malfy Posted February 27, 2009 ID:60169 Share Posted February 27, 2009 mrxdavv.syskwave.sysCommon problem that seems to be surfacing everywhere lately. I have searched for many hours for a solution and it seems as if it isn't going to be easy. I love malwarebytes and hope that they're close to a solution, I have seen more than 1 moderator on these forums hint toward false positives, and made assurances that in the next version of mbam, it wont be an issue. Well I hope they weren't seriously suggesting something as absurd as them being false positives because those two 'files' are definately related to some issue. I am of course unable to rid myslef of these phantom files and I am hoping someone out there knows what to do.Not sure if it helps but, the reason I ran mbam in the first place was when I noticed (today) all of the sudden I could no longer use the 'task manager.' I remeber this being the case with a virus or malware I had once in the distant past so I assumed it was related, and that is when I discovered these files.As of right now, if I run mbam those 2 files will remain persistantly, I dont really have/use other malware cleaning software on my computer as this is rarely ever a problem for me. Here are my log files:Malwarebytes' Anti-Malware 1.34Database version: 1809Windows 5.1.2600 Service Pack 32/27/2009 6:36:23 AMmbam-log-2009-02-27 (06-36-23).txtScan type: Quick ScanObjects scanned: 58667Time elapsed: 2 minute(s), 35 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.//////////////////////////////////////////////////////////////////////////////////////////////////Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:48:55 AM, on 2/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\Program Files\NETGEAR\WG311v3\wlancfg5.exeC:\Apache2.2\bin\httpd.exeC:\mysql\bin\mysqld-nt.exeC:\WINDOWS\system32\nvsvc32.exeC:\Apache2.2\bin\httpd.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imAppO4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exeO16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cabO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cabO18 - Filter hijack: text/html - {7d9a5b50-346d-420b-a94f-82c94e931453} - (no file)O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache2.2\bin\httpd.exeO23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe--End of file - 3783 bytes**note: just a list of other files which were removed that could be related....system32\a9k.bin...system32\proto.dll...Application Data\Microsoft\Windows\mas32.dll Link to post Share on other sites More sharing options...
Tigger93 Posted February 27, 2009 ID:60226 Share Posted February 27, 2009 You appear to be running this computer as a server? If possible, it might be a good idea to take the server offline for a bit to prevent people from getting infected.Download ComboFix from one of the locations below, and save it to your Desktop. Link 1Link 2 Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.When finished, it shall produce a log for you. Post that log and a HijackThis log in your next replyNote: Do not mouseclick Combofix's window while its running. That may cause it to stall Link to post Share on other sites More sharing options...
malfy Posted February 27, 2009 Author ID:60242 Share Posted February 27, 2009 OK ummm, my computer isn't running as an online server, that was just a local setup I have to test web content before I put it online. However I went ahead and disabled my apache/mysql services to avoid any confusion. After that I followed your posts instructions to the letter and here are the logs:ComboFix 09-02-26.02 - malfy 2009-02-27 13:28:46.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1682 [GMT -6:00]Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\LocalService\Application Data\twain_32c:\documents and settings\LocalService\Application Data\twain_32\user.dsC:\install.exec:\windows\system32\drivers\mrxdavv.sysc:\windows\system32\drivers\npf.sysc:\windows\system32\KSAIOqss.inic:\windows\system32\KSAIOqss.ini2c:\windows\system32\kwave.sysc:\windows\system32\kyscfmxr.inic:\windows\system32\omnrswok.inic:\windows\system32\packet.dllc:\windows\system32\wpcap.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_NPF((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 ))))))))))))))))))))))))))))))).2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb2009-02-27 04:15 . 2009-02-27 04:15 61,440 --a------ c:\windows\system32\drivers\llqp.sys2009-02-27 04:11 . 