Jump to content

Al Stearns

Honorary Members
  • Posts

    33
  • Joined

  • Last visited

Everything posted by Al Stearns

  1. I am glad to help and thanks for your interest!
  2. Here you go... Warmly, Al Stearns Pisgah Forest, NC USA winamp_plugin.zip
  3. Hello, Since I installed eMusic's Download Manager, once a day Malwarebytes' Anti-Malware gives me a warning box saying: "Malwarebytes' Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below." C:\program files (86)\emusic download manager\winamp_plugin.exe (Adware.BHO) Per Haider's instructions the file is attached and below is the report from VirusTotal.com: File name: winamp_plugin.exe Submission date: 2010-09-15 17:25:59 (UTC) Current status: queued (#4) queued (#4) analysing finished Result: 1/ 43 (2.3%) VT Community Antivirus Version Last Update Result AhnLab-V3 2010.09.15.01 2010.09.15 - AntiVir 8.2.4.52 2010.09.15 - Antiy-AVL 2.0.3.7 2010.09.15 - Authentium 5.2.0.5 2010.09.15 - Avast 4.8.1351.0 2010.09.15 - Avast5 5.0.594.0 2010.09.15 - AVG 9.0.0.851 2010.09.15 - BitDefender 7.2 2010.09.15 - CAT-QuickHeal 11.00 2010.09.15 - ClamAV 0.96.2.0-git 2010.09.15 - Comodo 6087 2010.09.15 - DrWeb 5.0.2.03300 2010.09.15 - Emsisoft 5.0.0.37 2010.09.15 - eSafe 7.0.17.0 2010.09.15 - eTrust-Vet 36.1.7856 2010.09.15 - F-Prot 4.6.1.107 2010.09.15 - F-Secure 9.0.15370.0 2010.09.15 - Fortinet 4.1.143.0 2010.09.15 - GData 21 2010.09.15 - Ikarus T3.1.1.88.0 2010.09.15 - Jiangmin 13.0.900 2010.09.15 - K7AntiVirus 9.63.2522 2010.09.15 - Kaspersky 7.0.0.125 2010.09.15 - McAfee 5.400.0.1158 2010.09.15 - McAfee-GW-Edition 2010.1C 2010.09.15 - Microsoft 1.6103 2010.09.15 - NOD32 5453 2010.09.15 - Norman 6.06.06 2010.09.15 - nProtect 2010-09-15.01 2010.09.15 - Panda 10.0.2.7 2010.09.15 - PCTools 7.0.3.5 2010.09.15 - Prevx 3.0 2010.09.15 - Rising 22.65.02.04 2010.09.15 - Sophos 4.57.0 2010.09.15 - Sunbelt 6879 2010.09.15 - SUPERAntiSpyware 4.40.0.1006 2010.09.15 Trojan.Agent/Gen-Haote Symantec 20101.1.1.7 2010.09.15 - TheHacker 6.7.0.0.018 2010.09.15 - TrendMicro 9.120.0.1004 2010.09.15 - TrendMicro-HouseCall 9.120.0.1004 2010.09.15 - VBA32 3.12.14.0 2010.09.15 - ViRobot 2010.8.25.4006 2010.09.15 - VirusBuster 12.65.8.0 2010.09.15 - Additional informationShow all MD5 : f4a87922cd185cde805ecebf334c56c5 SHA1 : a7198d7b65508b3d4d449be6eda0df9b5c0beb71 SHA256: 3ab21a6114a9e55d7997fce815436e705657589853c6784e58f4ccb3e5440ffd I might add that Trend Micro Internet Security 2010 does not consider this file a threat either. Warmly, Al Stearns Pisgah Forest, NC USA
  4. Hello all, Since I installed eMusic's Download Manager, once a day Malwarebytes' Anti-Malware gives me a warning box saying: "Malwarebytes' Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below." C:\program files (86)\emusic download manager\winamp_plugin.exe (Adware.BHO) Disable Protection/Ignore/Quarantine Disable Protection does not seem to be a good option. I am growing weary of clicking on ignore once a day. Quarantine works until I run eMusic's Download Manger again then MBAM gives the warning box again. Additionally, I don't think winamp_plugin would be malicious since eMusic put it on my PC with their Download Mananger and I am a paying customer. Suggestions? Is there a way to tell MBAM to always ignore (or allow) C:\program files (86)\emusic download manager\winamp_plugin.exe? Warmly, Al Stearns Pisgah Forest, NC USA
  5. Hello all, I have sold and installed 14 MBAM in the past 4 months and have had three with this problem (system becoming unresponsive upon launching of the MBAM Protection Module). What I have found: 1) Installation goes well. 2) Full system scan goes well. 3) running the Protection Module goes well. 4) Trouble free until MBAB update 2200 - ALL THREE of the problem PCs had this update installed when the problem began. I found the solution for two of the PCs were to boot into Safe Mode with Networking, run MBAM, and update beyond 2200. 5) On one of the problem PCs I talked our mutual customer through the above over the phone updating from 2200 to 2216, but this did not work as it did in the first two. I am onsite now and updated from 2216 to 2222 and the problem is gone. You may want to look closely at changes to your definitions file starting with 2200.
  6. I could use the 64-bit version of Malwarebytes' Anti-Malware as well. What is its current status? When will it be available for download? Warmly, Al Stearns Pisgah Forest, NC USA
  7. Every box is already checked - that is what I meant by "with all services and startup programs running for days (ever since AdvancedSetup told me to)." To say it another way, "Normal Startup - load all device driers and services is already selected in MSCONFIG. 1) I have come to trust MBAM as the best malware fighter out there. 2) It continues to say I have an infection and tries to delete it. 3) The PC floods the network with packets when it is connected via Ethernet. 4) I have recovered the PC from dozens of virus/malware infections about 2 weeks ago. My apologies. I will follow your instructions closely. Again my apologies. I will follow your instructions closely. I am looking at MSCONFIG right now. Normal Startup - load all device drivers and services is/has been checked. There are no unchecked boxes under the Services or Startup tabs. Understood. I have done this; the results are below. Please note per AdvancedSetup's instructions this infected PC is NOT on the network. I am using a CDR to get programs and data to the PC and using a USB drive to get data off the PC. Also per AdvancedSetup's instructions this USB drive is formatted NTFS with a read-only autorun.inf file with all rights removed from it. I have run SDFix and HiJackThis per your instructions; the results are below. ================ ComboFix 09-02-06.04 - Owner 2009-02-10 6:13:34.10 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.236 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: c:\program files\Shaw Secure\ORSP Client\fsorsp.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\winnt\system32\drivers\mrxdavv.sys c:\winnt\system32\kwave.sys . ((((((((((((((((((((((((( Files Created from 2009-01-10 to 2009-02-10 ))))))))))))))))))))))))))))))) . 2009-02-09 13:51 . 2009-02-09 14:00 <DIR> d-------- c:\program files\Security Task Manager 2009-02-09 13:51 . 2009-02-09 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan 2009-02-08 21:02 . 2009-02-09 06:35 307 --a------ c:\winnt\gmer.ini 2009-02-08 20:55 . 2009-02-08 20:55 <DIR> d--h----- c:\winnt\PIF 2009-02-05 06:13 . 2009-02-05 06:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-02-05 06:13 . 2009-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys 2009-02-05 06:12 . 2009-02-05 06:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 06:12 . 2009-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys 2009-02-01 07:01 . 2009-02-01 07:01 <DIR> d-------- c:\winnt\ERUNT 2009-01-29 15:11 . 2009-01-29 15:10 410,984 --a------ c:\winnt\system32\deploytk.dll 2009-01-29 06:55 . 2009-01-29 06:55 <DIR> d-------- c:\program files\Windows Installer Clean Up 2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-29 04:14 . 2009-02-07 21:08 <DIR> d-------- C:\AntiSpyware 2009-01-29 04:14 . 2009-01-30 21:03 <DIR> d-------- C:\AntiHijack 2009-01-28 21:43 . 2008-04-14 04:42 14,336 --a------ c:\winnt\system32\svchost.exe 2009-01-28 19:37 . 2008-04-13 20:12 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll 2009-01-28 19:37 . 2001-08-17 22:37 99,865 --a------ c:\winnt\system32\dllcache\xlog.exe 2009-01-28 19:37 . 2004-08-04 05:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls 2009-01-28 19:37 . 2001-08-17 22:37 27,648 --a------ c:\winnt\system32\dllcache\xrxftplt.exe 2009-01-28 19:37 . 2001-08-17 22:36 23,040 --a------ c:\winnt\system32\dllcache\xrxwbtmp.dll 2009-01-28 19:37 . 2008-04-13 20:12 18,944 --a------ c:\winnt\system32\dllcache\xrxscnui.dll 2009-01-28 19:37 . 2001-08-17 22:37 4,608 --a------ c:\winnt\system32\dllcache\xrxflnch.exe 2009-01-28 19:35 . 2001-08-17 13:28 794,654 --a------ c:\winnt\system32\dllcache\usr1801.sys 2009-01-28 19:34 . 2001-08-17 12:18 285,760 --a------ c:\winnt\system32\dllcache\stlnata.sys 2009-01-28 19:33 . 2001-08-17 22:36 495,616 --a------ c:\winnt\system32\dllcache\sblfx.dll 2009-01-28 19:32 . 2001-08-17 13:28 899,146 --a------ c:\winnt\system32\dllcache\r2mdkxga.sys 2009-01-28 19:31 . 2001-08-17 14:05 351,616 --a------ c:\winnt\system32\dllcache\ovcodek2.sys 2009-01-28 19:30 . 2004-08-04 05:00 1,875,968 --a------ c:\winnt\system32\dllcache\msir3jp.lex 2009-01-28 19:29 . 2004-08-04 05:00 1,158,818 --a------ c:\winnt\system32\dllcache\korwbrkr.lex 2009-01-28 19:28 . 2004-08-04 05:00 10,129,408 --a------ c:\winnt\system32\dllcache\hwxkor.dll 2009-01-28 19:27 . 2001-08-17 14:56 1,733,120 --a------ c:\winnt\system32\dllcache\g400d.dll 2009-01-28 19:26 . 2001-08-17 12:14 952,007 --a------ c:\winnt\system32\dllcache\diwan.sys 2009-01-28 19:25 . 2004-08-04 05:00 1,677,824 --a------ c:\winnt\system32\dllcache\chsbrkr.dll 2009-01-28 19:24 . 2001-08-17 14:05 314,752 --a------ c:\winnt\system32\dllcache\camdro21.sys 2009-01-28 19:23 . 2001-08-17 14:55 382,592 --a------ c:\winnt\system32\dllcache\atidrab.dll 2009-01-28 19:21 . 2001-08-17 13:28 762,780 --a------ c:\winnt\system32\dllcache\3cwmcru.sys 2009-01-28 19:20 . 2001-08-17 14:56 66,048 --a------ c:\winnt\system32\dllcache\s3legacy.dll 2009-01-28 18:44 . 2009-01-28 18:44 <DIR> d-------- c:\documents and settings\Administrator 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\usbaapl.