Very weird Virus, would like some help please

cabby

New Member
Computer got a virus that keeps popping up. Trojan Horse PSW.generic7.AXHO

It says it's in the Windows/Temp folder. I delete it and 5 minutes later there is a new one in the same place. HijackThis found nothing, used Malwarebytes as well. And of course AVG. I'm baffled and totally lost on this one.
 
Run HJT again and post a fresh log. Next direct this thread to the attention of Johnb35. He's the best on the forum for deciphering these logs.

I would help you myself, but I'm not very good at reading the HJT logs.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:06 AM, on 12/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www.youhide.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165794950288
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 6461 bytes

Malwarebytes' Anti-Malware 1.42
Database version: 3362
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/15/2009 9:32:31 AM
mbam-log-2009-12-15 (09-32-31).txt

Scan type: Quick Scan
Objects scanned: 98949
Time elapsed: 14 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
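An added example, not from this thread or from HijackThis itself, that scans HJT log lines for items a log reader normally checks by hand: any R0/R1 browser proxy setting (worth verifying whenever a browser is being redirected) and O23 services with an unknown owner or a missing binary. The sample lines are copied from the log above; the flags are review heuristics I am assuming here, not a verdict on those entries.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www.youhide.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HJT item is "<section> - <body>", e.g. "R1 - ..." or "O23 - ...".
ITEM_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HJT item line; other lines are skipped."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def review(text):
    """Flag items a reviewer normally checks by hand (assumed heuristics, not a
    verdict): any browser proxy setting, and O23 services whose publisher is
    unknown or whose binary is missing."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("R0", "R1") and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            findings.append((sec, "proxy configured", value))
        elif sec == "O23" and body.startswith("Service: "):
            # Body layout: "Service: <name> - <owner> - <path>"
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) != 3:
                continue
            name, owner, path = parts
            if owner == "Unknown owner":
                findings.append((sec, "unknown owner", name))
            if path.endswith("(file missing)"):
                findings.append((sec, "file missing", name))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in review(SAMPLE_LOG):
        print(f"{sec:4} {reason:16} {detail}")
```

Run it against a full saved HJT log by reading the file into `review()`; an "unknown owner" service is not malicious by itself (the Belkin and TVersity services above are also unsigned), so each flag is a prompt to look the entry up, not a removal instruction.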
 
I just tried to search for ComboFix and when I tried to go to their page my browser popped some kind of weird search thing up. I'm no longer getting virus notifications from AVG but can't use IE search functions. It always sends me to another page.
 
Your log shows no infections, but if you are still getting popups from AVG saying you are infected then we need to look further. However, the program you need to run is not available at the moment; it's getting fixed. You need to run ComboFix and post the log that it displays at the end. Follow the instructions and get the download here.


http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Don't try to download it yet, and only click on the Bleeping Computer link on that page. The ForoSpyware one is not showing the right size as of now.

In the meantime, have you run CCleaner to clean your system of old temp files and such? Get it here.

http://download.cnet.com/ccleaner/

I will post back when ComboFix is available for download.

Also try downloading and running SuperAntiSpyware.

http://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=mncol
 
Download ComboFix, download ATF Cleaner, download Malwarebytes.

Disconnect your PC from the network so you are NOT connected to the internet.
Run ComboFix first,
then run ATF Cleaner,
and last run Malwarebytes.

Reboot the PC and you should be good to go.
Let me know if this helped, good luck.
 
Hjt

First off, is your A/V working yet? And do you think you are still infected, why or why not?

I'm just going to jump right into it:
Ok, I saw a few things I want to mention. You have the Java updater running, I'd disable it in the Java program window and in msconfig. All you have to do then is just check for updates manually. It eliminates one process from running all the time needlessly.

I would recommend you download SuperAntiSpyware for some extra removal success. This is a good program that functions much like Malwarebytes, but can catch some items that other programs miss. S.A.S. won't interfere with your A/V, so no worries. Download it now if possible while in normal boot mode, see the bottom of this post for the link.

The other is that TEMP file "virus"; sometimes my A/V comes back with that stuff saying it's a virus. It usually isn't, it's just a temp file that looks like a horrible problem, kind of like tracking cookies (they aren't good, but they aren't death). Now I'm not going to say it's not harmful, but as a first shot try and go to safe mode with networking and update, then run CCleaner and see if you can clean your temp, cookie, etc. folders. But stay in safe mode and keep reading...

(As an aside, I'd also mention these few bits. Since you are using Internet Explorer, I would also go to I.E. and in internet options go to the Advanced tab and under browsing check-mark the box for I.E. to "Close Unused Folders in History and Favorites". Also under security check-mark the "Empty Temporary Files folder when browser is closed".)

While still in safe mode with networking, update Malwarebytes and your A/V after running CCleaner. Then run the virus removal tools and your A/V, but don't run both at the same time. I would recommend that you run your A/V program first then run Malwarebytes and then run SuperAntiSpyware. One after the other, not all at the same time.

If you want it there is also the Microsoft Malicious Software Removal Tool; it is open to anyone running Windows. It works with nearly any version of Windows back to Win2000. This normally comes monthly with Windows updates, but it's also available anytime. You can just download it and it will run in the background, and other programs shouldn't interfere with it running. BUT as with all virus removal tools, they do work better if nothing else is being done at the same time.

Now I am going to side-track and mention that if you are going into safe mode, that is not the time to be going online to check mail or do lots of other activities. Just what has to be done online and only to sites that are safe. If possible, already have the programs necessary for repair downloaded and ready to use, and if necessary a printout of any forum topics that may be needed while working. This will allow working fast and efficiently while in safe mode, because safe mode is not the place to relax and play. (IMO, no offense intended)

If you need the links to any of those tools I have mentioned, I am including them here for anyone who wants to have them.

CCleaner from Piriform Ltd.: http://www.piriform.com/

MalwareBytes from MalwareBytes Corp.: http://www.malwarebytes.org/

Super AntiSpyware from SUPERAntiSpyware.com: http://www.superantispyware.com/company.html

Malicious Software Removal Tool from Microsoft Corp: http://www.microsoft.com/security/malwareremove/default.aspx

As reassurance, I don't suggest tools I myself don't have or methods of repair I haven't tried. I have dealt with malicious objects before, and these tools and methods have worked for me. However, I cannot guarantee success since I am not there to see the problem first hand and to understand the full details and dynamics of your problem.
 