• Status: Solved
  • Priority: Medium
  • Security: Public

AVG found Vundo (and 2 others), ComboFix run and included

I have a machine with AVG (7.5).  It reported Vundo.ER (2 files), BHO.HJE, and SHeur2.PPQ as file threats and deleted them.  I downloaded and ran ComboFix.  It seemed to go fine and run successfully.  The resulting log file is in the snippet below.

Anything left or anything else I should do as far as testing, etc?  Let me know if you have a question or need more info.

bol

p.s.  I might not be real fast in responding and can only get on that machine at certain times of the day so sorry (in advance) for any delays.

ComboFix 09-02-08.02 - Administrator 2009-02-10  7:51:55.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2046.1557 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: AVG Firewall 7.5.500 *disabled*
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system32\1\
c:\windows\system32\2\
c:\windows\system32\3\
c:\windows\system32\cbXQgFxW.dll
c:\windows\system32\ddcBRjKd.dll
c:\windows\system32\kzjecq.dll
c:\windows\system32\oxkqiber.ini
c:\windows\system32\rebiqkxo.dll
c:\windows\system32\rqRIyWmK.dll
c:\windows\system32\saxwrwfm.dll
c:\windows\system32\WxFgQXbc.ini
c:\windows\system32\WxFgQXbc.ini2
 
.
(((((((((((((((((((((((((   Files Created from 2009-01-10 to 2009-02-10  )))))))))))))))))))))))))))))))
.
 
2009-02-10 07:36 . 2009-02-10 07:36	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-02-10 07:35 . 2009-02-10 07:35	<DIR>	d--------	c:\documents and settings\Administrator\Application Data\AVG7
2009-02-09 09:55 . 2009-02-09 17:18	<DIR>	d--------	C:\08MASCAN
2009-02-06 14:06 . 2009-02-06 19:09	<DIR>	d--------	C:\08hiscan
2009-02-04 15:30 . 2009-02-04 15:30	<DIR>	d--------	C:\03DATA1
2009-02-04 15:29 . 2009-02-04 15:29	<DIR>	d--------	C:\heatherforms
2009-02-04 15:19 . 2009-02-04 15:32	<DIR>	d--------	C:\03data
2009-02-04 09:50 . 2009-02-04 10:08	<DIR>	d--------	C:\08mtelf
2009-02-03 09:48 . 2009-02-03 10:04	6,148	--a------	c:\windows\system32\DE_Est-2.prn
2009-02-03 09:48 . 2009-02-03 10:04	5,124	--a------	c:\windows\system32\DE_Est-1.prn
2009-02-03 09:00 . 2009-02-03 09:46	15,364	--a------	c:\windows\system32\DE_NR-1.prn
2009-02-03 09:00 . 2009-02-03 09:46	12,548	--a------	c:\windows\system32\DE_NR-2.prn
2009-02-03 09:00 . 2009-02-03 09:46	12,036	--a------	c:\windows\system32\DE_res-2.prn
2009-02-03 09:00 . 2009-02-03 09:46	8,964	--a------	c:\windows\system32\DE_res-3.prn
2009-02-03 09:00 . 2009-02-03 09:47	4,356	--a------	c:\windows\system32\DE_NR-3.prn
2009-02-03 08:59 . 2009-02-03 09:45	15,364	--a------	c:\windows\system32\DE_res-1.prn
2009-02-02 16:19 . 2009-02-02 16:20	<DIR>	d--------	C:\08WPtnr
2009-02-02 16:10 . 2009-02-02 16:11	<DIR>	d--------	C:\08WCorp
2009-01-29 08:10 . 2009-01-29 09:01	5,192	--a------	c:\windows\system32\PA-40pg2.prn
2009-01-29 08:10 . 2009-01-29 08:47	4,486	--a------	c:\windows\system32\PA-40pg1.prn
2009-01-28 11:54 . 2009-01-29 11:59	<DIR>	d--------	C:\08NJSCAN
2009-01-28 11:54 . 2009-01-28 11:54	<DIR>	d--------	C:\08NJELF
2009-01-26 19:06 . 2009-01-26 19:12	<DIR>	d--------	C:\08VAELF
2009-01-22 09:06 . 2009-01-22 09:06	6,660	--a------	c:\windows\system32\MT2441M.prn
2009-01-22 09:05 . 2009-01-22 09:05	8,708	--a------	c:\windows\system32\MT2-8.prn
2009-01-22 09:05 . 2009-01-22 09:05	8,708	--a------	c:\windows\system32\MT2-5.prn
2009-01-22 09:05 . 2009-01-22 09:05	7,940	--a------	c:\windows\system32\MT2-7.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-6.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-4.prn
2009-01-22 09:05 . 2009-01-22 09:05	6,916	--a------	c:\windows\system32\MT2-3.prn
2009-01-22 09:05 . 2009-01-22 09:05	3,076	--a------	c:\windows\system32\MT2-9.prn
2009-01-22 09:04 . 2009-01-22 09:04	14,084	--a------	c:\windows\system32\MT2-1.prn
2009-01-22 09:04 . 2009-01-22 09:04	11,012	--a------	c:\windows\system32\MT2-2.prn
2009-01-22 08:35 . 2009-02-09 18:38	<DIR>	d--------	C:\08MTSCAN
2009-01-20 09:11 . 2009-02-03 14:57	<DIR>	d--------	C:\08VASCAN
2009-01-14 18:12 . 2009-01-27 14:37	<DIR>	d--------	C:\08nyelf
2009-01-14 13:36 . 2009-01-14 15:20	<DIR>	d--------	C:\08gascan
2009-01-12 18:55 . 2009-01-12 19:00	<DIR>	d--------	C:\08mdelf
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-10 03:20	---------	d-----w	c:\documents and settings\Dave\Application Data\AVG7
2009-02-10 03:11	---------	d-----w	c:\program files\Mozilla Thunderbird
2009-02-07 03:40	3,578	----a-w	C:\BACKSAFE.BAT
2009-01-15 02:50	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-10 02:29	---------	d-----w	c:\program files\Wise
2009-01-06 17:46	---------	d-----w	c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-16 00:26	82	----a-w	C:\GL.BAT
2008-12-11 11:57	333,184	----a-w	c:\windows\system32\drivers\srv.sys
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-24 219136]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-08-28 13:57 9216 c:\windows\system32\avgwlntf.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kzjecq.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
 
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-03-17 65536]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{102dc251-6661-4165-9df4-e666117d3bf1} - c:\windows\system32\kzjecq.dll
BHO-{E9C4A4A8-B3B5-461C-B076-043CA33A385E} - c:\windows\system32\cbXQgFxW.dll
 
 
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070802
mStart Page = hxxp://www.dell.com
LSP: c:\windows\system32\avgfwafu.dll
FF - ProfilePath - 
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-10 07:55:14
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\avgwlntf.dll
 
- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\avgfwafu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgfwsrv.exe
c:\program files\Grisoft\AVG7\avgcc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2009-02-10  7:58:25 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-10 15:58:23
 
Pre-Run: 30,592,335,872 bytes free
Post-Run: 30,632,595,456 bytes free
 
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
 
164	--- E O F ---	2009-01-15 02:50:51
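One way to triage a log like the one above, as an added illustration that is not part of the original post and not ComboFix's own code: cross-check every line under Reg Loading Points against the file names under Other Deletions, so that an autostart value which still names a removed file stands out, and call out known-weak settings such as "EnableFirewall"= 0. On the excerpt below (constructed from lines of the posted log) it flags the AppInit_DLLs value, which still names kzjecq.dll although that DLL is listed under Other Deletions; the BHO lines under ORPHANS REMOVED are registrations ComboFix already deleted, so they are left alone. The section banners, line layouts and the file-extension list are assumptions taken from the posted log.

```python
"""Cross-check a ComboFix log's Reg Loading Points against its Other Deletions.

Added illustration for the thread above; not ComboFix code and not from the
original post.  Section banners and line layouts follow the posted log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: lines copied from the ComboFix log posted above,
# cut down to the three sections this check reads.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cbXQgFxW.dll
c:\windows\system32\kzjecq.dll
c:\windows\system32\WxFgQXbc.ini

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2007-08-28 13:57 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=kzjecq.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
- - - - ORPHANS REMOVED - - - -

BHO-{102dc251-6661-4165-9df4-e666117d3bf1} - c:\windows\system32\kzjecq.dll
"""

# Section banners come in two shapes: "(((  Name  )))" and "- - - - NAME - - - -".
HEADER_RE = re.compile(r"^(?:\(+\s*(?P<paren>.+?)\s*\)+|- - - - (?P<dash>.+?) - - - -)\s*$")
# File names worth cross-referencing (the extension list is an assumption).
FILE_RE = re.compile(r"[\w~$.-]+\.(?:dll|exe|sys|ini|bat|scr|cpl|ocx)\b", re.I)
# "EnableFirewall"= 0 under a firewall profile key means that profile is off.
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


@dataclass
class Finding:
    kind: str      # "dangling-loading-point" or "weak-setting"
    location: str  # registry key the line sits under
    detail: str


def split_sections(log_text):
    """Map each banner title to the non-empty lines beneath it."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = (m.group("paren") or m.group("dash")).strip()
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def deleted_basenames(sections):
    """Lower-cased file names ComboFix reports under Other Deletions."""
    names = set()
    for path in sections.get("Other Deletions", []):
        base = path.rstrip("\\").rsplit("\\", 1)[-1]
        if "." in base:  # skip bare directories such as system32\1\
            names.add(base.lower())
    return names


def loading_point_entries(sections):
    """Yield (registry key, value line) pairs from Reg Loading Points."""
    key = "(no key)"
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            yield key, line


def analyze(log_text):
    """Report loading points that still name a deleted file, plus weak settings.

    ORPHANS REMOVED lines are registrations ComboFix already deleted and are
    deliberately not reported; only entries that are still present matter.
    """
    sections = split_sections(log_text)
    deleted = deleted_basenames(sections)
    findings = []
    for key, line in loading_point_entries(sections):
        for name in FILE_RE.findall(line):
            if name.lower() in deleted:
                findings.append(Finding("dangling-loading-point", key,
                                        f"{line!r} still names {name}, listed under Other Deletions"))
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("weak-setting", key,
                                    "EnableFirewall=0: Windows Firewall is off for this profile"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.location}\n    {f.detail}")
```

Run as a script it prints two findings for the excerpt. The AppInit_DLLs one is the item to confirm in the registry after a cleanup: on XP that value is loaded into every process that maps user32.dll, so even though the DLL itself is gone the stale entry should be cleared, and it is exactly the kind of leftover a quick read of the log can miss. The firewall finding matches the header of the log, which shows the AVG firewall disabled as well.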

Asked by: b0lsc0tt

1 Solution
 
David-Howard commented:
It looks like Combofix did the job. I don't see anything in your log file.
For future reference you may want to have Malwarebytes on your system as well.
It's free, reliable and you can get it from www.malwarebytes.org
Just remember to update your antimalware/virus suites and reboot into Safe Mode for any future scans.
David
 
David-Howard commented:
FYI: Vundo information and removal procedures.
http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde
(Just in case your system gets Vundo again.)
 
b0lsc0tt (IT Manager, Author) commented:
Thanks for the response.  Machine seems good now and I appreciate you confirming the log was clean.
bol
 
b0lsc0tt (IT Manager, Author) commented:
Thanks for the help!
Question has a verified solution.