Jump to content

dont we love mrxdavv.sys kwave.sys?


malfy

Recommended Posts

mrxdavv.sys

kwave.sys

Common problem that seems to be surfacing everywhere lately. I have searched for many hours for a solution and it seems as if it isn't going to be easy. I love malwarebytes and hope that they're close to a solution, I have seen more than 1 moderator on these forums hint toward false positives, and made assurances that in the next version of mbam, it wont be an issue. Well I hope they weren't seriously suggesting something as absurd as them being false positives because those two 'files' are definately related to some issue. I am of course unable to rid myslef of these phantom files and I am hoping someone out there knows what to do.

Not sure if it helps but, the reason I ran mbam in the first place was when I noticed (today) all of the sudden I could no longer use the 'task manager.' I remeber this being the case with a virus or malware I had once in the distant past so I assumed it was related, and that is when I discovered these files.

As of right now, if I run mbam those 2 files will remain persistantly, I dont really have/use other malware cleaning software on my computer as this is rarely ever a problem for me. Here are my log files:

Malwarebytes' Anti-Malware 1.34

Database version: 1809

Windows 5.1.2600 Service Pack 3

2/27/2009 6:36:23 AM

mbam-log-2009-02-27 (06-36-23).txt

Scan type: Quick Scan

Objects scanned: 58667

Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

//////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:48:55 AM, on 2/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\Apache2.2\bin\httpd.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Apache2.2\bin\httpd.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab

O18 - Filter hijack: text/html - {7d9a5b50-346d-420b-a94f-82c94e931453} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache2.2\bin\httpd.exe

O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)

O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 3783 bytes

**note: just a list of other files which were removed that could be related.

...system32\a9k.bin

...system32\proto.dll

...Application Data\Microsoft\Windows\mas32.dll

Link to post
Share on other sites

You appear to be running this computer as a server? If possible, it might be a good idea to take the server offline for a bit to prevent people from getting infected.

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

OK ummm, my computer isn't running as an online server, that was just a local setup I have to test web content before I put it online. However I went ahead and disabled my apache/mysql services to avoid any confusion. After that I followed your posts instructions to the letter and here are the logs:

ComboFix 09-02-26.02 - malfy 2009-02-27 13:28:46.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1682 [GMT -6:00]

Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\LocalService\Application Data\twain_32

c:\documents and settings\LocalService\Application Data\twain_32\user.ds

C:\install.exe

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\KSAIOqss.ini

c:\windows\system32\KSAIOqss.ini2

c:\windows\system32\kwave.sys

c:\windows\system32\kyscfmxr.ini

c:\windows\system32\omnrswok.ini

c:\windows\system32\packet.dll

c:\windows\system32\wpcap.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))

.

2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb

2009-02-27 04:15 . 2009-02-27 04:15 61,440 --a------ c:\windows\system32\drivers\llqp.sys

2009-02-27 04:11 . 2009-02-27 04:11 61,440 --a------ c:\windows\system32\drivers\gdhw.sys

2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-19 01:29 . 2009-02-19 01:29 336 --a------ c:\windows\system32\ikhcore.cfg

2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager

2009-02-17 14:54 . 2009-02-17 16:58 145 --a-s---- c:\windows\system32\582960402.dat

2009-02-16 18:49 . 2009-02-26 22:23 7 --a------ c:\windows\system32\nar.bin

2009-02-16 10:21 . 2009-02-16 10:21 8,768 --a------ c:\windows\system32\drivers\bcmwl5.sys

2009-02-16 10:21 . 2009-02-16 10:21 50 --a------ c:\windows\system32\wdh.bin

2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker

2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common

2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-27 10:15 324 ----a-w c:\program files\bpxmss.txt

2009-02-27 10:02 --------- d-----w c:\program files\PokerStars

2009-02-27 04:23 --------- d-----w c:\program files\Steam

2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III

2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft

2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-19 05:09 --------- d-----w c:\program files\mIRC

2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame

2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer

2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat

.

------- Sigcheck -------

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys

2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys

2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys

2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys

2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys

2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys

2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys

2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll

2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll

2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll

2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll

2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll

2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll

2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

"VIDC.RUD0"= rududu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk

backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]

-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]

-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]

-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"MySQL"=2 (0x2)

"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista Server

S2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]

S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]

S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

.

Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Microsoft Windows Sound - svuhost.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-27 13:30:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]

"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68,

66,62,6c,65,00,00

"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c,

6c,68,6e,69,70,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)

c:\windows\system32\MrvGINA.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2009-02-27 13:33:25 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-27 19:33:23

Pre-Run: 51,932,557,312 bytes free

Post-Run: 52,429,914,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

242 --- E O F --- 2009-02-25 09:00:23

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:40:27 PM, on 2/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab

O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 2664 bytes

**note: I am going to be moving from one apartment to another shortly so I may be on and offline irregularly, please do not think I have abandonded this problem and lock the thread. I will be here!

Link to post
Share on other sites

Since your sever is just for your own testing purposes, feel free to enable it again. I just wanted to make sure it wasn't one for a real website as it could infect others.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\582960402.dat

c:\program files\bpxmss.txt

Collect::

c:\windows\system32\drivers\llqp.sys

c:\windows\system32\drivers\gdhw.sys

c:\windows\system32\drivers\bcmwl5.sys

c:\windows\system32\nar.bin

c:\windows\system32\wdh.bin

c:\windows\system32\ikhcore.cfg

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
Link to post
Share on other sites

Ok ran the script for ComboFix, also when ComboFix loaded this time it ran a self-update, which didn't appear to interfere with the script running. So here are my new logs:

ComboFix 09-02-27.01 - 2009-02-27 15:30:47.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -6:00]

Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\malfy\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\program files\bpxmss.txt

c:\windows\system32\582960402.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\bpxmss.txt

c:\windows\system32\582960402.dat

c:\windows\system32\drivers\bcmwl5.sys

c:\windows\system32\drivers\gdhw.sys

c:\windows\system32\drivers\llqp.sys

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\ikhcore.cfg

c:\windows\system32\kwave.sys

c:\windows\system32\nar.bin

c:\windows\system32\wdh.bin

.

((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))

.

2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro

2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb

2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes

2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager

2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker

2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common

2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-27 10:02 --------- d-----w c:\program files\PokerStars

2009-02-27 04:23 --------- d-----w c:\program files\Steam

2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III

2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment

2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft

2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-17 00:54 --------- d-----w c:\documents and settings\malfy\Application Data\Orbit

2009-02-17 00:53 --------- d-----w c:\program files\AddOn Studio for World of Warcraft

2009-01-19 05:09 --------- d-----w c:\program files\mIRC

2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame

2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer

2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat

.

------- Sigcheck -------

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys

2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys

2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys

2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys

2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys

2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys

2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys

2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll

2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll

2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll

2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll

2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll

2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll

2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]

"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

"VIDC.RUD0"= rududu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk

backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]

-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]

-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]

-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"aawservice"=2 (0x2)

"FLEXnet Licensing Service"=3 (0x3)

"Bonjour Service"=2 (0x2)

"MySQL"=2 (0x2)

"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Steam\\Steam.exe"=

"c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista Server

S2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]

S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]

S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

.

Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath -

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-27 15:32:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]

"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]

"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68,

66,62,6c,65,00,00

"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c,

6c,68,6e,69,70,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)

c:\windows\system32\MrvGINA.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2009-02-27 15:35:31 - machine was rebooted [malfy]

ComboFix-quarantined-files.txt 2009-02-27 21:35:28

ComboFix2.txt 2009-02-27 19:33:26

Pre-Run: 52,420,685,824 bytes free

Post-Run: 52,405,874,688 bytes free

225 --- E O F --- 2009-02-25 09:00:23

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:40:38 PM, on 2/27/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe

O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab

O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 2697 bytes

Link to post
Share on other sites

haha well you never asked me to run mbam again so I didn't do it until just now. The problem files appear to have been removed! If you see any other problems of mention in those updated logs let me know. Otherwise thank you very much for helping me so quickly and effectively.

Malwarebytes' Anti-Malware 1.34

Database version: 1810

Windows 5.1.2600 Service Pack 3

2/27/2009 4:08:39 PM

mbam-log-2009-02-27 (16-08-39).txt

Scan type: Quick Scan

Objects scanned: 57442

Time elapsed: 1 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

:rolleyes:

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.