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-09 18:53 --------- d-----w c:\program files\Logitech 2009-02-08 11:51 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-29 15:07 --------- d-----w c:\program files\Google 2009-01-26 23:58 --------- d-----w c:\program files\Common Files\Apple 2008-12-15 14:43 --------- d-----w c:\program files\MSN Messenger 2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys 2006-12-30 20:53 95,056 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2002-08-29 13:00 94,784 -csh--w c:\winnt\twain.dll 2008-04-14 00:12 50,688 --sh--w c:\winnt\twain_32.dll 2008-04-14 00:11 1,028,096 --sha-w c:\winnt\system32\mfc42.dll 2008-04-14 00:12 57,344 --sha-w c:\winnt\system32\msvcirt.dll 2008-04-14 00:12 413,696 --sha-w c:\winnt\system32\msvcp60.dll 2008-04-14 00:12 343,040 --sha-w c:\winnt\system32\msvcrt.dll 2008-04-14 00:12 551,936 --sh--w c:\winnt\system32\oleaut32.dll 2008-04-14 00:12 84,992 --sha-w c:\winnt\system32\olepro32.dll 2008-04-14 00:12 11,776 --sh--w c:\winnt\system32\regsvr32.exe . ((((((((((((((((((((((((((((( SnapShot@2009-02-08_ 8.30.52.28 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-09 02:00:54 884,736 ----a-w c:\winnt\gmer.dll + 2008-04-18 02:13:00 811,008 ----a-w c:\winnt\gmer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344] "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-07-10 155648] "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-07-10 114688] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\winnt\LOGI_MWX.EXE] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE] "GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe] c:\documents and settings\Owner\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-04-22 299008] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2002-11-25 36864] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728] QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-12-12 315392] Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2002-11-25 36864] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ICF"=2 (0x2) "FCI"=2 (0x2) "FSORSPClient"=3 (0x3) "FSMA"=2 (0x2) "FSDFWD"=3 (0x3) "FSAUA"=3 (0x3) "F-Secure Gatekeeper Handler Starter"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= --- Other Services/Drivers In Memory --- *NewlyCreated* - NMSSVC . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-10 06:21:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3143361003-3708641554-3042230386-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Other Running Processes ------------------------ . c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\winnt\system32\NMSSvc.Exe c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe c:\winnt\system32\wscntfy.exe c:\winnt\system32\msiexec.exe . ************************************************************************** . Completion time: 2009-02-10 6:28:47 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-10 11:28:43 ComboFix2.txt 2009-02-08 13:32:01 ComboFix3.txt 2009-02-08 02:26:59 Pre-Run: 26,525,282,304 bytes free Post-Run: 26,510,147,584 bytes free 191 --- E O F --- 2009-01-30 12:14:05 ================ ================ SDFix: Version 1.240 Run by Owner on Tue 02/10/2009 at 06:44 AM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix Checking Services : Restoring Default Security Values Restoring Default Hosts File Rebooting Checking Files : No Trojan Files Found Removing Temp Files ADS Check : Final Check : catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-10 06:59:39 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer" "C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd:*:Enabled:Age of Empires II Expansion" "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger" "C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe:*:Disabled:hpgs2wnf Module" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe:*:Disabled:TODO: <File description>" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe" "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe" "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe" "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader" "C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5" "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000" Remaining Files : Files with Hidden Attributes : Thu 29 Jan 2009 207 A.SHR --- "C:\BOOT.BAK" Thu 29 Aug 2002 94,784 ..SH. --- "C:\WINNT\twain.dll" Sun 13 Apr 2008 50,688 ..SH. --- "C:\WINNT\twain_32.dll" Thu 27 Jun 2002 37,615,264 A..H. --- "C:\Program Files\Online Services\AOL70US.EXE" Sun 13 Apr 2008 1,028,096 A.SH. --- "C:\WINNT\system32\mfc42.dll" Sun 13 Apr 2008 57,344 A.SH. --- "C:\WINNT\system32\msvcirt.dll" Sun 13 Apr 2008 413,696 A.SH. --- "C:\WINNT\system32\msvcp60.dll" Sun 13 Apr 2008 343,040 A.SH. --- "C:\WINNT\system32\msvcrt.dll" Sun 13 Apr 2008 551,936 ..SH. --- "C:\WINNT\system32\oleaut32.dll" Sun 13 Apr 2008 84,992 A.SH. --- "C:\WINNT\system32\olepro32.dll" Sun 13 Apr 2008 11,776 ..SH. --- "C:\WINNT\system32\regsvr32.exe" Fri 13 Dec 2002 353,217 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1A.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1B.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1C.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1D.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1E.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1F.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT20.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT21.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT22.tmp" Thu 28 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\Setup\BIT23.tmp" Sun 4 Jan 2004 84,480 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL3477.tmp" Tue 1 Jul 2008 286,208 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0668.tmp" Wed 14 Dec 2005 225,280 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3557.tmp" Finished! =============== =============== Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:10:10 AM, on 2/10/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Safe mode Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Documents and Settings\Owner\Desktop\HJT.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file) O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124652100218 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe -- End of file - 3984 bytes ================ Keeping the PC in Safe Mode, I await your further instructions.
  8. Thank you for your kind interest. My PC has been in Normal Mode with all services and startup programs runnng for days (ever since AdvancedSetup told me to). Since C:\winnt\system32\drivers\mrxdavv.sys and C:\winnt\system32\kwave.sys were in CFScript.txt and ComboFix lists them as Other Deletions, doesn't that mean they were deleted? Of course, it seems they are being recreated upon startup some how. I deleted the following by hand so as to have a close look at anything that might be causing the problem. Nothing really stood out. c:\documents and settings\Owner\settings.dat C:\ProcessMonitor.zip c:\winnt\system32\drivers\tmcomm.sys c:\winnt\system32\drivers\SymIM.sys c:\winnt\system32\drivers\GEARAspiWDM.sys (deleting this one caused my CD drive to disappear in Windows Explorer - I got it back by removing Roxio CD Creator 5) c:\program files\rgzvb.txt (contained the following text) Files to delete: C:\winnt\system32\drivers\mrxdavv.sys C:\winnt\system32\kwave.sys c:\program files\directxwebsetup.exe Folder:: c:\documents and settings\Owner\Application Data\Symantec C:\found.000 c:\documents and settings\All Users\Application Data\fssg c:\winnt\system32\ODARMFOLZB (this was not a folder it was a 32MB file) c:\documents and settings\Owner\.housecall6.6 c:\documents and settings\Administrator\Application Data\InterTrust c:\documents and settings\Administrator\Application Data\InterVideo c:\program files\IncrediMail c:\program files\hbinst Registry:: [-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] I was not sure how to do more than delete the driver files, so for good measure I ran ComboFix with your CFScript file. Driver:: tmcomm SymIM GEARAspiWDM The ComboFix results: ================ ComboFix 09-02-06.04 - Owner 2009-02-09 18:40:46.9 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.242 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\winnt\system32\drivers\mrxdavv.sys c:\winnt\system32\kwave.sys . ((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 ))))))))))))))))))))))))))))))) . 2009-02-09 13:51 . 2009-02-09 14:00 <DIR> d-------- c:\program files\Security Task Manager 2009-02-09 13:51 . 2009-02-09 13:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan 2009-02-08 21:02 . 2009-02-09 06:35 307 --a------ c:\winnt\gmer.ini 2009-02-08 20:55 . 2009-02-08 20:55 <DIR> d--h----- c:\winnt\PIF 2009-02-07 06:43 . 2009-01-30 11:30 485,902 --a------ C:\HaxFix.exe 2009-02-05 06:13 . 2009-02-05 06:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-02-05 06:13 . 2009-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys 2009-02-05 06:12 . 2009-02-05 06:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 06:12 . 2009-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys 2009-02-01 07:01 . 2009-02-01 07:01 <DIR> d-------- c:\winnt\ERUNT 2009-01-29 15:11 . 2009-01-29 15:10 410,984 --a------ c:\winnt\system32\deploytk.dll 2009-01-29 06:55 . 2009-01-29 06:55 <DIR> d-------- c:\program files\Windows Installer Clean Up 2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-29 04:14 . 2009-02-07 21:08 <DIR> d-------- C:\AntiSpyware 2009-01-29 04:14 . 2009-01-30 21:03 <DIR> d-------- C:\AntiHijack 2009-01-28 21:43 . 2008-04-14 04:42 14,336 --a------ c:\winnt\system32\svchost.exe 2009-01-28 19:37 . 2008-04-13 20:12 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll 2009-01-28 19:37 . 2001-08-17 22:37 99,865 --a------ c:\winnt\system32\dllcache\xlog.exe 2009-01-28 19:37 . 2004-08-04 05:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls 2009-01-28 19:37 . 2001-08-17 22:37 27,648 --a------ c:\winnt\system32\dllcache\xrxftplt.exe 2009-01-28 19:37 . 2001-08-17 22:36 23,040 --a------ c:\winnt\system32\dllcache\xrxwbtmp.dll 2009-01-28 19:37 . 2008-04-13 20:12 18,944 --a------ c:\winnt\system32\dllcache\xrxscnui.dll 2009-01-28 19:37 . 2001-08-17 22:37 4,608 --a------ c:\winnt\system32\dllcache\xrxflnch.exe 2009-01-28 19:35 . 