04 . 2009-01-22 09:04	11,012	--a------	c:\windows\system32\MT2-2.prn
2009-01-22 08:35 . 2009-02-09 18:38	<DIR>	d--------	C:\08MTSCAN
2009-01-20 09:11 . 2009-02-03 14:57	<DIR>	d--------	C:\08VASCAN
2009-01-14 18:12 . 2009-01-27 14:37	<DIR>	d--------	C:\08nyelf
2009-01-14 13:36 . 2009-01-14 15:20	<DIR>	d--------	C:\08gascan
2009-01-12 18:55 . 2009-01-12 19:00	<DIR>	d--------	C:\08mdelf
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 03:20	---------	d-----w	c:\documents and settings\Dave\Application Data\AVG7
2009-02-10 03:11	---------	d-----w	c:\program files\Mozilla Thunderbird
2009-02-07 03:40	3,578	----a-w	C:\BACKSAFE.BAT
2009-01-15 02:50	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-10 02:29	---------	d-----w	c:\program files\Wise
2009-01-06 17:46	---------	d-----w	c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-16 00:26	82	----a-w	C:\GL.BAT
2008-12-11 11:57	333,184	----a-w	c:\windows\system32\drivers\srv.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-08-28 13:57 9216 c:\windows\system32\avgwlntf.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kzjecq.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
 
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{102dc251-6661-4165-9df4-e666117d3bf1} - c:\windows\system32\kzjecq.dll
BHO-{E9C4A4A8-B3B5-461C-B076-043CA33A385E} - c:\windows\system32\cbXQgFxW.dll
 
 
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
mStart Page = hxxp://www.dell.com
LSP: c:\windows\system32\avgfwafu.dll
FF - ProfilePath - 
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 07:55:14
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgwlntf.dll
 
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\avgfwafu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgfwsrv.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-02-10  7:58:25 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-10 15:58:23
 
Pre-Run: 30,592,335,872 bytes free
Post-Run: 30,632,595,456 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
 
164	--- E O F ---	2009-01-15 02:50:51


Question by:b0lsc0tt
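As an added example (it is not part of the original question or of any answer, and it is not ComboFix's own code), here is a small Python checker for the kind of follow-up the question asks about: it reads the sections of a ComboFix log, collects the file names listed under "Other Deletions" and "ORPHANS REMOVED", reports any of those names still appearing under "Reg Loading Points", lists every AppInit_DLLs value ComboFix printed (ComboFix shows only non-default entries, and AppInit_DLLs together with BHOs was a common Vundo/Virtumonde load point), and notes whether the Windows Firewall standard profile is disabled. The embedded sample is a trimmed copy of the log posted above; the regular expressions for the section banners are my assumptions about ComboFix's layout, tuned to this log rather than to every ComboFix version. Against the log above it flags the `"AppInit_DLLs"=kzjecq.dll` value, which names a DLL ComboFix also deleted, as an entry to confirm is gone in a fresh log after reboot, and it flags `"EnableFirewall"= 0`.

```python
import re

# Constructed excerpt: a trimmed copy of the ComboFix log posted above,
# reduced to the sections these checks read.
SAMPLE_LOG = r"""
(((((((((((((((((((((   Other Deletions   )))))))))))))))))))))
.

c:\windows\system32\1\
c:\windows\system32\cbXQgFxW.dll
c:\windows\system32\kzjecq.dll
c:\windows\system32\oxkqiber.ini

.
(((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kzjecq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -

BHO-{102dc251-6661-4165-9df4-e666117d3bf1} - c:\windows\system32\kzjecq.dll
BHO-{E9C4A4A8-B3B5-461C-B076-043CA33A385E} - c:\windows\system32\cbXQgFxW.dll
.
------- Supplementary Scan -------
.
"""

# Assumed banner shapes: "((((  Name  ))))", "- - - - NAME - - - -", "---- Name ----".
HEADER_RE = re.compile(r"^[-( ]+([A-Za-z][^()]*?)[-) ]+$")
WIN_PATH_RE = re.compile(r'[a-z]:\\[^\s"\[\]]+', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
APPINIT_RE = re.compile(r'"AppInit_DLLs"\s*=\s*(\S+)')


def parse_sections(text):
    """Split a ComboFix log into {section name (lower-case): [lines]}."""
    sections = {"preamble": []}
    current = "preamble"
    for line in text.splitlines():
        m = HEADER_RE.match(line.rstrip())
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def deleted_file_names(sections):
    """Lower-cased base names of files reported deleted or orphan-removed."""
    names = set()
    for key in ("other deletions", "orphans removed"):
        for line in sections.get(key, []):
            for path in WIN_PATH_RE.findall(line):
                base = path.rsplit("\\", 1)[-1]
                if "." in base:  # skip directories such as system32\1\
                    names.add(base.lower())
    return names


def residual_references(sections, deleted):
    """Reg Loading Points lines that still name a deleted file."""
    hits = []
    for line in sections.get("reg loading points", []):
        low = line.lower()
        for name in sorted(deleted):
            if name in low:
                hits.append((name, line.strip()))
    return hits


def appinit_dlls(sections):
    """Every AppInit_DLLs value ComboFix listed; any value deserves review."""
    lines = sections.get("reg loading points", [])
    return [m.group(1) for m in map(APPINIT_RE.search, lines) if m]


def firewall_disabled(sections):
    """True when the standard-profile firewall policy is EnableFirewall=0."""
    return any(FIREWALL_OFF_RE.search(l) for l in sections.get("reg loading points", []))


def review_log(text):
    sections = parse_sections(text)
    deleted = deleted_file_names(sections)
    return {
        "deleted": deleted,
        "residual": residual_references(sections, deleted),
        "appinit_dlls": appinit_dlls(sections),
        "firewall_disabled": firewall_disabled(sections),
    }


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    print("deleted files:", ", ".join(sorted(report["deleted"])))
    for name, line in report["residual"]:
        print(f"STILL REFERENCED after deletion: {name} -> {line}")
    for val in report["appinit_dlls"]:
        print(f"REVIEW AppInit_DLLs value: {val}")
    if report["firewall_disabled"]:
        print("Windows Firewall standard profile is disabled (EnableFirewall=0)")
```

A hit under "residual" does not by itself mean the machine is still infected, since ComboFix writes the registry listing before its reboot; it means that specific load point should be checked again in a post-reboot log rather than assumed clean.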
4 Comments
 
LVL 27

Accepted Solution

by:
David-Howard earned 2000 total points
ID: 23602139
It looks like Combofix did the job. I don't see anything in your log file.
For future reference you may want to have Malwarebytes on your system as well.
It's free, reliable and you can get it from www.malwarebytes.org
Just remember to update your antimalware/virus suites and reboot into Safe Mode for any future scans.
David
 
LVL 27

Expert Comment

by:David-Howard
ID: 23602148
FYI: Vundo information and removal procedures.
http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde
(Just in case your system gets Vundo again.)
 
LVL 54

Author Comment

by:b0lsc0tt
ID: 23628795
Thanks for the response.  Machine seems good now and I appreciate you confirming the log was clean.
bol
 
LVL 54

Author Closing Comment

by:b0lsc0tt
ID: 31545091
Thanks for the help!