2009-02-27 04:11 61,440 --a------ c:\windows\system32\drivers\gdhw.sys2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-19 01:29 . 2009-02-19 01:29 336 --a------ c:\windows\system32\ikhcore.cfg2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager2009-02-17 14:54 . 2009-02-17 16:58 145 --a-s---- c:\windows\system32\582960402.dat2009-02-16 18:49 . 2009-02-26 22:23 7 --a------ c:\windows\system32\nar.bin2009-02-16 10:21 . 2009-02-16 10:21 8,768 --a------ c:\windows\system32\drivers\bcmwl5.sys2009-02-16 10:21 . 2009-02-16 10:21 50 --a------ c:\windows\system32\wdh.bin2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-27 10:15 324 ----a-w c:\program files\bpxmss.txt2009-02-27 10:02 --------- d-----w c:\program files\PokerStars2009-02-27 04:23 --------- d-----w c:\program files\Steam2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information2009-01-19 05:09 --------- d-----w c:\program files\mIRC2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat.------- Sigcheck -------2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll"VIDC.RUD0"= rududu.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]@="Driver"[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnkbackup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]backup=c:\windows\pss\Adobe Gamma.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"iPod Service"=3 (0x3)"Apple Mobile Device"=2 (0x2)"Adobe LM Service"=3 (0x3)"aawservice"=2 (0x2)"FLEXnet Licensing Service"=3 (0x3)"Bonjour Service"=2 (0x2)"MySQL"=2 (0x2)"Apache2.2"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\Steam\\Steam.exe"="c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"="c:\\Program Files\\Ventrilo\\Ventrilo.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista ServerS2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s.Contents of the 'Scheduled Tasks' folder2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34].- - - - ORPHANS REMOVED - - - -MSConfigStartUp-Microsoft Windows Sound - svuhost.exe.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localFF - ProfilePath - .**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-27 13:30:39Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]"ImagePath"=" srv"[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]"ImagePath"="c:\mysql\bin\mysqld-nt MySQL".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode)"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68, 66,62,6c,65,00,00"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c, 6c,68,6e,69,70,00,00.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1000)c:\windows\system32\MrvGINA.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvsvc32.exec:\windows\system32\wdfmgr.exe.**************************************************************************.Completion time: 2009-02-27 13:33:25 - machine was rebootedComboFix-quarantined-files.txt 2009-02-27 19:33:23Pre-Run: 51,932,557,312 bytes freePost-Run: 52,429,914,112 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn242 --- E O F --- 2009-02-25 09:00:23///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:40:27 PM, on 2/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\NETGEAR\WG311v3\wlancfg5.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exeO16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cabO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cabO23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe--End of file - 2664 bytes**note: I am going to be moving from one apartment to another shortly so I may be on and offline irregularly, please do not think I have abandonded this problem and lock the thread. I will be here! Link to post Share on other sites More sharing options...
Tigger93 Posted February 27, 2009 ID:60250 Share Posted February 27, 2009 Since your sever is just for your own testing purposes, feel free to enable it again. I just wanted to make sure it wasn't one for a real website as it could infect others.1. Please open Notepad Click Start , then RunType notepad .exe in the Run Box.2. Now copy/paste the entire content of the codebox below into the Notepad window:File::c:\windows\system32\582960402.datc:\program files\bpxmss.txtCollect::c:\windows\system32\drivers\llqp.sysc:\windows\system32\drivers\gdhw.sysc:\windows\system32\drivers\bcmwl5.sysc:\windows\system32\nar.binc:\windows\system32\wdh.binc:\windows\system32\ikhcore.cfg3. Save the above as CFScript.txt4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:Combofix.txt A new HijackThis log. Link to post Share on other sites More sharing options...