2001-08-17 13:28 794,654 --a------ c:\winnt\system32\dllcache\usr1801.sys 2009-01-28 19:34 . 2001-08-17 12:18 285,760 --a------ c:\winnt\system32\dllcache\stlnata.sys 2009-01-28 19:33 . 2001-08-17 22:36 495,616 --a------ c:\winnt\system32\dllcache\sblfx.dll 2009-01-28 19:32 . 2001-08-17 13:28 899,146 --a------ c:\winnt\system32\dllcache\r2mdkxga.sys 2009-01-28 19:31 . 2001-08-17 14:05 351,616 --a------ c:\winnt\system32\dllcache\ovcodek2.sys 2009-01-28 19:30 . 2004-08-04 05:00 1,875,968 --a------ c:\winnt\system32\dllcache\msir3jp.lex 2009-01-28 19:29 . 2004-08-04 05:00 1,158,818 --a------ c:\winnt\system32\dllcache\korwbrkr.lex 2009-01-28 19:28 . 2004-08-04 05:00 10,129,408 --a------ c:\winnt\system32\dllcache\hwxkor.dll 2009-01-28 19:27 . 2001-08-17 14:56 1,733,120 --a------ c:\winnt\system32\dllcache\g400d.dll 2009-01-28 19:26 . 2001-08-17 12:14 952,007 --a------ c:\winnt\system32\dllcache\diwan.sys 2009-01-28 19:25 . 2004-08-04 05:00 1,677,824 --a------ c:\winnt\system32\dllcache\chsbrkr.dll 2009-01-28 19:24 . 2001-08-17 14:05 314,752 --a------ c:\winnt\system32\dllcache\camdro21.sys 2009-01-28 19:23 . 2001-08-17 14:55 382,592 --a------ c:\winnt\system32\dllcache\atidrab.dll 2009-01-28 19:21 . 2001-08-17 13:28 762,780 --a------ c:\winnt\system32\dllcache\3cwmcru.sys 2009-01-28 19:20 . 2001-08-17 14:56 66,048 --a------ c:\winnt\system32\dllcache\s3legacy.dll 2009-01-28 18:44 . 2009-01-28 18:44 <DIR> d-------- c:\documents and settings\Administrator 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\usbaapl.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-09 18:53 --------- d-----w c:\program files\Logitech 2009-02-08 11:51 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-29 15:07 --------- d-----w c:\program files\Google 2009-01-26 23:58 --------- d-----w c:\program files\Common Files\Apple 2008-12-15 14:43 --------- d-----w c:\program files\MSN Messenger 2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys 2006-12-30 20:53 95,056 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2002-08-29 13:00 94,784 -csh--w c:\winnt\twain.dll 2008-04-14 00:12 50,688 --sh--w c:\winnt\twain_32.dll 2008-04-14 00:11 1,028,096 --sha-w c:\winnt\system32\mfc42.dll 2008-04-14 00:12 57,344 --sha-w c:\winnt\system32\msvcirt.dll 2008-04-14 00:12 413,696 --sha-w c:\winnt\system32\msvcp60.dll 2008-04-14 00:12 343,040 --sha-w c:\winnt\system32\msvcrt.dll 2008-04-14 00:12 551,936 --sh--w c:\winnt\system32\oleaut32.dll 2008-04-14 00:12 84,992 --sha-w c:\winnt\system32\olepro32.dll 2008-04-14 00:12 11,776 --sh--w c:\winnt\system32\regsvr32.exe . ((((((((((((((((((((((((((((( SnapShot@2009-02-08_ 8.30.52.28 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-09 02:00:54 884,736 ----a-w c:\winnt\gmer.dll + 2008-04-18 02:13:00 811,008 ----a-w c:\winnt\gmer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344] "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-07-10 155648] "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-07-10 114688] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\winnt\LOGI_MWX.EXE] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE] "GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe] c:\documents and settings\Owner\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-04-22 299008] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2002-11-25 36864] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728] QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-12-12 315392] Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2002-11-25 36864] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ICF"=2 (0x2) "FCI"=2 (0x2) "FSORSPClient"=3 (0x3) "FSMA"=2 (0x2) "FSDFWD"=3 (0x3) "FSAUA"=3 (0x3) "F-Secure Gatekeeper Handler Starter"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= --- Other Services/Drivers In Memory --- *NewlyCreated* - NMSSVC . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-09 18:47:37 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3143361003-3708641554-3042230386-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Other Running Processes ------------------------ . c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\winnt\system32\NMSSvc.Exe c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe c:\winnt\system32\wscntfy.exe c:\winnt\system32\msiexec.exe . ************************************************************************** . Completion time: 2009-02-09 18:55:44 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-09 23:55:41 ComboFix2.txt 2009-02-08 13:32:01 ComboFix3.txt 2009-02-08 02:26:59 Pre-Run: 26,303,082,496 bytes free Post-Run: 26,291,167,232 bytes free 190 --- E O F --- 2009-01-30 12:14:05 ================
  9. Silent Runners results: ================ "Silent Runners.vbs", revision 59, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINNT\system32\ctfmon.exe" [MS] "MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"] "Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."] "IgfxTray" = "C:\WINNT\System32\igfxtray.exe" ["Intel Corporation"] "HotKeysCmds" = "C:\WINNT\System32\hkcmd.exe" ["Intel Corporation"] "Hot Key Kbd 9910 Daemon" = "SK9910DM.EXE" ["Silitek Corporation"] "GWMDMMSG" = "GWMDMMSG.exe" ["GTW"] "googletalk" = "C:\Program Files\Google\Google Talk\googletalk.exe /autostart" ["Google"] "CapFax" = "C:\Program Files\PhoneTools\CapFax.EXE" ["BVRP Software"] "AppleSyncNotifier" = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."] "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"] "AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension" -> {HKLM...CLSID} = "Adaptec DirectCD Shell Extension" \InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINNT\system32\WPDShServiceObj.dll" [MS] HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ <<!>> ("zwebauth.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}" -> {HKLM...CLSID} = "IMMenuShellExt Class" \InProcServer32\(Default) = "C:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Default executables: -------------------- <<!>> HKCU\Software\Classes\.com\(Default) = "ComFile" <<!>> HKCU\Software\Classes\.exe\(Default) = "exefile" <<!>> HKCU\Software\Classes\.hta\(Default) = "htafile" Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoBandCustomize" = (REG_DWORD) dword:0x00000000 {Disable customizing browser toolbars} "NoMovingBands" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoSetTaskbar" = (REG_DWORD) dword:0x00000000 {Prevent changes to Taskbar and Start Menu Settings} "NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} "DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINNT\ACD Wallpaper.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ ACDSeeAcquirePicturesOnArrival\ "Provider" = "ACDSee" "InvokeProgID" = "ACDSee.AutoPlayHandlerAcquire" "InvokeVerb" = "Acquire" HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\7.0\ACDSee7.exe" /detect:%1" ["ACD Systems Ltd."] ACDSeeShowPicturesOnArrival\ "Provider" = "ACDSee" "InvokeProgID" = "ACDSee.AutoPlayHandler" "InvokeVerb" = "Open" HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\7.0\ACDSee7.exe" "%1"" ["ACD Systems Ltd."] CanonZB4PicturesOnArrival\ "Provider" = "ZoomBrowser EX" "InvokeProgID" = "Zb.AutoplayHandler" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\Zb.AutoplayHandler\shell\open\command\(Default) = "C:\PROGRA~1\Canon\ZOOMBR~1\Program\ZoomBrowser.exe /AUTOPLAY "%1"" [empty string] HPUnloadAutoplay\ "Provider" = "HP Transfer and Quick Print" "InvokeProgID" = "HpqUnApl.Autoplay" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = "C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"] IviDVDEventHandler\ "Provider" = "InterVideo WinDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "play" HKCU\Software\Classes\DVD\shell\play\command\(Default) = ""C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS] IviVideoCDHandler\ "Provider" = "InterVideo WinDVD" "InvokeProgID" = "Ivi.MediaFile" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = ""C:\Program Files\DVD\DVD Player\WinDVD.exe" %1" ["InterVideo Inc."] MMJBAutoplayBURNERPLUS\ "Provider" = "MUSICMATCH Burner Plus" "InvokeProgID" = "MMJB.BURN" "InvokeVerb" = "Burn" HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmfwlaunch.exe""-mmjb"" ["MUSICMATCH, Inc."] MMJBPlayCDAudioOnArrival\ "Provider" = "MUSICMATCH Jukebox" "InvokeProgID" = "MMJB.AUDIOCD" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["MUSICMATCH, Inc."] MMJBPlayMediaOnArrival\ "Provider" = "MUSICMATCH Jukebox" "InvokeProgID" = "MMJB.MMJB" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjblaunch.exe" "%1"" ["MUSICMATCH, Inc."] MSPictureItViewOnArrival\ "Provider" = "Microsoft Picture It! Photo 7.0" "InvokeProgID" = "Microsoft.Picture.It.7.AutoPlay" "InvokeVerb" = "AutoPlay" HKLM\SOFTWARE\Classes\Microsoft.Picture.It.7.AutoPlay\shell\AutoPlay\Command\(Default) = ""C:\Program Files\Microsoft Picture It! 7\pip.exe" /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS] MSWPDShellNamespaceHandler\ "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = " " -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\WINNT\system32\WPDShextAutoplay.exe" [MS] PSASE30ImportPicturesOnArrival\ "Provider" = "Adobe Photoshop Album Starter Edition" "InvokeProgID" = "PSASE30.autoplay" "InvokeVerb" = "launch" HKLM\SOFTWARE\Classes\PSASE30.autoplay\shell\launch\command\(Default) = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\psaproxy.exe" -v %1\" ["Adobe Systems Incorporated"] RoxioSelectOnArrival\ "Provider" = "Roxio Easy CD Creator" "InvokeProgID" = "CreateCD50" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\CreateCD50\shell\open\Command\(Default) = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -x" ["Roxio"] RPCDBurningOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."] RPDeviceOnArrival\ "Provider" = "RealPlayer" "ProgID" = "RealPlayer.HWEventHandler" HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}" -> {HKLM...CLSID} = "RealNetworks