MBAM Does Not Remove mrxdavv.sys


Hello,

Thank you for your quick response.

To set the stage, I am having the following problems with a WinXP Home SP3 PC:

a) This PC, when connected to my network, seems to be flooding the network with packets preventing Internet access for the other PCs on the network.

b) MBAM continues to say I am infected with C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H). After many attempted removals with MBAM, Norton AntiVirus 2009, Combo-Fix with the CRScript, and Avenger, ComboFix without the script says it deletes two files, C:\WINDOWS\system32\drivers\mrxdavv.sys and C:\WINDOWS\system32\kwave.sys, but they remain and are not visible via normal means.

Per your instructions via the link you provided:

1) I did a quick scan with the latest MBAM (v1.33) and the latest database version at the time (1709) with the following results:

===============================

Malwarebytes' Anti-Malware 1.33

Database version: 1709

Windows 5.1.2600 Service Pack 3

1/30/2009 6:23:58 PM

mbam-log-2009-01-30 (18-23-58).txt

Scan type: Quick Scan

Objects scanned: 60840

Time elapsed: 33 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\drivers\beep.sys (Trojan.Patched) -> Quarantined and deleted successfully.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

================================

2) After the required reboot for the quick scan of MBAM above, I again ran the latest MBAM (v1.33) and the latest database version at the time (1710) with the following results:

================================

Malwarebytes' Anti-Malware 1.33

Database version: 1710

Windows 5.1.2600 Service Pack 3

1/30/2009 7:06:16 PM

mbam-log-2009-01-30 (19-06-16).txt

Scan type: Quick Scan

Objects scanned: 60565

Time elapsed: 24 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

============================

3) I then updated and ran a full system scan of Norton AntiVirus 2009 - no threats found in 559,271 items scanned.

4) I ran the latest HijackThis (v2.02; executable file renamed to HJT.EXE) and here is the resulting log file:

============================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:04:35 PM, on 1/30/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\system32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\NMSSvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Documents and Settings\Owner\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.citcom.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\IPSBHO.DLL

O2 - BHO: Java


  • Root Admin

Hi Al,

I think there may have been a false positive on the version of the database you have. Please click on the UPDATE tab of MBAM and update the program and do another Quick Scan please and a new HJT log and post both of those back again and we'll go from there.


Hi Al,

I think there may have been a false positive on the version of the database you have. Please click on the UPDATE tab of MBAM and update the program and do another Quick Scan please and a new HJT log and post both of those back again and we'll go from there.

I have done as you requested (results below). However, if this is a false positive how do you explain:

1) This PC (not mine) had been badly infected by viruses and spyware recently (some 70 viruses and malware)

2) Whenever I connect this PC to my network it floods the network killing Internet access for all other PCs on the network

3) Every time I run Combo-Fix, it sees and says it deletes C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) and C:\WINNT\system32\kwave.sys (Trojan.Agent)

I ran MBAM 1.33, Quick Scan with the latest database at this time (1712) with the following results:

================

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 3

1/31/2009 7:49:59 AM

mbam-log-2009-01-31 (07-49-59).txt

Scan type: Quick Scan

Objects scanned: 60998

Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

================

After the required restart for MBAM to delete the infected files, an update attempt (no new database) and another quick scan, I got the EXACT SAME RESULTS (the two offending files are not deleted on reboot):

================

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 3

1/31/2009 8:04:26 AM

mbam-log-2009-01-31 (08-04-26).txt

Scan type: Quick Scan

Objects scanned: 60970

Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

================

I am confident we can solve this together.

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

No problem. Just wanted to make sure there was not a FP from that build you had.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hello,

Since the PC I am trying to clean floods my network with packets, I cannot download COMBOFIX.EXE directly to it. I will need to download it on another PC and transfer it via USB Flash Drive.

I have run COMBOFIX multiple times per my extensive research on the Internet and it has not helped. I will do it again per your instructions; results are below. I did turn off Norton AntiVirus 2009 Auto-Protect and Windows Firewall beforehand.

I have run RootkitRevealer, which showed that the two offending files C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) and C:\WINNT\system32\kwave.sys (Trojan.Agent) are invisible to the Windows API and are not in the FAT. If there were a way to stop these from running and to see them to delete them from the hard drive (in the PC itself or attached to another PC), I could remove them. Do you know of any tool that will allow one to see files hidden from the Windows API and the FAT?

These files are either not being deleted or they are being REGENERATED (more likely) somehow.

c:\winnt\system32\drivers\mrxdavv.sys

c:\winnt\system32\kwave.sys

Note: ComboFix says I do not have the Recovery Console installed. I DO have it installed; I installed it manually before running ComboFix, and it now comes up with a 30-second wait on each startup giving me a chance to choose the Recovery Console.

Also below is another run of MBAM after ComboFix - the files REMAIN.

==========

ComboFix 09-01-31.01 - Owner 2009-01-31 19:57:24.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.157 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\winnt\system32\drivers\mrxdavv.sys

c:\winnt\system32\kwave.sys

.

((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))

.

2009-01-31 19:43 . 2009-01-31 19:45 34,914,304 --a------ c:\winnt\system32\ODARMFOLZB

2009-01-31 19:30 . 2009-01-31 19:30 <DIR> d-------- C:\$WIN_NT$.~BT

2009-01-30 13:00 . 2009-01-30 13:00 0 --a------ c:\documents and settings\Owner\settings.dat

2009-01-30 12:17 . 2009-01-30 12:17 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb

2009-01-30 12:00 . 2009-01-30 12:14 <DIR> d-------- C:\HaxFix

2009-01-30 12:00 . 2009-01-30 11:30 485,902 --a------ C:\HaxFix.exe

2009-01-30 10:35 . 2009-01-30 10:35 <DIR> d-------- c:\documents and settings\Owner\Application Data\Symantec

2009-01-30 06:49 . 2009-01-30 06:42 1,277,736 --a------ C:\ProcessMonitor.zip

2009-01-29 17:48 . 2007-08-01 22:47 102,664 --a------ c:\winnt\system32\drivers\tmcomm.sys

2009-01-29 15:30 . 2009-01-29 18:23 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6

2009-01-29 15:27 . 2009-01-29 15:27 <DIR> d-------- c:\winnt\Sun

2009-01-29 15:11 . 2009-01-29 15:10 410,984 --a------ c:\winnt\system32\deploytk.dll

2009-01-29 15:11 . 2009-01-29 15:10 73,728 --a------ c:\winnt\system32\javacpl.cpl

2009-01-29 15:09 . 2009-01-29 15:09 <DIR> d-------- c:\program files\Java

2009-01-29 11:00 . 2009-01-29 11:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec

2009-01-29 10:13 . 2008-12-11 22:08 36,272 -ra------ c:\winnt\system32\drivers\SymIM.sys

2009-01-29 06:55 . 2009-01-29 06:55 <DIR> d-------- c:\program files\Windows Installer Clean Up

2009-01-29 06:09 . 2009-01-29 06:09 <DIR> d-------- c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-01-29 05:35 . 2009-01-29 05:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-29 05:35 . 2009-01-14 16:11 38,496 --a------ c:\winnt\system32\drivers\mbamswissarmy.sys

2009-01-29 05:35 . 2009-01-14 16:11 15,504 --a------ c:\winnt\system32\drivers\mbam.sys

2009-01-29 05:26 . 2009-01-29 10:27 <DIR> d-------- c:\winnt\system32\drivers\NAV

2009-01-29 05:26 . 2009-01-29 05:26 <DIR> d-------- c:\program files\Windows Sidebar

2009-01-29 05:26 . 2009-01-29 05:26 <DIR> d-------- c:\program files\Symantec

2009-01-29 05:26 . 2009-01-29 05:26 <DIR> d-------- c:\program files\Norton AntiVirus

2009-01-29 05:26 . 2009-01-29 05:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton

2009-01-29 05:26 . 2009-01-29 05:26 124,464 --a------ c:\winnt\system32\drivers\SYMEVENT.SYS

2009-01-29 05:26 . 2009-01-29 05:26 60,808 --a------ c:\winnt\system32\S32EVNT1.DLL

2009-01-29 05:26 . 2009-01-29 05:26 10,635 --a------ c:\winnt\system32\drivers\SYMEVENT.CAT

2009-01-29 05:26 . 2009-01-29 05:26 806 --a------ c:\winnt\system32\drivers\SYMEVENT.INF

2009-01-29 05:25 . 2009-01-29 05:25 <DIR> d-------- c:\program files\NortonInstaller

2009-01-29 05:25 . 2009-01-29 05:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-01-29 04:14 . 2009-01-30 07:58 <DIR> d-------- C:\AntiSpyware

2009-01-29 04:14 . 2009-01-30 21:03 <DIR> d-------- C:\AntiHijack

2009-01-28 21:43 . 2008-04-14 04:42 14,336 --a------ c:\winnt\system32\svchost.exe

2009-01-28 20:25 . 2009-01-28 20:25 <DIR> d-------- C:\VundoFix Backups

2009-01-28 20:18 . 2009-01-21 03:45 3,048,418 --a------ C:\Combo-Fix.exe

2009-01-28 20:18 . 2009-01-21 03:48 119,808 --a------ C:\VundoFix.exe

2009-01-28 20:18 . 2009-01-28 18:59 2,521 --a------ C:\xp_taskbar_desktop_fixall.vbs

2009-01-28 19:37 . 2008-04-13 20:12 116,224 --a------ c:\winnt\system32\dllcache\xrxwiadr.dll

2009-01-28 19:37 . 2001-08-17 22:37 99,865 --a------ c:\winnt\system32\dllcache\xlog.exe

2009-01-28 19:37 . 2004-08-04 05:00 28,288 --a------ c:\winnt\system32\dllcache\xjis.nls

2009-01-28 19:37 . 2001-08-17 22:37 27,648 --a------ c:\winnt\system32\dllcache\xrxftplt.exe

2009-01-28 19:37 . 2001-08-17 22:36 23,040 --a------ c:\winnt\system32\dllcache\xrxwbtmp.dll

2009-01-28 19:37 . 2008-04-13 20:12 18,944 --a------ c:\winnt\system32\dllcache\xrxscnui.dll

2009-01-28 19:37 . 2001-08-17 22:37 4,608 --a------ c:\winnt\system32\dllcache\xrxflnch.exe

2009-01-28 19:35 . 2001-08-17 13:28 794,654 --a------ c:\winnt\system32\dllcache\usr1801.sys

2009-01-28 19:34 . 2001-08-17 12:18 285,760 --a------ c:\winnt\system32\dllcache\stlnata.sys

2009-01-28 19:33 . 2001-08-17 22:36 495,616 --a------ c:\winnt\system32\dllcache\sblfx.dll

2009-01-28 19:32 . 2001-08-17 13:28 899,146 --a------ c:\winnt\system32\dllcache\r2mdkxga.sys

2009-01-28 19:31 . 2001-08-17 14:05 351,616 --a------ c:\winnt\system32\dllcache\ovcodek2.sys

2009-01-28 19:30 . 2004-08-04 05:00 1,875,968 --a------ c:\winnt\system32\dllcache\msir3jp.lex

2009-01-28 19:29 . 2004-08-04 05:00 1,158,818 --a------ c:\winnt\system32\dllcache\korwbrkr.lex

2009-01-28 19:28 . 2004-08-04 05:00 10,129,408 --a------ c:\winnt\system32\dllcache\hwxkor.dll

2009-01-28 19:27 . 2001-08-17 14:56 1,733,120 --a------ c:\winnt\system32\dllcache\g400d.dll

2009-01-28 19:26 . 2001-08-17 12:14 952,007 --a------ c:\winnt\system32\dllcache\diwan.sys

2009-01-28 19:25 . 2004-08-04 05:00 1,677,824 --a------ c:\winnt\system32\dllcache\chsbrkr.dll

2009-01-28 19:24 . 2001-08-17 14:05 314,752 --a------ c:\winnt\system32\dllcache\camdro21.sys

2009-01-28 19:23 . 2001-08-17 14:55 382,592 --a------ c:\winnt\system32\dllcache\atidrab.dll

2009-01-28 19:21 . 2001-08-17 13:28 762,780 --a------ c:\winnt\system32\dllcache\3cwmcru.sys

2009-01-28 19:20 . 2001-08-17 14:56 66,048 --a------ c:\winnt\system32\dllcache\s3legacy.dll

2009-01-28 18:44 . 2002-11-13 18:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-01-28 18:44 . 2002-11-13 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterVideo

2009-01-28 18:44 . 2002-11-13 18:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InterTrust

2009-01-28 18:44 . 2009-01-28 18:44 <DIR> d-------- c:\documents and settings\Administrator

2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\usbaapl.sys

2009-01-28 13:53 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\GEARAspiWDM.sys

2009-01-26 19:02 . 2009-01-26 21:58 <DIR> d-------- c:\winnt\SxsCaPendDel

2009-01-24 16:00 . 2009-01-24 16:00 119 --a------ c:\winnt\system32\ak

2009-01-23 18:56 . 2009-01-27 05:23 7 --a------ c:\winnt\system32\nar.bin

2009-01-23 18:48 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\drivers\iscflash.sys

2009-01-23 18:48 . 2009-01-23 18:48 8,688 --a------ c:\winnt\system32\btw3a.sys

2009-01-23 18:48 . 2009-01-23 18:48 0 --a------ c:\winnt\system32\system32xp.exe.tmp

2009-01-23 18:47 . 2009-01-23 18:47 137,152 --a------ c:\winnt\system32\drivers\ethigokf.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-30 14:54 172 ----a-w c:\program files\rgzvb.txt

2009-01-30 11:59 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-30 03:20 --------- d-----w c:\program files\Yahoo!

2009-01-29 15:53 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-01-29 15:07 --------- d-----w c:\program files\Google

2009-01-29 11:59 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-29 11:59 --------- d-----w c:\program files\Logitech

2009-01-28 19:26 --------- d-----w c:\program files\hbinst

2009-01-26 23:58 --------- d-----w c:\program files\Common Files\Apple

2008-12-15 14:43 --------- d-----w c:\program files\MSN Messenger

2008-12-11 10:57 333,952 ----a-w c:\winnt\system32\drivers\srv.sys

2008-12-03 19:01 --------- d-----w c:\program files\QuickTime

2006-12-30 20:53 95,056 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

2003-12-27 20:26 1,733,056 -c--a-w c:\program files\canon-raw.exe

2003-12-27 20:18 299,624 -c--a-w c:\program files\directxwebsetup.exe

2002-08-29 13:00 94,784 -csh--w c:\winnt\twain.dll

2008-04-14 00:12 50,688 --sh--w c:\winnt\twain_32.dll

2004-10-10 22:27 32 --sha-w c:\winnt\{BB7B70C3-B2F2-407C-A791-CF2DDA431A93}.dat

2008-04-14 00:11 1,028,096 --sha-w c:\winnt\system32\mfc42.dll

2008-04-14 00:12 57,344 --sha-w c:\winnt\system32\msvcirt.dll

2008-04-14 00:12 413,696 --sha-w c:\winnt\system32\msvcp60.dll

2008-04-14 00:12 343,040 --sha-w c:\winnt\system32\msvcrt.dll

2008-04-14 00:12 551,936 --sh--w c:\winnt\system32\oleaut32.dll

2008-04-14 00:12 84,992 --sha-w c:\winnt\system32\olepro32.dll

2008-04-14 00:12 11,776 --sh--w c:\winnt\system32\regsvr32.exe

2004-10-10 22:27 32 --sha-w c:\winnt\system32\{26F9959A-E681-4126-A620-D2F17F4F38E6}.dat

.

((((((((((((((((((((((((((((( snapshot_2009-01-24_17.04.33.20 )))))))))))))))))))))))))))))))))))))))))

.

+ 2001-07-14 22:32:24 69,632 ----a-w c:\winnt\setupupd\temp\wsdueng.dll

- 2000-08-31 13:00:00 161,792 ----a-w c:\winnt\SWREG.exe

+ 2000-08-31 13:00:00 286,720 ----a-w c:\winnt\SWREG.exe

+ 2009-02-01 01:06:26 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_10c.dat

+ 2009-02-01 01:06:00 16,384 ----atw c:\winnt\temp\Perflib_Perfdata_2dc.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 200767]

"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"IgfxTray"="c:\winnt\System32\igfxtray.exe" [2003-07-10 155648]

"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [2003-07-10 114688]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"CapFax"="c:\program files\PhoneTools\CapFax.EXE" [2001-11-07 20480]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-03 684032]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-29 136600]

"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 c:\winnt\LOGI_MWX.EXE]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE]

"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 c:\winnt\GWMDMMSG.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-04-22 299008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"MyWebSearchService"=2 (0x2)

"ICF"=2 (0x2)

"FCI"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=

"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ati4joxx;ati4joxx; [x]

R0 jpwkzfgz;jpwkzfgz; [x]

R1 btw3a;Bluetooth 2.0.CE Driver;c:\winnt\system32\btw3a.sys [2009-01-23 8688]

R1 ethigokf;ethigokf;c:\winnt\system32\drivers\ethigokf.sys [2009-01-23 137152]

R1 iscFlash;iscFlash;c:\winnt\SYSTEM32\DRIVERS\iscflash.sys [2009-01-23 8688]

R1 PCDRDRV;Pcdr Helper Driver; [x]

R3 ati7uaxx;ati7uaxx; [x]

R3 BNNIV;BNNIV; [x]

R3 GQXKKXFC;GQXKKXFC; [x]

R3 ONWXUV;ONWXUV; [x]

S0 SymEFA;Symantec Extended File Attributes; [x]

S1 BHDrvx86;Symantec Heuristics Driver;c:\winnt\System32\Drivers\NAV\1002000.007\BHDrvx86.sys [2008-12-11 255536]

S1 ccHP;Symantec Hash Provider;c:\winnt\System32\Drivers\NAV\1002000.007\ccHPx86.sys [2009-01-29 362544]

S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090129.001\IDSxpx86.sys [2009-01-29 274808]

S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe [2008-12-11 115560]

S2 RioPNP;RioPNP; [x]

S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-29 99376]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG

*NewlyCreated* - NMSSVC


.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uStart Page = hxxp://home.citcom.net/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-31 20:06:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE

c:\program files\HP\Digital Imaging\bin\hpqtra08.exe

c:\program files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

c:\program files\QUICKENW\QWDLLS.EXE

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\program files\HP\Digital Imaging\bin\hpqste08.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\winnt\system32\NMSSvc.Exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\winnt\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-01-31 20:20:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-01 01:19:37

ComboFix2.txt 2009-01-24 22:08:58

ComboFix3.txt 2009-01-31 13:58:54

ComboFix4.txt 2009-01-30 14:46:51

ComboFix5.txt 2009-02-01 00:55:48

Pre-Run: 25,574,522,880 bytes free

Post-Run: 25,567,072,256 bytes free

379 --- E O F --- 2009-01-30 12:14:05

==========

==========

Malwarebytes' Anti-Malware 1.33

Database version: 1712

Windows 5.1.2600 Service Pack 3

1/31/2009 8:49:56 PM

mbam-log-2009-01-31 (20-49-56).txt

Scan type: Quick Scan

Objects scanned: 60557

Time elapsed: 27 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

==========

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

I'm sorry, and I understand your frustration, but I've not seen what's going on with your system, so I need these logs to help me determine why or how they come back.

Please run the following tools to gather information.

You may want to print out the instructions or view from another connected computer while working on it.

How to use SDFix

Then run this one.

Please download the following scanning tool. GMER

  • Open the zip file and copy the file gmer.exe to your Desktop.
  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

Hopefully between these 2 I'll have enough information to kill this off.


Hello,

I ran SDFix per your instructions. The log file is below. It did not help. MBAM still finds the following two files on the PC:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H)

C:\WINNT\system32\kwave.sys (Trojan.Agent)

I downloaded and tried to run gmer.exe. It fails with the following message:

CreateFile "C:\WINNT\System32\drivers\gmer.sys" : Not enough quota is available to process this command

Disk quotas are DISABLED. The PC is running 512MB with 768MB virtual RAM. This command makes no sense unless the remaining infections are misinforming WinXP Home SP3.

I also found this error in the catchme.log file created by ComboFix (ComboFix uses GMER).

================

SDFix: Version 1.240

Run by Owner on Sun 02/01/2009 at 07:06 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-01 07:16:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd:*:Enabled:Age of Empires II Expansion"

"C:\\Program Files\\MSN Gaming Zone\\zclient.exe"="C:\\Program Files\\MSN Gaming Zone\\zclient.exe:*:Enabled:Zone Datafile"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe:*:Disabled:hpgs2wnf Module"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe:*:Disabled:TODO: <File description>"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

Files with Hidden Attributes :

Thu 29 Jan 2009 207 A.SHR --- "C:\BOOT.BAK"

Thu 29 Aug 2002 94,784 ..SH. --- "C:\WINNT\twain.dll"

Sun 13 Apr 2008 50,688 ..SH. --- "C:\WINNT\twain_32.dll"

Thu 27 Jun 2002 37,615,264 A..H. --- "C:\Program Files\Online Services\AOL70US.EXE"

Sun 13 Apr 2008 1,028,096 A.SH. --- "C:\WINNT\system32\mfc42.dll"

Sun 13 Apr 2008 57,344 A.SH. --- "C:\WINNT\system32\msvcirt.dll"

Sun 13 Apr 2008 413,696 A.SH. --- "C:\WINNT\system32\msvcp60.dll"

Sun 13 Apr 2008 343,040 A.SH. --- "C:\WINNT\system32\msvcrt.dll"

Sun 13 Apr 2008 551,936 ..SH. --- "C:\WINNT\system32\oleaut32.dll"

Sun 13 Apr 2008 84,992 A.SH. --- "C:\WINNT\system32\olepro32.dll"

Sun 13 Apr 2008 11,776 ..SH. --- "C:\WINNT\system32\regsvr32.exe"

Fri 13 Dec 2002 353,217 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1A.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1B.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1C.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1D.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1E.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT1F.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT20.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT21.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\BIT22.tmp"

Thu 28 Aug 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Fri 13 Dec 2002 0 A..H. --- "C:\Program Files\MSN\MSNCoreFiles\Setup\BIT23.tmp"

Sun 4 Jan 2004 84,480 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Templates\~WRL3477.tmp"

Tue 1 Jul 2008 286,208 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL0668.tmp"

Wed 14 Dec 2005 225,280 ...H. --- "C:\Documents and Settings\Owner\Application Data\Microsoft\Word\~WRL3557.tmp"

Finished!

===============

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

Hi Al,

Yes I know it did not remove it, I'm trying to get the correct information so that we can remove it.

Please run the following to remove GMER.

Click on START - RUN and type in %windir%\gmer_uninstall.cmd and press the ENTER key.

Then run this to remove your current copy of Combofix

To uninstall ComboFix.exe
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox\LastRun if the uninstall instructions don't work.

Then download and run this tool: RootRepeal and provide me the logs from it please. Click on the REPORT tab and choose all check boxes.


Hello,

1) I have removed GMER per your instructions.

2) I attempted to remove ComboFix per your instructions and got an error box:

Windows cannot find '32788R22FWJFW\Prep.com'. Make sure you typed the name correctly, and then try again. To search for a file, click on the Start button, and then click Search.

I searched the entire hard drive for prep.com and it was not found.

I clicked on the OK button of the error message and the ComboFix removal seemed to stop.

I tried to remove the folder C:\QooBox\LastRun folder but it did not exist.

3) I downloaded RootRepeal.zip per your link and when running it I get the following error:

Error - invalid PE image found

I clicked OK on the error and RootRepeal seems to run.

I clicked on the Report tab, clicked on Scan and selected all scans (6)- the results:

==========

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/02/02 08:52

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys

Address: 0xEF52B000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS

Address: 0xF8BF2000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINNT\system32\drivers\rootrepeal.sys

Address: 0xEE8DA000 Size: 45056 File Visible: No

Status: -

Name: SYMEFA.SYS

Image Path: SYMEFA.SYS

Address: 0xF8501000 Size: 323584 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINNT\$NtServicePackUninstall$\avc.sys

Status: Locked to the Windows API!

Path: C:\WINNT\ServicePackFiles\i386\avc.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 012 Function Name: NtAlertResumeThread

Status: Hooked by "<unknown>" at address 0x82d3c440

#: 013 Function Name: NtAlertThread

Status: Hooked by "<unknown>" at address 0x82dbb500

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "<unknown>" at address 0x82ebae48

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "<unknown>" at address 0x82ed2c38

#: 031 Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x82e65738

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINNT\system32\Drivers\SYMEVENT.SYS" at address 0xef912020

#: 043 Function Name: NtCreateMutant

Status: Hooked by "<unknown>" at address 0x82e01ba8

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "<unknown>" at address 0x828a40c0

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x82d2c478

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "<unknown>" at address 0x82ec58d8

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINNT\system32\Drivers\SYMEVENT.SYS" at address 0xef9122a0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINNT\system32\Drivers\SYMEVENT.SYS" at address 0xef912800

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "<unknown>" at address 0x82e2fbb8

#: 083 Function Name: NtFreeVirtualMemory

Status: Hooked by "<unknown>" at address 0x82cc86d8

#: 089 Function Name: NtImpersonateAnonymousToken

Status: Hooked by "<unknown>" at address 0x82eee3e8

#: 091 Function Name: NtImpersonateThread

Status: Hooked by "<unknown>" at address 0x82dbd868

#: 097 Function Name: NtLoadDriver

Status: Hooked by "<unknown>" at address 0x82cdc008

#: 108 Function Name: NtMapViewOfSection

Status: Hooked by "<unknown>" at address 0x82cd4090

#: 114 Function Name: NtOpenEvent

Status: Hooked by "<unknown>" at address 0x82db66b0

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0x82ddfd78

#: 123 Function Name: NtOpenProcessToken

Status: Hooked by "<unknown>" at address 0x82cd8700

#: 125 Function Name: NtOpenSection

Status: Hooked by "<unknown>" at address 0x82ec1c00

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0x82d5e490

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "<unknown>" at address 0x8286f0c0

#: 206 Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x82cf9128

#: 213 Function Name: NtSetContextThread

Status: Hooked by "<unknown>" at address 0x82e562b0

#: 228 Function Name: NtSetInformationProcess

Status: Hooked by "<unknown>" at address 0x82ceee98

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "<unknown>" at address 0x82ea1790

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINNT\system32\Drivers\SYMEVENT.SYS" at address 0xef912a50

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "<unknown>" at address 0x82d3d0a8

#: 254 Function Name: NtSuspendThread

Status: Hooked by "<unknown>" at address 0x82da9250

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0x82a380e8

#: 258 Function Name: NtTerminateThread

Status: Hooked by "<unknown>" at address 0x82d97b50

#: 267 Function Name: NtUnmapViewOfSection

Status: Hooked by "<unknown>" at address 0x82dc4380

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0x82eb7ae0

Stealth Objects

-------------------

Object: Hidden Code [ETHREAD: 0x82cf8d10]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a7eda8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a22868]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82db14c0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a24810]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a8dda8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82d001f0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ce1138]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e57530]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e35468]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82daf958]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e57118]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a25250]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a5eda8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82db91f0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e375b0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cf8478]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ce4a20]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a3e2e8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e25da8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82de0da8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82dc3020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e37a78]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ccbda8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e30370]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a6ada8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a818b8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cf97e8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e2d020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x827e7020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ecfda8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ddf410]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ce0da8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ccb978]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82dc4020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82da0020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a81560]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e86528]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82d9c2c0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cf5188]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ce3540]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cea400]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a2a2b8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82d45da8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ce1da8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82b187d8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82db9870]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82de7b18]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a1d950]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82ddd7b0]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a33350]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a20588]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cec428]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82a19020]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82cef7c8]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [ETHREAD: 0x82e54698]

Process: System Address: 0x81ff2feb Size: -

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]

Process: System Address: 0x81ffa626 Size: -

==========

Warmly, Al Stearns

Pisgah Forest, NC

USA

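The RootRepeal report quoted above is the one artifact in this thread that shows kernel-level tampering directly rather than by inference: SSDT entries hooked from addresses RootRepeal could not map to any loaded driver image (reported as "<unknown>"), several dozen System-process threads whose start address is the same unmapped code (0x81ff2feb), and a hook on Tcpip's IRP_MJ_CREATE dispatch routine, which is the path every socket open takes and the natural place to correlate with the network flooding reported at the top of the thread. Hooks RootRepeal attributes to SYMEVENT.SYS are Norton's and expected. The Python below is an added example, not code from the thread or from RootRepeal: it parses a report in this layout and separates hooks that resolve to a listed driver range from those that do not, counts the hidden-thread code addresses, and lists driver dispatch hooks. The sample report is a constructed excerpt of the report above; `parse_report`, `owner_of` and `triage` are names chosen here. One caveat the code encodes: the Drivers table in this report lists only a handful of drivers, so a hook is flagged only when RootRepeal itself could not name a module and the address also falls outside every range that was listed.

```python
import re
from collections import Counter

# Constructed excerpt in RootRepeal's report layout; the values are copied from the
# report quoted in the post above, cut down to a few entries per section.
SAMPLE_REPORT = """\
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINNT\\System32\\Drivers\\dump_atapi.sys
Address: 0xEF52B000 Size: 98304 File Visible: No
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x82d3c440
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINNT\\system32\\Drivers\\SYMEVENT.SYS" at address 0xef912020
#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x82cdc008

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x82cf8d10]
Process: System Address: 0x81ff2feb Size: -
Object: Hidden Code [ETHREAD: 0x82a7eda8]
Process: System Address: 0x81ff2feb Size: -
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x81ffa626 Size: -
"""

SECTIONS = ("Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects")
DRIVER_RE = re.compile(r"^Name: (?P<name>\S+)$")
RANGE_RE = re.compile(r"^Address: 0x(?P<addr>[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)")
HOOK_FN_RE = re.compile(r"^#: (?P<idx>\d+)\s+Function Name: (?P<fn>\w+)")
HOOK_BY_RE = re.compile(r'^Status: Hooked by "(?P<by>[^"]*)" at address 0x(?P<addr>[0-9A-Fa-f]+)')
OBJECT_RE = re.compile(r"^Object: Hidden Code \[(?P<obj>[^\]]+)\]")
OBJ_ADDR_RE = re.compile(r"^Process: (?P<proc>\S+)\s+Address: 0x(?P<addr>[0-9A-Fa-f]+)")


def parse_report(text):
    """Split a RootRepeal report into driver ranges, SSDT hooks and stealth objects.
    Every record spans two report lines, so the first half waits in `pending`."""
    section, pending = None, None
    drivers, hooks, stealth = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if line in SECTIONS:                      # banner lines before any section are ignored
            section, pending = line, None
            continue
        if section == "Drivers":
            if m := DRIVER_RE.match(line):
                pending = {"name": m["name"]}
            elif (m := RANGE_RE.match(line)) and pending is not None:
                pending.update(base=int(m["addr"], 16), size=int(m["size"]))
                drivers.append(pending); pending = None
        elif section == "SSDT":
            if m := HOOK_FN_RE.match(line):
                pending = {"index": int(m["idx"]), "function": m["fn"]}
            elif (m := HOOK_BY_RE.match(line)) and pending is not None:
                pending.update(hooked_by=m["by"], addr=int(m["addr"], 16))
                hooks.append(pending); pending = None
        elif section == "Stealth Objects":
            if m := OBJECT_RE.match(line):
                pending = {"object": m["obj"]}
            elif (m := OBJ_ADDR_RE.match(line)) and pending is not None:
                pending.update(process=m["proc"], addr=int(m["addr"], 16))
                stealth.append(pending); pending = None
    return drivers, hooks, stealth


def owner_of(addr, drivers):
    """Name of the listed driver whose image range [base, base+size) holds addr, else None."""
    for d in drivers:
        if d["base"] <= addr < d["base"] + d["size"]:
            return d["name"]
    return None


def triage(text):
    """Reduce a report to the findings worth acting on:
    - SSDT hooks RootRepeal labelled "<unknown>" that also lie outside every listed
      driver range: code running from memory that no loaded image claims;
    - hidden thread start addresses, counted, since many System threads sharing one
      unmapped address is one implant with a worker pool rather than many implants;
    - driver dispatch (IRP) hooks such as the one on Tcpip."""
    drivers, hooks, stealth = parse_report(text)
    unattributed = [h["function"] for h in hooks
                    if h["hooked_by"] == "<unknown>" and owner_of(h["addr"], drivers) is None]
    thread_code = Counter(s["addr"] for s in stealth if s["object"].startswith("ETHREAD"))
    return {
        "unattributed_ssdt_hooks": unattributed,
        "hidden_thread_code": {f"0x{a:08x}": n for a, n in thread_code.items()},
        "hooked_driver_dispatch": [s["object"] for s in stealth if s["object"].startswith("Driver:")],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

Run against the full report above, the hidden-thread counter collapses the long "Hidden Code [ETHREAD: ...]" list into a single entry for 0x81ff2feb with the thread count, and the unattributed list reproduces every function RootRepeal marked "<unknown>" because none of those addresses fall inside a listed driver image.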

  • Root Admin

Okay, well, let's try a forced removal since that tool did not provide the information either.

Though ComboFix said it removed it already as well, so if this does not work then you've got something deep that is trying to protect itself.

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
mrxdavv
kwave

Files to delete:
C:\WINDOWS\system32\drivers\mrxdavv.sys
C:\WINDOWS\system32\kwave.sys
C:\WINNT\system32\kwave.sys
C:\WINNT\system32\drivers\mrxdavv.sys
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.


Hello,

I have run Avenger per your instructions and as you can see from the results below, it did not find any of the variations of C:\WINNT\system32\kwave.sys and C:\WINNT\system32\drivers\mrxdavv.sys.

I updated MBAM and ran a quick scan and it found the two pests C:\WINNT\system32\kwave.sys and C:\WINNT\system32\drivers\mrxdavv.sys. Rebooting the PC and running MBAM again showed that the pests remain.

I ran HJT and the results are below.

It is amazing how well hidden these pests are.

Tell me, do you know of any tools that will allow me to look at the hard drive in raw format to locate and delete these two files without them hiding within Windows? I have tried NTFSDOS, but since the files are hidden from the FAT (according to an earlier run of RootkitRevealer - more recent runs do not see these two files), they do not show under NTFSDOS.

================

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mrxdavv" not found!

Deletion of driver "mrxdavv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kwave" not found!

Deletion of driver "kwave" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "C:\WINDOWS\system32\drivers\mrxdavv.sys"

Deletion of file "C:\WINDOWS\system32\drivers\mrxdavv.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "C:\WINDOWS\system32\kwave.sys"

Deletion of file "C:\WINDOWS\system32\kwave.sys" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "C:\WINNT\system32\kwave.sys" not found!

Deletion of file "C:\WINNT\system32\kwave.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINNT\system32\drivers\mrxdavv.sys" not found!

Deletion of file "C:\WINNT\system32\drivers\mrxdavv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

================

Malwarebytes' Anti-Malware 1.33

Database version: 1718

Windows 5.1.2600 Service Pack 3

2/3/2009 3:54:16 AM

mbam-log-2009-02-03 (03-54-16).txt

Scan type: Quick Scan

Objects scanned: 60256

Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

================

================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:08:56 AM, on 2/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\System32\svchost.exe

C:\Documents and Settings\Owner\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.citcom.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124652100218

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: GQXKKXFC - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GQXKKXFC.exe (file missing)

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--

End of file - 5464 bytes

================

Warmly, Al Stearns

Pisgah Forest, NC

USA

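Avenger's failures above say two different things, and a practitioner would read them next to the MBAM log rather than as a single "did not work". STATUS_OBJECT_PATH_NOT_FOUND for the C:\WINDOWS\... entries only means the parent directory does not exist: this machine's system root is C:\WINNT, as every other log in the thread shows, so those two script lines tested nothing. STATUS_OBJECT_NAME_NOT_FOUND for the C:\WINNT\... entries and for both service keys means a kernel-mode open by exact name found no such file and no such driver service, while MBAM keeps listing the very same paths as "Delete on reboot". That contradiction leaves two readings: the objects are hidden from the native API (consistent with the hooked NtCreateFile-adjacent SSDT entries RootRepeal reported), or MBAM's detection is keyed on something other than a currently openable file. The Python below is an added example, not code from the thread, MBAM or Avenger: it parses both log formats, pairs each MBAM path with the NTSTATUS Avenger returned for it, and separately lists script targets under the wrong Windows directory and service keys that do not exist. The log excerpts are copied from the posts above; `correlate` and the other names are chosen here, and the `windir` default assumes C:\WINNT as shown in the HijackThis log.

```python
import re

# Log excerpts copied from the posts above (MBAM "Files Infected" lines and the
# Avenger run), embedded so the example runs offline.
MBAM_LOG = r"""
Files Infected:
C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
"""

AVENGER_LOG = r"""
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\mrxdavv" not found!
Deletion of driver "mrxdavv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\kwave" not found!
Deletion of driver "kwave" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of file "C:\WINDOWS\system32\drivers\mrxdavv.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
Deletion of file "C:\WINDOWS\system32\kwave.sys" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
Deletion of file "C:\WINNT\system32\kwave.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Deletion of file "C:\WINNT\system32\drivers\mrxdavv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
"""

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
AVENGER_FAIL_RE = re.compile(r'^Deletion of (?P<kind>file|driver) "(?P<target>[^"]+)" failed!$')
AVENGER_STATUS_RE = re.compile(r"^Status: 0x[0-9a-fA-F]{8} \((?P<name>[A-Z_]+)\)$")

# What each NTSTATUS from a kernel-mode delete attempt actually tells you.
VERDICTS = {
    "STATUS_OBJECT_NAME_NOT_FOUND": "kernel-mode open by name found no such file: "
                                    "hidden below the native API, or the detection is stale/false",
    "STATUS_OBJECT_PATH_NOT_FOUND": "parent directory does not exist: the script path does not "
                                    "match this system's layout, so nothing was tested",
}


def norm(path):
    """NTFS paths are case-insensitive, so compare them folded."""
    return path.lower()


def parse_mbam(text):
    """Return [(path, detection, action)] for each MBAM 'Files Infected' line."""
    matches = (MBAM_RE.match(line.strip()) for line in text.splitlines())
    return [(m["path"], m["detection"], m["action"]) for m in matches if m]


def parse_avenger(text):
    """Map (kind, normalised target) -> NTSTATUS name for every failed deletion."""
    results, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := AVENGER_FAIL_RE.match(line):
            pending = (m["kind"], norm(m["target"]))
        elif (m := AVENGER_STATUS_RE.match(line)) and pending:
            results[pending] = m["name"]
            pending = None
    return results


def correlate(mbam_text, avenger_text, windir=r"C:\WINNT"):
    """Pair MBAM detections with Avenger's result for the same path, and flag
    script entries that were wasted (wrong Windows directory) or that show the
    driver service the scanner implies does not exist in the registry."""
    detections = parse_mbam(mbam_text)
    avenger = parse_avenger(avenger_text)
    per_path = {}
    for path, detection, action in detections:
        status = avenger.get(("file", norm(path)))
        verdict = ("no Avenger failure recorded for this path" if status is None
                   else VERDICTS.get(status, f"deletion failed with {status}"))
        per_path[path] = f"{detection}, MBAM action '{action}': {verdict}"
    wrong_root = sorted(t for kind, t in avenger
                        if kind == "file" and not t.startswith(norm(windir) + "\\"))
    missing_services = sorted(t for (kind, t), s in avenger.items()
                              if kind == "driver" and s == "STATUS_OBJECT_NAME_NOT_FOUND")
    return per_path, wrong_root, missing_services


if __name__ == "__main__":
    for part in correlate(MBAM_LOG, AVENGER_LOG):
        print(part)
```

The `wrong_root` list is the cheap sanity check to run before any forced-removal script on a machine whose Windows directory is not the default: every C:\WINDOWS\... target here was a no-op. The `missing_services` list matters for the next step, because a driver file with no service key is not loaded by the service manager at boot under that name, so whatever keeps the network flooding alive is started some other way.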

  • Root Admin

Well if this is the one that I think it is, it is a dual RootKit infection.

Here is what I recommend to try to remove it. Make sure your data is backed up first.

Please download this, place a blank CD in your burner and double-click on the downloaded file. It will automatically burn the CD for you.

At the bottom left should be 2 flags. If you use your mouse and click on the British flag the interface should switch to English for you.

Have it scan ALL files. There is no way that I'm aware of to save a log, so you may need to write down any special errors or infections found and their outcome.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

  • repair a damaged system,
  • rescue data,
  • scan the system for virus infections.

    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.


That sounds promising!

I never saw an option to change to English, so the Avira AntiVir Rescue CD program on the infected PC is in GERMAN.

Where exactly is this change to English?

Due to low resolution, the lower part of each screen is off screen. Would the language change option be in the area I cannot see? Is there a way to change the resolution?

Please advise.

Warmly, Al Stearns

Pisgah Forest, NC

USA


Hello,

I have narrowed down the problem I am having using the Avira AntiVir Rescue CD and have asked the following question on their forums.

===============

I just learned of your product and thought I would try it to deal with a dual root kit infection. I downloaded it an hour ago from:

http://www.free-av.com/en/tools/12/avira_a...cue_system.html

I am having a similar problem mentioned in the thread: "Rescue disk: No Language Selection & Screen size wrong"

The problem is that the screen resolution is 640 x 480 which makes the lower portion of the GUI interface unavailable. I have tried this on two different monitors with the same problem.

The missing lower portion of the GUI interface contains the language buttons which I need - I speak English, not German.

Since I am in the CD's Linux environment and not in Windows, I cannot adjust the screen resolution in Windows.

I could really use a way to view the entire GUI interface so I can proceed.

Thanks for your help!

================

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

You're the second one to complain of this issue. I've run it on a few systems and have not had a problem, wish I could help but not sure how to correct it. Maybe you could try one of these other boot tools. Most are in ISO so you don't just burn the file to a CD you need to OPEN the ISO and burn it.

LiveCD for Malware and Virus Removal

Here are links to Antivirus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair if needed.

All of them except Avira are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability.

Avira AntiVir Rescue System

BitDefender LiveCD

Dr Web LiveCD

F-Secure Rescue CD

Kaspersky RescueDisk

For those users that need a FREE utility to properly burn the ISO image

ImgBurn


  • Root Admin

Hi Al,

I took a little more time to review your logs and hopefully maybe this will make a dent in it.

If not then maybe a NEW run of Combofix would provide more details as this script is from old data from your system now.

Double click on AVENGER.EXE on your Desktop.

Copy and paste the following text from the code box below into the main window of Avenger.

Drivers to delete:
ati4joxx
jpwkzfgz
btw3a
ethigokf
iscFlash
ati7uaxx
BNNIV
GQXKKXFC
ONWXUV
RioPNP


Files to delete:
c:\winnt\system32\btw3a.sys
c:\winnt\SYSTEM32\DRIVERS\iscflash.sys
C:\WINNT\system32\drivers\mrxdavv.sys
C:\WINNT\system32\kwave.sys
c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
c:\winnt\system32\ak
c:\winnt\system32\nar.bin
c:\winnt\system32\system32xp.exe.tmp
c:\winnt\system32\drivers\ethigokf.sys


Folders to delete:
C:\$WIN_NT$.~BT
c:\winnt\SxsCaPendDel
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done run MBAM, go to the UPDATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.

Please look and see if you can find more information about these files.

Maybe try opening them in NOTEPAD and see if you can tell what they are.

Google can not find them, and another couple sites used for Malware detection don't show them either which makes them suspicious.

If nothing else maybe try renaming them to something like .DDD instead of .dat

c:\winnt\{BB7B70C3-B2F2-407C-A791-CF2DDA431A93}.dat

c:\winnt\system32\{26F9959A-E681-4126-A620-D2F17F4F38E6}.dat


Hello,

I ran Avenger 2.0 with the code you provided - the results are below. Note that c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP is a folder and not a file - I deleted this manually.

I ran MBAM, updated it, ran a Quick Scan (results below), rebooted, ran a Quick Scan again - same two files are still found. The results are below.

C:\WINNT\system32\kwave.sys

C:\WINNT\system32\drivers\mrxdavv.sys

It seems that these two files are CRITICAL to the rootkit's survival. MBAM can see them on some level, but cannot delete them. Is there a tool we can use to SEE them and manually delete them?

The latest HJT log is below.

The following files contain gibberish. I renamed them both with a hld extension.

c:\winnt\{BB7B70C3-B2F2-407C-A791-CF2DDA431A93}.dat

c:\winnt\system32\{26F9959A-E681-4126-A620-D2F17F4F38E6}.dat

================

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver "ati4joxx" deleted successfully.

Driver "jpwkzfgz" deleted successfully.

Driver "btw3a" deleted successfully.

Driver "ethigokf" deleted successfully.

Driver "iscFlash" deleted successfully.

Driver "ati7uaxx" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\BNNIV" not found!

Deletion of driver "BNNIV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "GQXKKXFC" deleted successfully.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ONWXUV" not found!

Deletion of driver "ONWXUV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Driver "RioPNP" deleted successfully.

File "c:\winnt\system32\btw3a.sys" deleted successfully.

File "c:\winnt\SYSTEM32\DRIVERS\iscflash.sys" deleted successfully.

Error: file "C:\WINNT\system32\drivers\mrxdavv.sys" not found!

Deletion of file "C:\WINNT\system32\drivers\mrxdavv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINNT\system32\kwave.sys" not found!

Deletion of file "C:\WINNT\system32\kwave.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: "c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" is a folder, not a file!

Deletion of file "c:\winnt\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP" failed!

Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)

--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "c:\winnt\system32\ak" deleted successfully.

File "c:\winnt\system32\nar.bin" deleted successfully.

File "c:\winnt\system32\system32xp.exe.tmp" deleted successfully.

File "c:\winnt\system32\drivers\ethigokf.sys" deleted successfully.

Folder "C:\$WIN_NT$.~BT" deleted successfully.

Folder "c:\winnt\SxsCaPendDel" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

================

Malwarebytes' Anti-Malware 1.33

Database version: 1725

Windows 5.1.2600 Service Pack 3

2/4/2009 8:23:40 AM

mbam-log-2009-02-04 (08-23-40).txt

Scan type: Quick Scan

Objects scanned: 60848

Time elapsed: 7 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

================

================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:39:33 AM, on 2/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\system32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINNT\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\Program Files\QUICKENW\QWDLLS.EXE

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

C:\Documents and Settings\Owner\Desktop\HJT.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\componentlauncher.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.citcom.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124652100218

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

--

End of file - 5794 bytes

================

Warmly, Al Stearns

Pisgah Forest, NC

USA

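A first-pass triage over HijackThis O4/O23 lines like the ones in the logs in this thread, added here as an illustration; it is not part of the thread, of HijackThis, or of any tool named here. The sample lines are a constructed subset modelled on the posted logs, and the heuristics (random-looking service name, image under a Temp folder, "file missing", "Unknown owner", Run entries with no full path) and the names `triage_hjt`, `Finding` and `looks_random` are my own, not HijackThis rules (Python 3.8+).

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines modelled on the logs posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O23 - Service: GQXKKXFC - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\GQXKKXFC.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
"""

# "O23 - Service: <name> - <owner> - <image path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>file missing)\))?$")
# "O4 - HKLM\..\Run: [<label>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    kind: str       # "O23" or "O4"
    name: str       # service name or Run value label
    path: str       # image path or command exactly as logged
    reasons: list   # heuristic hits, in evaluation order


def looks_random(name: str) -> bool:
    """My own threshold, not a HijackThis rule: a bare alphanumeric token of
    5+ characters with no vowels or a run of 5+ consonants (e.g. GQXKKXFC)."""
    if not re.fullmatch(r"[A-Za-z0-9]{5,}", name):
        return False
    low = name.lower()
    if not any(c in VOWELS for c in low):
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", low) is not None


def triage_o23(m: "re.Match") -> list:
    reasons = []
    path_low = m["path"].lower()
    if m["note"] == "file missing":
        reasons.append("service image not on disk (file missing)")
    if "\\temp\\" in path_low or "\\locals~1\\" in path_low:
        reasons.append("service image under a user Temp directory")
    if m["owner"].lower() == "unknown owner":
        reasons.append("no owner/company string")
    if looks_random(m["name"]):
        reasons.append("random-looking service name")
    return reasons


def triage_o4(m: "re.Match") -> list:
    cmd = m["cmd"].strip().strip('"')
    # A Run value with no drive letter is resolved through the PATH search order,
    # so the binary actually launched cannot be confirmed from the log alone.
    if not re.match(r"^[A-Za-z]:\\", cmd):
        return ["Run entry has no full path; binary resolved via PATH search"]
    return []


def triage_hjt(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            if reasons := triage_o23(m):
                findings.append(Finding("O23", m["name"], m["path"], reasons))
        elif m := O4_RE.match(line):
            if reasons := triage_o4(m):
                findings.append(Finding("O4", m["label"], m["cmd"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.kind} {f.name!r}: {f.path}")
        for r in f.reasons:
            print("   -", r)
```

A hit is a prompt to look closer (owner, signature, on-disk presence), not a verdict; the two bare-path Run entries in the sample belong to ordinary keyboard and mouse utilities.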

Hello,

Check out the following link and you will see that I am not alone having problems running the potentially useful Avira AntiVir Rescue CD due to video problems.

http://forum.avira.com/wbb/index.php?page=...amp;boardID=210

(my username there is arstearns)

I do understand how to use an ISO file to create a CD. I have Roxio Media Creator 2009 if CD burning software is needed.

This rootkit infection is hidden from both Windows API and the File Allocation Table. Standard antivirus programs are not going to find it. MBAM is the best program to deal with this sort of thing - it sees it but cannot do anything about it. Again, HOW is MBAM seeing these files? If we could see them manually we might be able to do something about them. NAV 2009 does not see them, Avenger does not see them. F-Secure BlackLight Root Detection and Elimination Tool does not see them, Sophos Anti-Rootkit v1.3 does not see them, GMER does not see them.

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

MBAM uses a proprietary low level driver to locate hidden files.

Quite similar to some of these other rootkit detectors but not the same and nothing exactly like it available anywhere else that I'm aware of.

Okay, this certainly won't remove the issue, but you should remove these items for now.

All older versions of Java have code that has been exploited and needs to be removed.

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

The Easy CD Creator 5 is very old and not very compatible with XP

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

Easy CD Creator 5.0 does not function in Windows XP

I'm sure as you've said that you have newer software for it anyways. If not and you need something then you might want to take a look at: ImgBurn

What I think is happening is that there is a driver that is the "Parent process" that so far we've overlooked and we need to find that driver and remove it.

I'm betting that both the C:\WINNT\system32\drivers\mrxdavv.sys and C:\WINNT\system32\kwave.sys don't exist during boot and are re-created by the Parent process on the fly.

If none of those other Anti-Virus boot disks work then I think we only have a few other options.

1. Build an Ultimate Boot CD for Windows and use that to attempt to locate the Parent process file.

2. Somehow get the Avira disk to work

3. Backup all data and Remove ALL security software and un-needed software, then try RK scanning software again.

4. FDISK, Format and re-install Windows.

Certainly there are other variations but I think you get the idea of the situation.

Please let me know what direction you'd like to take.

If it were my own system I would at least try option 1 or 3 but up to you.


Hello,

==========

If none of those other Anti-Virus boot disks work then I think we only have a few other options.

1. Build an Ultimate Boot CD for Windows and use that to attempt to locate the Parent process file.

2. Somehow get the Avira disk to work

3. Backup all data and Remove ALL security software and un-needed software, then try RK scanning software again.

4. FDISK, Format and re-install Windows.

==========

F-Secure Rescue disk did not find anything. F-Secure Internet Security 2009 trial did not find anything but does stop the infected PC from flooding the network with packets.

1) HOW would I use the Ultimate Boot CD for Windows to locate the Parent process file?

2) Not an option until May 09 or so (they need to fix).

3) What does RK scanning mean?

4) NOT AN OPTION

In my eyes you folks have become number one in fighting malware in the past 6-8 months. I am surprised Malwarebytes is not more interested in finding out what this is. Can I contact an upper level tech? I have a PC with a new malware infection and some 26 years experience working with PCs. I would think you would want to take advantage of this?

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

Hi Al,

MBAM is already aware of this file and will have a fix for it in the next version but it currently can't remove it due to limitations of the current build of the program.

The next build might not be out for a while though so that's why we use other tools.

The file C:\WINDOWS\system32\drivers\mrxdavv.sys does not really exist and is basically smoke and mirrors by the RootKit to throw you off track.

Finding and locating the entry for C:\WINDOWS\system32\kwave.sys on your system has been more difficult due to a couple of other issues such as the Daemon Tools and Easy CD Creator.

Let's see if we can just manually blow out the file with GMER.

Please start GMER and click on the tab with the 3 > > > arrows.

Then click on the Files tab and browse to this location.

C:\WINDOWS\system32\ and locate the file kwave.sys and highlight it.

Then click on KILL and then REBOOT

Then do another MBAM scan. It should find the file again but this time it should be able to remove it.

Have MBAM remove them again and reboot again and do another MBAM quick scan and this time they should not be there.

If they are then there is some other rootkit on the system, or possibly patched Microsoft OS files.


Hello,

Some additional information.

I have booted off the Trinity Rescue Kit 3.2 build 279 CD (Linux) and have cd'ed to /hda1/WINNT/System32 and KWAVE.SYS is not there.

I suspect this file is being created upon PC startup and deleted on PC shutdown.

Warmly, Al Stearns

Pisgah Forest, NC

USA

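The comparison behind the observation above (a file that a scanner inside the running system reports but that an offline boot cannot find), written out as an added Python example that is not part of this thread or of any tool named in it. The two listings are constructed samples standing in for a live-system scan and a rescue-CD listing of the same volume; the hashes are placeholders derived from labels, `osfile.sys` is a constructed placeholder name, and the three categories and the function names are my own.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def norm(path: str) -> str:
    """Normalise a path for comparison: case-insensitive, backslash separators.
    The offline view may present C:\\WINNT as /hda1/WINNT, so that mount
    prefix is mapped back to the drive letter (assumed single-volume layout)."""
    p = path.replace("/", "\\").lower()
    if p.startswith("\\hda1\\"):
        p = "c:" + p[len("\\hda1"):]
    return p


def fake_hash(label: str) -> str:
    # Placeholder digest so the two views can disagree about file content.
    return hashlib.sha256(label.encode()).hexdigest()


# "Online" view: what a scanner running inside Windows reports (constructed).
ONLINE_VIEW: Dict[str, str] = {
    r"C:\WINNT\system32\drivers\osfile.sys": fake_hash("osfile.sys:as-read-live"),
    r"C:\WINNT\system32\drivers\mrxdavv.sys": fake_hash("mrxdavv.sys"),
    r"C:\WINNT\system32\kwave.sys": fake_hash("kwave.sys"),
    r"C:\WINNT\system32\ctfmon.exe": fake_hash("ctfmon.exe"),
}

# "Offline" view: the same volume listed from a rescue CD (constructed).
OFFLINE_VIEW: Dict[str, str] = {
    "/hda1/WINNT/system32/drivers/osfile.sys": fake_hash("osfile.sys:on-disk"),
    "/hda1/WINNT/system32/ctfmon.exe": fake_hash("ctfmon.exe"),
    "/hda1/WINNT/system32/drivers/ethigokf.sys": fake_hash("ethigokf.sys"),
}


@dataclass
class CrossViewReport:
    online_only: List[str]      # reported live, absent offline: created at boot or a phantom entry
    offline_only: List[str]     # on disk, invisible live: hidden from the Windows API
    content_differs: List[str]  # same path, different bytes: patched file or a hooked read


def cross_view(online: Dict[str, str], offline: Dict[str, str]) -> CrossViewReport:
    """Compare two {path: digest} listings taken from different vantage points."""
    on = {norm(p): h for p, h in online.items()}
    off = {norm(p): h for p, h in offline.items()}
    both = set(on) & set(off)
    return CrossViewReport(
        online_only=sorted(set(on) - set(off)),
        offline_only=sorted(set(off) - set(on)),
        content_differs=sorted(p for p in both if on[p] != off[p]),
    )


if __name__ == "__main__":
    rep = cross_view(ONLINE_VIEW, OFFLINE_VIEW)
    print("live only   :", rep.online_only)
    print("offline only:", rep.offline_only)
    print("differs     :", rep.content_differs)
```

Each list is a lead, not proof: a legitimate file created at boot also lands in the first list, and a different digest may just mean the file was updated between the two listings.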

Hello,

Some more additional information.

While I was using the Trinity Rescue Kit 3.2 build 279 CD (Linux) I created a KWAVE.SYS file with the text STOP THAT RIGHT NOW! in it. I shut down, connected the hard drive to a WinXP PC and hid and write-protected the file. I placed the hard drive back in the infected PC and started in Safe Mode. I went to the C:\WINNT\System32\KWAVE.SYS file I had created and tried to open it with Notepad (worked fine in my non-infected PC) and I get a blank document with the error "Not enough quota is available to process this command."

I have seen this error multiple times when working to clean this PC - it must be part of the infection's defense mechanism.

I am doing all I can on this end. I look forward to some additional help from Malwarebytes.

Warmly, Al Stearns

Pisgah Forest, NC

USA


  • Root Admin

Okay as said at this point MBAM can only detect it and can not remove it till a future update.

(Yes, I understand that Easy CD Creator put out a newer fix, and if you don't wish to remove it that's up to you, it is not interfering with our scans, but do you really want something that old and unsupported on the box when there are much better tools available and for free? That was offered as advice in general, not so much for the Malware.)

Please do the following.

Disconnect from the Internet, or other Networks.

Set the Anti-Virus to DISABLED and reboot the computer.

Make sure ALL programs and software are stopped and quit any that you can in the system tray.

  • Double click on gmer.exe and run it.
  • It may take a minute to load and become available.
  • Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
  • Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
  • Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
  • DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
  • Click OK and quit the GMER program.

Download haxfix.exe and save it to your desktop.

  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"

A red "dos window" (dos box) will open with options:

1. Make logfile

2. Run auto fix

3. Run manual fix

E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.

This topic is now closed to further replies.