malfy Posted February 27, 2009 Author ID:60282 Share Posted February 27, 2009 Ok ran the script for ComboFix, also when ComboFix loaded this time it ran a self-update, which didn't appear to interfere with the script running. So here are my new logs:ComboFix 09-02-27.01 - 2009-02-27 15:30:47.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -6:00]Running from: c:\documents and settings\malfy\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\malfy\Desktop\CFScript.txt * Created a new restore pointFILE ::c:\program files\bpxmss.txtc:\windows\system32\582960402.dat.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\program files\bpxmss.txtc:\windows\system32\582960402.datc:\windows\system32\drivers\bcmwl5.sysc:\windows\system32\drivers\gdhw.sysc:\windows\system32\drivers\llqp.sysc:\windows\system32\drivers\mrxdavv.sysc:\windows\system32\ikhcore.cfgc:\windows\system32\kwave.sysc:\windows\system32\nar.binc:\windows\system32\wdh.bin.((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 ))))))))))))))))))))))))))))))).2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-02-27 10:02 --------- d-----w c:\program files\PokerStars2009-02-27 04:23 --------- d-----w c:\program files\Steam2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information2009-02-17 00:54 --------- d-----w c:\documents and settings\malfy\Application Data\Orbit2009-02-17 00:53 --------- d-----w c:\program files\AddOn Studio for World of Warcraft2009-01-19 05:09 --------- d-----w c:\program files\mIRC2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat.------- Sigcheck -------2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll"VIDC.RUD0"= rududu.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]@="Driver"[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnkbackup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]backup=c:\windows\pss\Adobe Gamma.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"iPod Service"=3 (0x3)"Apple Mobile Device"=2 (0x2)"Adobe LM Service"=3 (0x3)"aawservice"=2 (0x2)"FLEXnet Licensing Service"=3 (0x3)"Bonjour Service"=2 (0x2)"MySQL"=2 (0x2)"Apache2.2"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="c:\\Program Files\\Steam\\Steam.exe"="c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"="c:\\Program Files\\Ventrilo\\Ventrilo.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista ServerS2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s.Contents of the 'Scheduled Tasks' folder2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localFF - ProfilePath - .**************************************************************************catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-02-27 15:32:42Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]"ImagePath"=" srv"[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]"ImagePath"="c:\mysql\bin\mysqld-nt MySQL".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]@Allowed: (Read) (RestrictedCode)@Allowed: (Read) (RestrictedCode)"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68, 66,62,6c,65,00,00"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c, 6c,68,6e,69,70,00,00.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1000)c:\windows\system32\MrvGINA.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\nvsvc32.exec:\windows\system32\wdfmgr.exe.**************************************************************************.Completion time: 2009-02-27 15:35:31 - machine was rebooted [malfy]ComboFix-quarantined-files.txt 2009-02-27 21:35:28ComboFix2.txt 2009-02-27 19:33:26Pre-Run: 52,420,685,824 bytes freePost-Run: 52,405,874,688 bytes free225 --- E O F --- 2009-02-25 09:00:23//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:40:38 PM, on 2/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16791)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\NETGEAR\WG311v3\wlancfg5.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\notepad.exeC:\WINDOWS\Explorer.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exeO16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cabO16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cabO23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe--End of file - 2697 bytes Link to post Share on other sites More sharing options...
malfy Posted February 27, 2009 Author ID:60286 Share Posted February 27, 2009 haha well you never asked me to run mbam again so I didn't do it until just now. The problem files appear to have been removed! If you see any other problems of mention in those updated logs let me know. Otherwise thank you very much for helping me so quickly and effectively.Malwarebytes' Anti-Malware 1.34Database version: 1810Windows 5.1.2600 Service Pack 32/27/2009 4:08:39 PMmbam-log-2009-02-27 (16-08-39).txtScan type: Quick ScanObjects scanned: 57442Time elapsed: 1 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
Tigger93 Posted February 27, 2009 ID:60291 Share Posted February 27, 2009 Go start -> run and type in combofix /u and press OK to remove Combofix.Everything looks good. Are you still having any problems? Link to post Share on other sites More sharing options...
Recommended Posts