Scheduler" \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\Owner\Start Menu\Programs\Startup "HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Billminder" -> shortcut to: "C:\Program Files\QUICKENW\BILLMIND.EXE -startup" ["Intuit"] "HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."] "HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data] "QuickBooks 2002 Delivery Agent" -> shortcut to: "C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe" [empty string] "Quicken Startup" -> shortcut to: "C:\Program Files\QUICKENW\QWDLLS.EXE" ["Intuit"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\WINNT\system32\ieframe.dll" [MS] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{D6A116E7-5906-42E4-87F6-E7E15936415E}\(Default) = "MoneySide" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyside.dll" [MS] HKLM\SOFTWARE\Classes\CLSID\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = "Real.com" Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"] hpzlnt12\Driver = "hpzlnt12.dll" ["HP"] ---------- (launch time: 2009-02-09 06:31:52) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 13 seconds. ---------- (total run time: 74 seconds) ================ GMER ================ GMER 1.0.14.14536 - http://www.gmer.net Autostart scan 2009-02-09 06:36:17 Windows 5.1.2600 Service Pack 3 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINNT\system32\userinit.exe, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>> dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll igfxcui@DLLName = igfxsrvc.dll WgaLogon@DLLName = WgaLogon.dll HKLM\SYSTEM\CurrentControlSet\Services\ >>> MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" NMSSvc@ = C:\WINNT\System32\NMSSvc.exe Pml Driver HPZ12@ = C:\WINNT\system32\HPZipm12.exe ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>> @Share-to-Web Namespace DaemonC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe @Logitech UtilityLogi_MwX.Exe = Logi_MwX.Exe @IgfxTrayC:\WINNT\System32\igfxtray.exe = C:\WINNT\System32\igfxtray.exe @HotKeysCmdsC:\WINNT\System32\hkcmd.exe = C:\WINNT\System32\hkcmd.exe @Hot Key Kbd 9910 DaemonSK9910DM.EXE = SK9910DM.EXE @GWMDMMSGGWMDMMSG.exe = GWMDMMSG.exe @googletalkC:\Program Files\Google\Google Talk\googletalk.exe /autostart /*file not found*/ = C:\Program Files\Google\Google Talk\googletalk.exe /autostart /*file not found*/ @CapFaxC:\Program Files\PhoneTools\CapFax.EXE = C:\Program Files\PhoneTools\CapFax.EXE @AppleSyncNotifierC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe @Adobe Photo Downloader"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" @AdaptecDirectCD"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>> @ctfmon.exeC:\WINNT\system32\ctfmon.exe = C:\WINNT\system32\ctfmon.exe @MoneyAgent"C:\Program Files\Microsoft Money\System\mnyexpr.exe" = "C:\Program Files\Microsoft Money\System\mnyexpr.exe" HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINNT\system32\WPDShServiceObj.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>> @{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/(null) = @{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) = @{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll @{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL @{5E44E225-A408-11CF-B581-008029601108} /*Adaptec DirectCD Shell Extension*/C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll = C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll @{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL @{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINNT\system32\twext.dll = C:\WINNT\system32\twext.dll @{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINNT\system32\twext.dll = C:\WINNT\system32\twext.dll @{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINNT\system32\extmgr.dll = C:\WINNT\system32\extmgr.dll @{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINNT\system32\ieframe.dll = C:\WINNT\system32\ieframe.dll @{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll @{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll @{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll @{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) = HKLM\Software\Classes\*\shellex\ContextMenuHandlers\IMMenuShellExt@{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\Program Files\IncrediMail\bin\IMShExt.dll HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll HKLM\Software\Microsoft\Internet Explorer\Main >>> @Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157 @Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157 @Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm HKCU\Software\Microsoft\Internet Explorer\Main@Local Page = C:\WINNT\system32\blank.htm HKLM\Software\Classes\PROTOCOLS\Handler\ >>> dvd@CLSID = C:\WINNT\system32\msvidctl.dll its@CLSID = C:\WINNT\System32\itss.dll mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll ms-its@CLSID = C:\WINNT\System32\itss.dll ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll msnim@CLSID = "C:\PROGRA~1\MSNMES~1\msgrapp.dll" mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL tv@CLSID = C:\WINNT\system32\msvidctl.dll HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINNT\System32\wiascr.dll C:\Documents and Settings\Owner\Start Menu\Programs\Startup = HotSync Manager.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>> Billminder.lnk = Billminder.lnk HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk HP Image Zone Fast Start.lnk = HP Image Zone Fast Start.lnk QuickBooks 2002 Delivery Agent.lnk = QuickBooks 2002 Delivery Agent.lnk Quicken Startup.lnk = Quicken Startup.lnk ---- EOF - GMER 1.0.14 ---- ================
  10. Hello, Evidently \systemRoot\System32\Drivers\GearAspiWDM.sys is a file necessary to access the CDROM drive, although its version tab was missing. I have reinstated it.
  11. Hello, In Normal mode, GMER.EXE gives one of the two errors I got before: CreateFile "C:\WINNT\system3\drivers\gmer.sys": Not enough quota is available to process this command. It then found the following Rootkit/Malware: \systemRoot\System32\Drivers\GearAspiWDM.sys Its date was 1/23/09 which coincided with the infection. I ZIPped the file up in case you would like it. I then deleted the \systemRoot\System32\Drivers\GearAspiWDM.sys - it was MISSING its version tab which is often the sign of a bogus file. Tell me, what is QMER.EXE and QMER.DLL? I cannot find a reference to these anywhere on the Internet. I cannot find the QMER.EXE file (invisible). I can find the QMER.DLL but its Version tab is suspect. It has only two items: file version 1,0,14,14536 (matches the version of GMER I am using, so it may be related to GMER) and language of Polish (where the GMER web site is based). So I guess these are GMER related files... What about me not being able to update MBAM due to my computer being isolated from the network? ================ GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2009-02-09 05:24:51 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.14 ---- Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.sys ZwTerminateProcess [0xEEB5B1EC] Code \SystemRoot\System32\Drivers\GEARAspiWDM.sys IoCreateFile ---- Kernel code sections - GMER 1.0.14 ---- PAGE ntoskrnl.exe!IoCreateFile 8056CC6B 5 Bytes JMP F8B14559 \SystemRoot\System32\Drivers\GEARAspiWDM.sys PAGE ntoskrnl.exe!ZwTerminateProcess 805822EC 1 Byte [ E9 ] PAGE ntoskrnl.exe!ZwTerminateProcess + 2 805822EE 3 Bytes [ 8E, 5D, 6E ] ? System32\Drivers\GEARAspiWDM.sys The system cannot find the path specified. ! ? C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.sys The system cannot find the file specified. ! ---- Kernel IAT/EAT - GMER 1.0.14 ---- IAT \WINNT\System32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IofCompleteRequest] [EEB5DF76] \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.sys ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1716] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.14 ---- Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation) ---- Processes - GMER 1.0.14 ---- Library C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.exe (*** hidden *** ) @ C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.exe [3336] 0x00400000 Library C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.dll (*** hidden *** ) @ C:\DOCUME~1\Owner\LOCALS~1\Temp\RarSFX0\qmer.exe [3336] 0x72000000 ---- EOF - GMER 1.0.14 ---- ================
  12. Since your suggestion, all file transfers to the infected PC have been done with a CDR and all file transfers from the infected PC have been done with a new NTFS formatted USB flash drive with a read only autorun.ini file at the root with all security access removed to the autorun.ini file. STEP 1 ========== START - RUN - type in MSCONFIG ensure the system is set to NORMAL and reboot if needed For the past day or so I have been running in a CLEAN BOOT mode (all Startup and non-MS services disabled) so as to keep things as simple as possible and to possibly not run harmful software. I have just changed that to NORMAL. ========== ========== STEP 2 Logs indicate that both Symantec and F-Secure are installed. For now please FULLY remove both products and when we're done you can re-intall which ever one you want. Add/Remove programs have neither of these listed and WinXP complains that no antivirus program is installed. Norton AntiVirus 2009 I had already removed via Add/Remove Programs AND I ran the Norton Removal Tool after that; I just ran the Norton Removal Tool again. I have searched for an deleted all directories with Norton and Symantec in their names. F-Secure Internet Security 2009 I had already remvoved via Add/Remove Programs AND I ran the F-Secure Uninstall Tool; I just ran the F-Secure Uninstall Tool again. As a final clean attempt of these two antivirus programs, I ran Norton Windoctor 2008 to clear the registry of any remnants of these two antivirus programs. ========== ========== STEP 