Unsolved

May 26th, 2008 02:00

Removing avc23.exe

This malware is making problems during Windows Vista Business logon.

Sometimes it takes a long time to show the desktop, it shows "A program can't display a message on your desktop", and it changes my partition icons to an ugly folder, and whatever else it does.

If I remove it from Linux, my Windows does not open ANY program and can't execute ANYTHING.

I've been trying to remove this for some time; I reinstalled Windows 3 times (yes, 3 times) and it just comes back!

Please Help me!


Combofix log:

ComboFix 08-05-25.3 - Mihira 2008-05-25 23:47:23.1 - NTFSx86
Running from: D:\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 02:34 --------- d-----w C:\Program Files\Trend Micro
2008-05-26 01:40 --------- d-----w C:\Program Files\Alwil Software
2008-05-26 00:24 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-05-25 23:38 --------- d-----w C:\Program Files\Dell
2008-05-25 22:31 --------- d-----w C:\Users\Mihira\AppData\Roaming\Ventrilo
2008-05-25 22:29 --------- d-----w C:\Program Files\Ventrilo
2008-05-25 22:24 --------- d-----w C:\Users\Mihira\AppData\Roaming\Skype
2008-05-25 22:00 --------- d-----w C:\Users\Mihira\AppData\Roaming\skypePM
2008-05-25 21:57 --------- d-----w C:\ProgramData\Skype
2008-05-25 21:57 --------- d-----w C:\Program Files\Skype
2008-05-25 16:07 --------- d-----w C:\Users\Mihira\AppData\Roaming\ESET
2008-05-25 16:05 --------- d-----w C:\ProgramData\ESET
2008-05-23 23:54 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-23 23:51 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-05-23 23:51 229,888 ----a-w C:\Windows\System32\msshsq.dll
2008-05-23 23:44 --------- d-----w C:\Program Files\Gravity
2008-05-23 23:41 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-23 17:10 --------- d-----w C:\Users\Mihira\AppData\Roaming\Media Player Classic
2008-05-23 17:10 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-05-22 14:52 --------- d-----w C:\Users\Mihira\AppData\Roaming\Subversion
2008-05-22 01:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 00:09 --------- d-----w C:\Program Files\Foxit Software
2008-05-21 22:57 --------- d-----w C:\Program Files\MSBuild
2008-05-21 22:57 --------- d-----w C:\Program Files\Microsoft Works
2008-05-21 22:56 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-21 22:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-05-21 22:06 174 --sha-w C:\Program Files\desktop.ini
2008-05-21 22:01 --------- d-----w C:\Program Files\Windows Sidebar
2008-05-21 22:01 --------- d-----w C:\Program Files\Windows Mail
2008-05-21 22:01 --------- d-----w C:\Program Files\Windows Defender
2008-05-21 22:01 --------- d-----w C:\Program Files\Windows Calendar
2008-05-21 21:44 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-05-21 21:44 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-05-21 21:44 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-05-21 21:42 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-05-21 21:42 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-05-21 21:41 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-05-21 21:41 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-05-21 21:39 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-05-21 21:39 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-05-21 21:38 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-05-21 21:37 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-05-21 21:37 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-05-21 21:37 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-05-21 21:37 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-05-21 21:37 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-05-21 21:36 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-05-21 21:36 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-05-21 21:36 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-05-21 21:36 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-05-21 21:36 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-05-21 21:36 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-05-21 21:36 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-05-21 21:36 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-05-21 21:36 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-05-21 21:35 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-05-21 21:35 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-05-21 21:35 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-05-21 21:35 25,656 ----a-w C:\Windows\system32\drivers\msahci.sys
2008-05-21 21:35 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-05-21 21:35 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-05-21 21:35 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-05-21 21:35 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-05-21 21:35 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-05-21 21:34 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-05-21 21:34 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-05-21 21:34 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-05-21 21:33 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2008-05-21 21:33 8,704 ----a-w C:\Windows\System32\hccoin.dll
2008-05-21 21:33 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2008-05-21 21:33 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2008-05-21 21:33 23,040 ----a-w C:\Windows\system32\drivers\usbuhci.sys
2008-05-21 21:33 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2008-05-21 21:33 192,000 ----a-w C:\Windows\system32\drivers\usbhub.sys
2008-05-21 21:32 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-05-21 21:32 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-05-21 21:32 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-05-21 21:32 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-05-21 21:32 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-05-21 21:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-05-21 21:29 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2008-05-21 21:28 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2008-05-21 21:28 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2008-05-21 21:28 2,048 ----a-w C:\Windows\System32\asferror.dll
2008-05-21 21:28 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-05-21 21:27 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2008-05-21 21:27 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2008-05-21 21:27 39,936 ----a-w C:\Windows\System32\slcinst.dll
2008-05-21 21:27 351,232 ----a-w C:\Windows\System32\SLUI.exe
2008-05-21 21:27 33,280 ----a-w C:\Windows\System32\slwmi.dll
2008-05-21 21:27 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-05-21 21:27 268,288 ----a-w C:\Windows\System32\mcbuilder.exe
2008-05-21 21:27 223,232 ----a-w C:\Windows\System32\SLC.dll
2008-05-21 21:27 2,605,568 ----a-w C:\Windows\System32\SLsvc.exe
2008-05-21 21:27 186,368 ----a-w C:\Windows\System32\SLLUA.exe
2008-05-21 21:26 2,048 ----a-w C:\Windows\System32\msxml6r.dll
2008-05-21 21:26 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2008-05-21 21:24 84,480 ----a-w C:\Windows\System32\INETRES.dll
2008-05-21 21:24 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2008-05-21 21:24 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-01 12:29 73,728 --sha-r C:\Windows\System32\avc23.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-02-15 09:41 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-02-15 09:41 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-02-15 09:41 133656]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2007-12-08 14:34 3444736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2008-02-22 17:01:38 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3868862581-77112850-3194157550-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2BEE5994-0B77-4026-AE4C-32240FE67017}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{6F7EF1AC-6216-46B7-B875-B3D7C88BE0B7}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{25991277-C98B-43AF-86EA-D663833D15F4}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{CE33E9A7-06A2-4723-8FB8-7439F39259C6}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BDCAE226-3EA1-4A3D-9A23-DEF026364EBF}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DB477CA7-AF3C-4B79-B4C5-79E36D3BD24E}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-01-02 16:48]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;C:\Windows\system32\drivers\IntcHdmi.sys [2007-06-06 23:21]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-17 10:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS B FE mpssvc
GPSvcGroup REG_MULTI_SZ GPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a4d18f60-2781-11dd-b209-001d094423b3}]
\shell\AutoRun\command - F:\avc23.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 23:49:10
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-25 23:49:54
ComboFix-quarantined-files.txt 2008-05-26 02:49:51

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

170 --- E O F --- 2008-05-24 00:24:58

Message Edited by Mihira on 05-25-2008 10:25 PM
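The ComboFix log above already contains the reinfection chain: an Autorun.inf at the root of D:, a MountPoints2 AutoRun command pointing at F:\avc23.exe, a hidden/system/read-only avc23.exe dropped into System32, and UAC switched off (EnableLUA=0). As an added example that is not part of the post and not ComboFix's own code, here is a small Python triage that flags those indicators in ComboFix-style log lines; the sample lines are copied from the log above, and the regexes are my assumptions about the log layout.

```python
import re

# Constructed sample: a few lines copied from the ComboFix log in the post above.
SAMPLE_LOG = """\
D:\\Autorun.inf
2008-05-21 21:24 537,600 ----a-w C:\\Windows\\AppPatch\\AcLayers.dll
2008-02-01 12:29 73,728 --sha-r C:\\Windows\\System32\\avc23.exe
"EnableLUA"= 0 (0x0)
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{a4d18f60-2781-11dd-b209-001d094423b3}]
\\shell\\AutoRun\\command - F:\\avc23.exe
"""

# Assumed layout of a Find3M file line: date time size attrs path
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+([\d,]+)\s+(\S+)\s+(.+)$")
AUTORUN_CMD_RE = re.compile(r"^\\shell\\AutoRun\\command - (.+)$", re.IGNORECASE)
AUTORUN_INF_RE = re.compile(r"^[A-Z]:\\Autorun\.inf$", re.IGNORECASE)
LUA_RE = re.compile(r'^"EnableLUA"=\s*0\b')


def triage(log_text):
    """Return (reason, evidence) pairs for log lines that deserve a closer look."""
    findings = []
    current_key = None  # registry key whose values are currently being listed
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(2), m.group(3)
            # hidden + system on an .exe inside System32 is a classic way a dropped
            # file hides from Explorer's default view
            if "h" in attrs and "s" in attrs and path.lower().endswith(".exe") \
                    and "\\system32\\" in path.lower():
                findings.append(("hidden+system executable in System32", path))
            continue
        m = AUTORUN_CMD_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            # Explorer re-runs this when the matching removable drive is plugged in,
            # which is why a reinstall alone does not get rid of the infection
            findings.append(("removable-media AutoRun command (MountPoints2)", m.group(1)))
            continue
        if AUTORUN_INF_RE.match(line):
            findings.append(("Autorun.inf at drive root", line))
        elif LUA_RE.match(line):
            findings.append(("UAC disabled (EnableLUA=0)", line))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"{reason}: {evidence}")
```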

May 26th, 2008 02:00

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:05:49, on 26/05/2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\WLTRAY.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 3898 bytes

Please help me guys!! 
