WinAvXX and printer.exe Trojan

Avast Free Antivirus / Premium Security
1

Hello,

Every time my PC starts These two things start to bother me. there are located in
C:\Windows\system32

There is a file “WinAvXX.exe” and “printer.exe”

I tried to scan the folder using Avast 4.7 home edition. It doesn’t detect the Files as Virus/Trojan.

This has happened to me a few times. Avast doesn’t detect these things so doesn’t remove them.

This is what the log file (of the scan) contains

C:\Documents and Settings\Home\Local Settings\Temp~DF4E0E.tmp… file could not be scanned!
C:\Documents and Settings\Home\Local Settings\Temp~DF4E14.tmp… file could not be scanned!
C:\Documents and Settings\Home\Local Settings\Temp~DFB98C.tmp… file could not be scanned!
C:\Documents and Settings\Home\Local Settings\Temp~DFB992.tmp… file could not be scanned!
C:\Documents and Settings\Home\Local Settings\Temp\Perflib_Perfdata_26c.dat… file could not be scanned!

Can Anyone tell me what do do.

2

Oh…

Hmm… try to send some copy to virus@avast.com
using yahoo mail or any e-mail sending site…

attach the file… on the message…

but try to zip the malicious file before sending…

Avast! will examine that file… and within a week, if it is a virus or threat Alwil will release some
VPS updates…

TRUST ME… ;D ;D ;D

again…

  1. COPY THE SUSPECTED FILE
  2. ZIP THE FILE
  3. SEND IT TO virus@avast.com (Thru YAHOO MAIL or anything)
  4. Wait for the updates (For my issue, Alwil release VPS after 2 days from the day i send the file)
  5. SCAN
  6. DELETE THE FILE if necessary… OR MOVE IT TO THE CHEST… ;D
  7. SMILE ;D ;D ;D

REMINDERS: MAKE SURE THAT THE AVAST! TEAM KNOWS THAT YOU SEND SOME FILES.

Thank’s.

JK

3

If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

  1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again after step 3.

  2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

  4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
    If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.

  5. If you still detecting any strange behavior or even you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG, Panda and/or F-Secure BlackLight.

  6. Also, if you still detecting strange behaviors or you want to be sure you’re clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

  7. After you’re clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

4

They are both Trojans that go under various names Zip and password to Avast as previously stated then

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

5

@ maqmo254
Before dealing with these try to send a sample to avast so that they might be added to the detections.

If you are not getting a virus warning that you believe is a new, undetected virus then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest (after adding it to the User Files section of the chest).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

@ essexboy you might want to add a little bit about sending undetected sample to avast in your script.

6

I did DavidR however it was tucked at the top. However, from now on I will make that section bold. I can see where you are coming from

e.g They are both Trojans that go under various names Zip and password to Avast as previously stated then it should stand out a bit more… Thanks ;D

7

Dhoo, missed that ;D

8

I downloaded and ran Hijack this. This is the content of the Log file.
I had earlier downloaded and ran AVG Anti-Spyware. It removed both the files successfully. But I have a new problem now. When I started my PC this morning while windows XP was loading, I got errors like " The file printer.exe does not exist.". And the error was also showing the previous location of the files.
It is like windows is trying to run those file every time it start/reboots.
I wanted to remove some softwares and tried to open CONTROL PANEL. but it was not there.
I tried to use the cammand prompt to do so. I get an error “The operation has been canceled due to restrictions on this computer. Please contact your system administrator”.
I was surprised as the PC I am using has only one user and that is me. There are no other user besides me.

I am not able to perform any system administration tasks such as running and stopping the services, changing the time etc. I get the same error every time.

Should I contact my Internet service provider for help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:09 AM, on 8/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\System32\printer.exe
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,userinit.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip..{0B8E8A77-CBA0-48B0-A89A-8F8C0E0E2BB5}: NameServer = 172.11.0.1
O17 - HKLM\System\CS1\Services\Tcpip..{0B8E8A77-CBA0-48B0-A89A-8F8C0E0E2BB5}: NameServer = 172.11.0.1
O17 - HKLM\System\CS2\Services\Tcpip..{0B8E8A77-CBA0-48B0-A89A-8F8C0E0E2BB5}: NameServer = 172.11.0.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ServiceLayer - Nokia. - E:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe


End of file - 3349 bytes

9
Should I contact my Internet service provider for help.
No they can do nothing

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. [b]

F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\System32\printer.exe
F2 - REG:system.ini: UserInit=E:\WINDOWS\system32\userinit.exe,userinit.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

[/b]Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

NOW

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix’s window while its running. That may cause it to stall

I will look at restoring your tools once the initial clean up is done

10

So here we are over a month later and AVAST is still unable to pick up this virus. I just spent 2 hours cleaning a machine with this virus which included using a barts disk with another cleaner on it and then using a tool called combofix to restore the registry entries.

At no point is AVAST picking up these files (there are actually 3 of them - autorun.exe, printer.exe and the winavxx.exe)

Be nice to have some confidence in AVAST as this virus appears to have come out quite a while ago.

11

Shame… Hope virus analysts give some priority to this…
Have you sent these files for analysis?

12

Anyone know if this has been resolved yet? It appears I may yet again get the pleasure of trying to clean this POS from another system with AVAST installed.

13

Isn’t avast detecting this virus (yet)?

14

This infection also gets past Kaspersky - Norton - McAfee - AVG to name just a few that I have dealt with recently