3 What is in this folder? Not normal to have a SUN folder off the root of %windir% c:\winnt\Sun This folder contained no files and 2 empty directories - I have deleted it. ========== ========== STEP 4 System shows other security software is installed or was run on the sytem. Please review Add/Remove and remove ALL Anti-Virus software and PC Doctor Check on the Add/Ons and Browser Helper Objects in IE and remove all Security ones like this one please. c:\documents and settings\Owner\.housecall6.6 See step 2 for antivirus software removal. I have removed PC Doctor. I have also removed MSN Gaming Zone (may contain some of the files below in Step 5). I total reset ALL of Internet Explorer 7. ========== ========== STEP 5 If you look in this key there is an questionable DLL file that starts with Windows. HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders zwebauth.dll If you can please copy that and upload it from another system to Jotti's malware scanner Let me know what it finds. If it is Virus/Malware then remove that entry from the Registry please and add it to the list of file in your CF script below. C:\WINNT\SYSTEM32\zwebauth.dll (or where it's located) NORMAL msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll UNKNOWN msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll msapsspc.dll is a DPA Client for 32 bit platforms from Microsoft in the C:\WINNT\system32, C:\WINNT\ServicePackFiles/i386 and C:\WINNT\System32\dllcache directories dated 4/13/2008 (before the infection) schannel.dll is a TLS/SSL Security Provider from Microsoft in the C:\WINNT\system32, C:\WINNT\ServicePackFiles/i386 and C:\WINNT\System32\dllcache directories dated 4/13/2008 (before the infection) digest.dll is a Digest SSPI Authentication Package from Microsoft in the C:\WINNT\system32, C:\WINNT\ServicePackFiles/i386 and C:\WINNT\System32\dllcache directories dated 4/13/2008 (before the infection). It seems to have a closely related file wdigest.dll which is in the same locations with the same dates. zwebauth.dll is a Zone Web Authentication SSP from Microsoft in the C:\WINNT\system32 directory dated 9/18/2001. It is part of the MSN Gaming Zone and was evidently not uninstalled when I uninstalled MSN Gaming Zone. I deleted it manually. ========== I have completed Step 6 and the results are below. Please note per you instructions, this infected PC is NOT on the network, thus I cannot update MBAM. ComboFix and MBAM still see the two files and do not remove them (probably being regenerated). =================== ComboFix 09-02-06.04 - Owner 2009-02-08 8:19:24.8 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.192 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! FILE :: c:\atf\Qctest\PCDoc\PCDRDRV.sys c:\winnt\system32\26.tmp . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\winnt\system32\drivers\mrxdavv.sys c:\winnt\system32\kwave.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_MEMSWEEP2 -------\Service_MEMSWEEP2 -------\Service_PCDRDRV ((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))))) . 2009-02-08 07:49 . 2009-02-08 07:49 <DIR> d-------- c:\documents and settings\Owner\Application Data\Symantec 2009-02-07 08:01 . 2009-02-07 08:01 <DIR> d--hs---- C:\found.000 2009-02-07 06:43 . 2009-02-07 06:51 <DIR> d-------- C:\HaxFix 2009-02-07 06:43 . 2009-01-30 11:30 485,902 --a------ C:\HaxFix.exe 2009-02-05 06:13 . 2009-02-05 06:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-02-05 06:13 . 2009-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys 2009-02-05 06:12 . 2009-02-05 06:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 06:12 . 2009-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys 2009-02-04 16:40 . 2009-02-04 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg 2009-02-01 07:01 . 2009-02-01 07:01 <DIR> d-------- c:\winnt\ERUNT 2009-01-31 19:43 . 2009-01-31 19:45 34,914,304 --a------ c:\winnt\system32\ODARMFOLZB 2009-01-30 13:00 . 2009-01-30 13:00 0 --a------ c:\documents and settings\Owner\settings.dat 2009-01-30 12:17 . 2009-01-30 12:17 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb 2009-01-30 06:49 . 2009-01-30 06:42 1,277,736 --a------ C:\ProcessMonitor.zip 2009-01-29 17:48 . 2007-08-01 22:47 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys 2009-01-29 15:30 . 2009-01-29 18:23 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6 2009-01-29 15:11 . 2009-01-29 15:10 410,984 --a------ c:\winnt\system32\deploytk.dll 2009-01-29 10:13 . 2008-12-11 22:08 36,272 -ra------ c:\winnt\system32\drivers\SymIM.sys 2009-01-29 06:55 . 2009-01-29 06:55 <DIR> d-------- c:\program files\Windows Installer Clean Up 2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-29 04:14 . 2009-02-07 21:08 <DIR> d-------- C:\AntiSpyware 2009-01-29 04:14 . 2009-01-30 21:03 <DIR> d-------- C:\AntiHijack 2009-01-28 21:43 . 2008-04-14 04:42 14,336 --a------ c:\winnt\system32\svchost.exe 2009-01-28 19:37 . 2008-04-13 20:12 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll 2009-01-28 19:37 . 2001-08-17 22:37 99,865 --a------ c:\winnt\system32\dllcache\xlog.exe 2009-01-28 19:37 . 2004-08-04 05:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls 2009-01-28 19:37 . 2001-08-17 22:37 27,648 --a------ c:\winnt\system32\dllcache\xrxftplt.exe 2009-01-28 19:37 . 2001-08-17 22:36 23,040 --a------ c:\winnt\system32\dllcache\xrxwbtmp.dll 2009-01-28 19:37 . 2008-04-13 20:12 18,944 --a------ c:\winnt\system32\dllcache\xrxscnui.dll 2009-01-28 19:37 . 2001-08-17 22:37 4,608 --a------ c:\winnt\system32\dllcache\xrxflnch.exe 2009-01-28 19:35 . 2001-08-17 13:28 794,654 --a------ c:\winnt\system32\dllcache\usr1801.sys 2009-01-28 19:34 . 2001-08-17 12:18 285,760 --a------ c:\winnt\system32\dllcache\stlnata.sys 2009-01-28 19:33 . 2001-08-17 22:36 495,616 --a------ c:\winnt\system32\dllcache\sblfx.dll 2009-01-28 19:32 . 2001-08-17 13:28 899,146 --a------ c:\winnt\system32\dllcache\r2mdkxga.sys 2009-01-28 19:31 . 2001-08-17 14:05 351,616 --a------ c:\winnt\system32\dllcache\ovcodek2.sys 2009-01-28 19:30 . 2004-08-04 05:00 1,875,968 --a------ c:\winnt\system32\dllcache\msir3jp.lex 2009-01-28 19:29 . 2004-08-04 05:00 1,158,818 --a------ c:\winnt\system32\dllcache\korwbrkr.lex 2009-01-28 19:28 . 2004-08-04 05:00 10,129,408 --a------ c:\winnt\system32\dllcache\hwxkor.dll 2009-01-28 19:27 . 2001-08-17 14:56 1,733,120 --a------ c:\winnt\system32\dllcache\g400d.dll 2009-01-28 19:26 . 2001-08-17 12:14 952,007 --a------ c:\winnt\system32\dllcache\diwan.sys 2009-01-28 19:25 . 2004-08-04 05:00 1,677,824 --a------ c:\winnt\system32\dllcache\chsbrkr.dll 2009-01-28 19:24 . 2001-08-17 14:05 314,752 --a------ c:\winnt\system32\dllcache\camdro21.sys 2009-01-28 19:23 . 2001-08-17 14:55 382,592 --a------ c:\winnt\system32\dllcache\atidrab.dll 2009-01-28 19:21 . 2001-08-17 13:28 762,780 --a------ c:\winnt\system32\dllcache\3cwmcru.sys 2009-01-28 19:20 . 2001-08-17 14:56 66,048 --a------ c:\winnt\system32\dllcache\s3legacy.dll 2009-01-28 18:44 . 2002-11-13 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterVideo 2009-01-28 18:44 . 2002-11-13 18:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust 2009-01-28 18:44 . 2009-01-28 18:44 <DIR> d-------- c:\documents and settings\Administrator 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\usbaapl.sys 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\GEARAspiWDM.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-08 11:51 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-05 00:51 --------- d-----w c:\program files\IncrediMail 2009-01-30 14:54 172 ----a-w c:\program files\rgzvb.txt 2009-01-29 15:07 --------- d-----w c:\program files\Google 2009-01-29 11:59 --------- d-----w c:\program files\Logitech 2009-01-28 19:26 --------- d-----w c:\program files\hbinst 2009-01-26 23:58 --------- d-----w c:\program files\Common Files\Apple 2008-12-15 14:43 --------- d-----w c:\program files\MSN Messenger 2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys 2006-12-30 20:53 95,056 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2003-12-27 20:26 1,733,056 -c--a-w c:\program files\canon-raw.exe 2003-12-27 20:18 299,624 -c--a-w c:\program files\directxwebsetup.exe 2002-08-29 13:00 94,784 -csh--w c:\winnt\twain.dll 2008-04-14 00:12 50,688 --sh--w c:\winnt\twain_32.dll 2008-04-14 00:11 1,028,096 --sha-w c:\winnt\system32\mfc42.dll 2008-04-14 00:12 57,344 --sha-w c:\winnt\system32\msvcirt.dll 2008-04-14 00:12 413,696 --sha-w c:\winnt\system32\msvcp60.dll 2008-04-14 00:12 343,040 --sha-w c:\winnt\system32\msvcrt.dll 2008-04-14 00:12 551,936 --sh--w c:\winnt\system32\oleaut32.dll 2008-04-14 00:12 84,992 --sha-w c:\winnt\system32\olepro32.dll 2008-04-14 00:12 11,776 --sh--w c:\winnt\system32\regsvr32.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360] "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344] "IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-07-10 155648] "HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-07-10 114688] "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648] "CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032] "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\winnt\LOGI_MWX.EXE] "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE] "GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe] c:\documents and settings\Owner\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-04-22 299008] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Billminder.lnk - c:\program files\QUICKENW\BILLMIND.EXE [2002-11-25 36864] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728] QuickBooks 2002 Delivery Agent.lnk - c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe [2002-12-12 315392] Quicken Startup.lnk - c:\program files\QUICKENW\QWDLLS.EXE [2002-11-25 36864] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ICF"=2 (0x2) "FCI"=2 (0x2) "FSORSPClient"=3 (0x3) "FSMA"=2 (0x2) "FSDFWD"=3 (0x3) "FSAUA"=3 (0x3) "F-Secure Gatekeeper Handler Starter"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= --- Other Services/Drivers In Memory --- *NewlyCreated* - NMSSVC . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-08 08:25:54 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3143361003-3708641554-3042230386-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Other Running Processes ------------------------ . c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\program files\HP\Digital Imaging\bin\hpqste08.exe c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe c:\winnt\system32\wscntfy.exe c:\winnt\system32\msiexec.exe . ************************************************************************** . Completion time: 2009-02-08 8:31:58 - machine was rebooted [Owner] ComboFix-quarantined-files.txt 2009-02-08 13:31:55 ComboFix2.txt 2009-02-08 02:26:59 Pre-Run: 26,316,627,968 bytes free Post-Run: 26,308,792,320 bytes free 209 --- E O F --- 2009-01-30 12:14:05 ================== ================== Malwarebytes' Anti-Malware 1.33 Database version: 1736 Windows 5.1.2600 Service Pack 3 2/8/2009 8:46:31 AM mbam-log-2009-02-08 (08-46-31).txt Scan type: Quick Scan Objects scanned: 60379 Time elapsed: 5 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot. C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot. =================
  13. Hello, I have disconnected the infected PC from my network. I downloaded a new latest copy of ComboFix and burned it to a CDR. I Searched for and deleted all ComboFix files. I took a NEW, NEVER CONNECTED TO A PC BEFORE USB flash drive, formatted as NTFS. I then created an autorun.inf file at the root and made it Read Only. I then right clicked on the file, clicked on Properties, clicked the Security tab, clicked on the Advanced button, unchecked Inherit from the parent the permission entries that apply to child objects. This caused all Permissions to disappear. As I understand it, no one can access this file or delete it without me (the creator) re-establishing my rights to it. I have two other PCs on the network. They are both WinXP Pro SP3 fully updated with Norton AntiVirus 2009 and CA AntiSpyware 2009. On one of these other PCs I ran MBAM Quick Scan and Full Scan (as a comparison with the infected PC) and both scans came up clean. I ran ComboFix and it found and said it deleted the two files: C:\WINNT\system32\drivers\mrxdavv.sys and C:\WINNT\system32\kwave.sys. I restarted the PC and ran MBAM which found the same two files and said it would delete them on reboot. After the reboot I re-ran MBAM and it found the same two files. The results are below: ================ ComboFix 09-02-06.04 - Owner 2009-02-07 21:12:56.7 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.277 [GMT -5:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\winnt\system32\drivers\mrxdavv.sys c:\winnt\system32\kwave.sys . ((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))))) . 2009-02-07 08:01 . 2009-02-07 08:01 <DIR> d--hs---- C:\found.000 2009-02-07 06:43 . 2009-02-07 06:51 <DIR> d-------- C:\HaxFix 2009-02-07 06:43 . 2009-01-30 11:30 485,902 --a------ C:\HaxFix.exe 2009-02-05 06:13 . 2009-02-05 06:13 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-02-05 06:13 . 2009-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys 2009-02-05 06:12 . 2009-02-05 06:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-05 06:12 . 2009-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys 2009-02-04 18:26 . 2009-02-04 19:39 <DIR> d-------- c:\program files\CCleaner 2009-02-04 16:54 . 2009-02-04 16:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\F-Secure 2009-02-04 16:41 . 2009-02-07 05:58 <DIR> d-------- c:\program files\F-Secure Internet Security 2009-02-04 16:40 . 2009-02-04 16:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\fssg 2009-02-04 16:37 . 2009-02-07 05:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\f-secure 2009-02-01 07:01 . 2009-02-01 07:01 <DIR> d-------- c:\winnt\ERUNT 2009-01-31 19:43 . 2009-01-31 19:45 34,914,304 --a------ c:\winnt\system32\ODARMFOLZB 2009-01-30 13:00 . 2009-01-30 13:00 0 --a------ c:\documents and settings\Owner\settings.dat 2009-01-30 12:17 . 2009-01-30 12:17 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb 2009-01-30 06:49 . 2009-01-30 06:42 1,277,736 --a------ C:\ProcessMonitor.zip 2009-01-29 17:48 . 2007-08-01 22:47 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys 2009-01-29 15:30 . 2009-01-29 18:23 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6 2009-01-29 15:27 . 2009-01-29 15:27 <DIR> d-------- c:\winnt\Sun 2009-01-29 15:11 . 2009-01-29 15:10 410,984 --a------ c:\winnt\system32\deploytk.dll 2009-01-29 10:13 . 2008-12-11 22:08 36,272 -ra------ c:\winnt\system32\drivers\SymIM.sys 2009-01-29 06:55 . 2009-01-29 06:55 <DIR> d-------- c:\program files\Windows Installer Clean Up 2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-01-29 05:26 . 2009-02-02 15:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton 2009-01-29 05:25 . 2009-02-02 15:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller 2009-01-29 04:14 . 2009-02-07 21:08 <DIR> d-------- C:\AntiSpyware 2009-01-29 04:14 . 2009-01-30 21:03 <DIR> d-------- C:\AntiHijack 2009-01-28 21:43 . 2008-04-14 04:42 14,336 --a------ c:\winnt\system32\svchost.exe 2009-01-28 19:37 . 2008-04-13 20:12 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll 2009-01-28 19:37 . 2001-08-17 22:37 99,865 --a------ c:\winnt\system32\dllcache\xlog.exe 2009-01-28 19:37 . 2004-08-04 05:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls 2009-01-28 19:37 . 2001-08-17 22:37 27,648 --a------ c:\winnt\system32\dllcache\xrxftplt.exe 2009-01-28 19:37 . 2001-08-17 22:36 23,040 --a------ c:\winnt\system32\dllcache\xrxwbtmp.dll 2009-01-28 19:37 . 2008-04-13 20:12 18,944 --a------ c:\winnt\system32\dllcache\xrxscnui.dll 2009-01-28 19:37 . 2001-08-17 22:37 4,608 --a------ c:\winnt\system32\dllcache\xrxflnch.exe 2009-01-28 19:35 . 2001-08-17 13:28 794,654 --a------ c:\winnt\system32\dllcache\usr1801.sys 2009-01-28 19:34 . 2001-08-17 12:18 285,760 --a------ c:\winnt\system32\dllcache\stlnata.sys 2009-01-28 19:33 . 2001-08-17 22:36 495,616 --a------ c:\winnt\system32\dllcache\sblfx.dll 2009-01-28 19:32 . 2001-08-17 13:28 899,146 --a------ c:\winnt\system32\dllcache\r2mdkxga.sys 2009-01-28 19:31 . 2001-08-17 14:05 351,616 --a------ c:\winnt\system32\dllcache\ovcodek2.sys 2009-01-28 19:30 . 2004-08-04 05:00 1,875,968 --a------ c:\winnt\system32\dllcache\msir3jp.lex 2009-01-28 19:29 . 2004-08-04 05:00 1,158,818 --a------ c:\winnt\system32\dllcache\korwbrkr.lex 2009-01-28 19:28 . 2004-08-04 05:00 10,129,408 --a------ c:\winnt\system32\dllcache\hwxkor.dll 2009-01-28 19:27 . 2001-08-17 14:56 1,733,120 --a------ c:\winnt\system32\dllcache\g400d.dll 2009-01-28 19:26 . 2001-08-17 12:14 952,007 --a------ c:\winnt\system32\dllcache\diwan.sys 2009-01-28 19:25 . 2004-08-04 05:00 1,677,824 --a------ c:\winnt\system32\dllcache\chsbrkr.dll 2009-01-28 19:24 . 2001-08-17 14:05 314,752 --a------ c:\winnt\system32\dllcache\camdro21.sys 2009-01-28 19:23 . 2001-08-17 14:55 382,592 --a------ c:\winnt\system32\dllcache\atidrab.dll 2009-01-28 19:21 . 2001-08-17 13:28 762,780 --a------ c:\winnt\system32\dllcache\3cwmcru.sys 2009-01-28 19:20 . 2001-08-17 14:56 66,048 --a------ c:\winnt\system32\dllcache\s3legacy.dll 2009-01-28 18:44 . 2002-11-13 18:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec 2009-01-28 18:44 . 2002-11-13 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterVideo 2009-01-28 18:44 . 2002-11-13 18:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust 2009-01-28 18:44 . 2009-01-28 18:44 <DIR> d-------- c:\documents and settings\Administrator 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\usbaapl.sys 2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\GEARAspiWDM.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-05 00:51 --------- d-----w c:\program files\IncrediMail 2009-02-05 00:45 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-03 08:28 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-01-30 14:54 172 ----a-w c:\program files\rgzvb.txt 2009-01-29 15:07 --------- d-----w c:\program files\Google 2009-01-29 11:59 --------- d-----w c:\program files\Logitech 2009-01-28 19:26 --------- d-----w c:\program files\hbinst 2009-01-26 23:58 --------- d-----w c:\program files\Common Files\Apple 2008-12-15 14:43 --------- d-----w c:\program files\MSN Messenger 2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys 2006-12-30 20:53 95,056 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT 2003-12-27 20:26 1,733,056 -c--a-w c:\program files\canon-raw.exe 2003-12-27 20:18 299,624 -c--a-w c:\program files\directxwebsetup.exe 2002-08-29 13:00 94,784 -csh--w c:\winnt\twain.dll 2008-04-14 00:12 50,688 --sh--w c:\winnt\twain_32.dll 2008-04-14 00:11 1,028,096 --sha-w c:\winnt\system32\mfc42.dll 2008-04-14 00:12 57,344 --sha-w c:\winnt\system32\msvcirt.dll 2008-04-14 00:12 413,696 --sha-w c:\winnt\system32\msvcp60.dll 2008-04-14 00:12 343,040 --sha-w c:\winnt\system32\msvcrt.dll 2008-04-14 00:12 551,936 --sh--w c:\winnt\system32\oleaut32.dll 2008-04-14 00:12 84,992 --sha-w c:\winnt\system32\olepro32.dll 2008-04-14 00:12 11,776 --sh--w c:\winnt\system32\regsvr32.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSConfig"="c:\winnt\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= vdrcodec.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk backup=c:\winnt\pss\Billminder.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\winnt\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=c:\winnt\pss\HP Image Zone Fast Start.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk backup=c:\winnt\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk backup=c:\winnt\pss\Quicken Startup.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk] path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk backup=c:\winnt\pss\HotSync Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] --a------ 2002-10-03 19:50 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader] --a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] --a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax] --------- 2001-11-07 14:25 20480 c:\program files\PhoneTools\capFax.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 c:\winnt\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk] --a------ 2007-01-01 16:22 3739648 c:\program files\Google\Google Talk\googletalk.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] --a------ 2003-07-10 03:13 114688 c:\winnt\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2003-07-10 03:25 155648 c:\winnt\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent] --a------ 2002-07-17 12:00 200767 c:\program files\Microsoft Money\System\mnyexpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2001-07-03 09:11 57344 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG] --a------ 2002-08-06 16:24 90112 c:\winnt\GWMDMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon] --a------ 2001-01-03 15:50 66048 c:\winnt\system32\SK9910DM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility] --------- 2003-11-07 04:50 19968 c:\winnt\LOGI_MWX.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "ICF"=2 (0x2) "FCI"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "Pml Driver HPZ12"=2 (0x2) "NMSSvc"=2 (0x2) "MDM"=2 (0x2) "FSORSPClient"=3 (0x3) "FSMA"=2 (0x2) "FSDFWD"=3 (0x3) "FSAUA"=3 (0x3) "F-Secure Gatekeeper Handler Starter"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"= "c:\\Program Files\\MSN Gaming Zone\\zclient.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= S1 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?] S3 MEMSWEEP2;MEMSWEEP2;\??\c:\winnt\system32\26.tmp --> c:\winnt\system32\26.tmp [?] --- Other Services/Drivers In Memory --- *NewlyCreated* - NMSSVC . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-F-Secure Manager - c:\program files\F-Secure Internet Security\Common\FSM32.EXE MSConfigStartUp-F-Secure TNB - c:\program files\F-Secure Internet Security\FSGUI\TNBUtil.exe . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uStart Page = hxxp://home.citcom.net/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-07 21:19:03 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2] "ImagePath"="\??\c:\winnt\system32\26.tmp" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-3143361003-3708641554-3042230386-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Other Running Processes ------------------------ . c:\winnt\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-02-07 21:26:57 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-08 02:26:54 Pre-Run: 26,217,775,104 bytes free Post-Run: 26,217,844,736 bytes free 239 --- E O F --- 2009-01-30 12:14:05 ================ ================ Malwarebytes' Anti-Malware 1.33 Database version: 1736 Windows 5.1.2600 Service Pack 3 2/7/2009 9:34:07 PM mbam-log-2009-02-07 (21-34-07).txt Scan type: Quick Scan Objects scanned: 59790 Time elapsed: 5 minute(s), 40 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot. C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot. ================ Just FYI, we will have access to this PC for another week. If we have not been able to defeat this infection by then I will be forced to back up the data, destroy the partition and reinstall WinXP. Until then I will continue to work with you to hopefully provide MB and their customers with a solution to this new threat.
  14. Hello, I do have a license - I would be happy to provide you with its ID and key should you want to verify it. My apologies for causing offense. This has been a frustrating experience. Path: C:\Avenger Status: Could not get file information (Error 0xc0000008) Repaired with chkdsk Path: C:\temp\trinity-rescue-kit.3.2-build-279u.iso Status: Invisible to the Windows API! seemingly non issue file but it's locked from normal Windows seeing it. Is it really hidden or is this a false message? It was hidden - it is an alternative to the Ariva Rescue CD that does not work on the infected PC. I deleted the entire C:\Temp directory. Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\kwave.sys Status: Locked to the Windows API! If kwave.sys did not really exist why is it in the System Restore? Is this the one you created? System Restore has been turned off for some time - odd that there is anything in _restore. I connected the hard drive to another PC and deleted the _restore{46DE8921-1D39-44D2-A9E9-64119261F211} folder. Path: C:\WINNT\ServicePackFiles\i386\avc.sys enumerates 1394 devices - why is this and the other ones affected? Status: Locked to the Windows API! I do not understand your question on this one. Path: C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb locked maybe but shouldn't be hidden Status: Invisible to the Windows API! This is hidden on the infected PC and my office PC.
  15. Hello, What is POS that is blocking GMER? What does POS stand for? I have removed all traces of GMER and have cleared %temp%. I have uninstalled F-Secure Internet Security 2009. I downloaded http://rootrepeal.googlepages.com/RootRepeal.zip and transferred it to the infected PC. I unzipped the file. Upon running RootRepeal I get the following error. RootRepeal Error Error - invalid PE image found! This reminds me; why have you not commented on the errors I got with GMER or on the two different GMER logs I sent you? It seems you ask for tons of information, I provide it, and you just ask for more information. I click OK on the Error message and RootRepeal appears open and ready to go. I click on the Report tab and click on the Scan button, selecting all 6 categories and the C drive (only drive). The results are below. By the way, System Restore IS OFF. Also, earlier I created a C:\WINNT\system32\kwave.sys file (with the text: STOP DOING THAT!) that was hidden and read-only. MBAM was able to successfully delete it (but not the actual malware). It was stored in the C:\Avenger directory. I could not delete this file/directory on the infected PC so I attached it to another PC and deleted the directory. Evidently, something did not like that since it was flagged in RootRepeal. I ran the Hax tool. The results are below. ================ ROOTREPEAL © AD, 2007-2008 ================================================== Scan Time: 2009/02/07 06:27 Program Version: Version 1.2.3.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys Address: 0xEF5A0000 Size: 98304 File Visible: No Status: - Name: dump_WMILIB.SYS Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS Address: 0xF8B82000 Size: 8192 File Visible: No Status: - Name: rootrepeal.sys Image Path: C:\WINNT\system32\drivers\rootrepeal.sys Address: 0xEF235000 Size: 45056 File Visible: No Status: - Hidden/Locked Files ------------------- Path: C:\Avenger Status: Could not get file information (Error 0xc0000008) Path: C:\temp\trinity-rescue-kit.3.2-build-279u.iso Status: Invisible to the Windows API! Path: C:\temp\clientutil.log Status: Visible to the Windows API, but not on disk. Path: C:\WINNT\$NtServicePackUninstall$\avc.sys Status: Locked to the Windows API! Path: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\kwave.sys Status: Locked to the Windows API! Path: C:\WINNT\ServicePackFiles\i386\avc.sys Status: Locked to the Windows API! Path: C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Status: Invisible to the Windows API! Path: C:\WINNT\system32\wbem\Logs\wmiadap.log Status: Allocation size mismatch (API: 80, Raw: 0) ================ ================ HAXFIX logfile - by Marckie version 5.028 Sat 02/07/2009 6:43:27.93 running from C:\HaxFix --- Checking for Haxdoor --- checking for a3d files a3d files not found checking for matching notify keys no matching notify keys found checking for matching services no matching services found checking for matching safeboot services no matching safeboot services found --- Checking for Goldun - Spybanker --- checking for SSODL keys no ssodl keys found checking for notify keys no notify keys found checking for services no services found checking for browser helper objects no known browser helper objects found checking for appinit files no files found checking for possible infected files please submit these file here: http://www.bleepingcomputer.com/submit-mal....php?channel=11 [C:\WINNT\system32\mmsystem.dll] BAC7CA4576EF5509F336F5B007DC195B checking iexplore.exe iexplore.exe is not infected --- Checking for other Goldun, Spybanker and Haxdoor files --- no other Haxdoor or Goldun files found --- Catchme logfile - thank you Gmer --- catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-07 06:43:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710 scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 --- Analysing Catchme logfile --- no matching regkeys found Finished! ================
  16. Hello, 1) I did a clean boot of WinXP. 2) I launch GMER. 3) I get an error: CreateFile "C:\WINNT\system32\drivers\gmer.sys" Not enough quota is available to process the command. (I have mentioned this error before - I can't help but think it is the infection's way of protecting itself) 4) I click OK on the error message. 5) I get another error message: Warning!!! Loaded GMER's driver version is incompatible with the currently running GMER application. You need to stop the driver with the command "net stop gmer" or restart your computer. 6) I click OK on the error message. 7) GMER 1.0.14.14536 opens. 8) I click on the Scan button. 9) I click on the SAVE button, browse to the Desktop and save the file as GMER.LOG. 10) I found a file SGMER.COM on the Internet that is supposed to help GMER.EXE run. 11) I ran SGMER.COM. 12) It got the same two messages as above, but pushed through them. 13) GMER 1.0.14.14536 opens - at this point I see a BIG difference. Before only Services, Registry, Files and ADS are checked with the rest greyed out. Now ALL boxes to the right of GMER's display panel are available and already checked. 14) I click on the Scan button - the scan ends with the message: "GMER has found system modification caused by ROOTKIT activity" - I click on OK. 15) I click on the SAVE button, browse to the Desktop and save the file as SGMER.LOG. 16) I ZIP both GMER.LOG and SGMER.LOG file as GMERLOG.ZIP. 20) I copy the GMERLOG.ZIP file to a USB flash drive for tranfer from the infected PC to the PC I am writing this on. 21) I attach the GMERLOG.ZIP file to this message. It would seem that the run of GMER.EXE is suspect because of the errors and the limited scan. Please let me know if the SGMER.COM log was more enlightening. Warmly, Al Stearns Pisgah Forest, NC USA
  17. Hello, Some more additional information. While I was using the Trinity Rescue Kit 3.2 build 279 CD (Linux) I created a KWAVE.SYS file with the test STOP THAT RIGHT NOW! in it. I shut down, connected the hard drive to a WinXP PC and hid and write protected the file. I placed the hard drive back in the infected PC and started in Safe Mode. I went to the C:\WINNT\System32\KWAVE.SYS file I had created and tried to open it with Notepad (worked fine in my non-infected PC) and I get a blank document with the error "Not enough quota is available to process this command." I have seen this error multiple times when working to clean this PC - it must be part of the infection's defense mechinism. I am doing all I can on this end. I look forward to some additional help from Malwarebytes. Warmly, Al Stearns Pisgah Forest, NC USA
  18. Hello, Some additional information. I have booted of the Trinity Rescue Kit 3.2 build 279 CD (Linux) and have cd'ed to /hda1/WINNT/System32 and KWAVE.SYS is not there. I suspect this file is being created upon PC startup and deleted on PC shutdown. Warmly, Al Stearns Pisgah Forest, NC USA
  19. Hello, I do not understand how Easy CD Creator could be causing problems (if updated it does support WinXP) but I can uninstall it if you wish. I followed your instructions about GMER and KWAVE.SYS is not listed in C:\WINNT\SYSTEM32. Warmly, Al Stearns Pisgah Forest, NC USA
  20. Hello, ========== If none of those other Anti-Virus boot disks work then I think we only have a few other options. 1. Build an Ultimate Boot CD for Windows and use that to attempt to locate the Parent process file. 2. Some how get the Avira disk to work 3. Backup all data and Remove ALL security software and un-needed software, then try RK scanning software again. 4. FDISK, Format and re-install Windows. ========== F-Secure Rescue disk did not find anything. F-Secure Internet Security 2009 trial did not find anything but does stop the infected PC from flooding the network with packets. 1) HOW would I use the Ultimate Boot CD for Windows to locate the Parent process file? 2) Not an option until May 09 or so (they need to fix). 3) What does RK scanning mean? 4) NOT AN OPTION In my eyes you folks have become number one in fighting malware in the past 6-8 months. I am suprized Malwarebytes is not more interested in finding out what this is. Can I contact an upper level tech? I have a PC with a new malware infection and some 26 years experience working with PCs. I would thing you would want to take advantage of this? Warmly, Al Stearns Pisgah Forest, NC USA
  21. Hello, Check out the following link and you will see that I am not alone having problems running the potentially useful Avira AntiVir Rescue CD due to video problems. http://forum.avira.com/wbb/index.php?page=...amp;boardID=210 (my username there is arstearns) I do understand how to use an ISO file to create a CD. I have Roxio Media Creator 2009 if CD burning software is needed. This rootkit infection is hidden from both Windows API and the File Allocation Table. Standard antivirus programs are not going find it. MBAM is the best program to deal with this sort of thing - it sees it but cannot do anything about it. Again, HOW is MBAM seeing these files? If we could see them manually we might be able to do something about them. NAV 2009 does not see them, Avenger does not see them. F-Secure BlackLight Root Detection and Elimination Tool does not see them, Sophos Anti-Rootkit v1.3 does not see them, GMER does not see them. Warmly, Al Stearns Pisgah Forest, NC USA
  22. Hello, I ran Avenger 2.0 with the code you provided - the results are below. Note that c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP is a folder and not a file - I deleted this manually. I ran MBAM, updated it, ran a Quick Scan (results below), rebooted, ran a Quick Scan again - same two files are still found. The results are below. C:\WINNT\system32\kwave.sys C:\WINNT\system32\drivers\mrxdavv.sys It seems that these two files are CRITICAL to the rootkit's survival. MBAM can see them on some level, but cannot delete them. Is there a tool we can use to SEE them and manually delete them. The latest HJT log is below. The following files contain gibberish. I renamed them both with a hld extension. c:\winnt\{BB7B70C3-B2F2-407C-A791-CF2DDA431A93}.dat c:\winnt\system32\{26F9959A-E681-4126-A620-D2F17F4F38E6}.dat ================ Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ******************* Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: Driver "ati4joxx" deleted successfully. Driver "jpwkzfgz" deleted successfully. Driver "btw3a" deleted successfully. Driver "ethigokf" deleted successfully. Driver "iscFlash" deleted successfully. Driver "ati7uaxx" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\BNNIV" not found! Deletion of driver "BNNIV" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Driver "GQXKKXFC" deleted successfully. Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ONWXUV" not found! Deletion of driver "ONWXUV" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Driver "RioPNP" deleted successfully. File "c:\winnt\system32\btw3a.sys" deleted successfully. File "c:\winnt\SYSTEM32\DRIVERS\iscflash.sys" deleted successfully. Error: file "C:\WINNT\system32\drivers\mrxdavv.sys" not found! Deletion of file "C:\WINNT\system32\drivers\mrxdavv.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINNT\system32\kwave.sys" not found! Deletion of file "C:\WINNT\system32\kwave.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: "c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" is a folder, not a file! Deletion of file "c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" failed! Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY) --> use "Folders to delete:" instead of "Files to delete:" to delete a directory File "c:\winnt\system32\ak" deleted successfully. File "c:\winnt\system32\nar.bin" deleted successfully. File "c:\winnt\system32\system32xp.exe.tmp" deleted successfully. File "c:\winnt\system32\drivers\ethigokf.sys" deleted successfully. Folder "C:\$WIN_NT$.~BT" deleted successfully. Folder "c:\winnt\SxsCaPendDel" deleted successfully. Completed script processing. ******************* Finished! Terminate. ================ Malwarebytes' Anti-Malware 1.33 Database version: 1725 Windows 5.1.2600 Service Pack 3 2/4/2009 8:23:40 AM mbam-log-2009-02-04 (08-23-40).txt Scan type: Quick Scan Objects scanned: 60848 Time elapsed: 7 minute(s), 1 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 2 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot. C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot. ================ ================ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:39:33 AM, on 2/4/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\Explorer.EXE C:\Program Files\Java\jre6\bin\jusched.exe C:\WINNT\System32\hkcmd.exe C:\WINNT\system32\SK9910DM.EXE C:\WINNT\GWMDMMSG.exe C:\Program Files\Google\Google Talk\googletalk.exe C:\Program Files\PhoneTools\CapFax.EXE C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe C:\Program Files\QUICKENW\QWDLLS.EXE C:\Program Files\Palm\HOTSYNC.EXE C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINNT\System32\svchost.exe C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe C:\Documents and Settings\Owner\Desktop\HJT.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\componentlauncher.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.citcom.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124652100218 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe -- End of file - 5794 bytes ================ Warmly, Al Stearns Pisgah Forest, NC USA
  23. Hello, I have narrowed down the problem I am having using the Avira AntiVir Rescue CD and have asked the following question on their forums. =============== I just learned of your product and thought I would try it to deal with a dual root kit infection. I downloaded it an hour ago from: http://www.free-av.com/en/tools/12/avira_a...cue_system.html I am having a similar problem mentioned in the thread: "Rescue disk: No Language Selection & Screen size wrong" The problem is that the screen resolution is 640 x 480 which makes the lower portion of the GUI interface unavailable. I have tried this on two different monitors with the same problem. The missing lower portion of the GUI interface contains the language buttons which I need - I speak English, not German. Since I am in the CD's Linux environment and not in Windows, I cannot adust the screen resolution in WIndows. I could really use a way to view the entire GUI interface so I can proceed. Thanks for your help! ================ Warmly, Al Stearns Pisgah Forest, NC USA
  24. That sounds promising! I never saw an option to change to English, so the Avira AntiVir Rescue CD program on the infected PC is in GERMAN. Where exactly is this change to English? Due to low resolution, the lower part of each screen is off screen. Would the language change option be in the area I cannot see? Is there a way to change the resolution? Please advise. Warmly, Al Stearns Pisgah Forest, NC USA
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.