Jump to content

mbam can't delete mrxdavv.sys

v.tew

By v.tew
in Resolved Malware Removal Logs

 Share

Recommended Posts

v.tew

v.tew

Posted
Posted

I've been fighting a virus for a couple of days and have one last thing.

Mbam says that <win sys32>/drivers/mrxdavv.sys (with two v's) is a threat, yet it cannot kill it. After reboot, it says it's still a threat. Also, I cannot file this file anyway on disk.

Is this a problem or a false positive? What should I do next?

Any info helps. Thanks.

Link to post
Share on other sites
nosirrah

nosirrah

Posted
Posted

That looks like the core rootkit , it could be being reinstalled by another infection that we are missing . I need three things from you to know for sure .

Please download and run Hijackthis :

http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Choose the "Do a system scan and save a logfile" option .

Copy and paste the contenets of that log into your next post .

Download , unzip and run GMER :

http://www.gmer.net/gmer.zip

Do NOT click scan . GMER does an automatic quick scan when run . Click the copy button on the right side of GMER and then paste into your next post .

I also need a MBAM scan log .

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:18:49 AM, on 9/24/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\sistray.EXE

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\RunDll32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Users\Tim\SysInternals\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [userFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176293796919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: biugwl.dll tujznm.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: RIBV - Unknown owner - C:\DOCUME~1\betsy\LOCALS~1\Temp\RIBV.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O23 - Service: YPNMBCSLC - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\YPNMBCSLC.exe (file missing)

--

End of file - 7924 bytes

HJT also gave an error:

post-4144-1222264622_thumb.jpg

post-4144-1222264622_thumb.jpg

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted

mbam log

Malwarebytes' Anti-Malware 1.28

Database version: 1194

Windows 5.1.2600 Service Pack 1

9/24/2008 8:50:13 AM

mbam-log-2008-09-24 (08-49-40).txt

Scan type: Quick Scan

Objects scanned: 60569

Time elapsed: 8 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

Link to post
Share on other sites
nosirrah

nosirrah

Posted
Posted

I am very familiar with that error and it does indicate a major rootkit infection in your system (the rootkit knows what I am going to do with GMER and is blocking it) .

It would be a good idea to avoid doing anything that involves banking or passwords on this system for now . Once we get you clear it would be a good idea to change your existing passwords .

Download , unzip and run the attached application .

The drivers tab should be selected by default , click scan and then save report , name the file drivers (on your desktop) .

Click the processes tab , click scan and save report , name this one processes .

Click the SSDT tab , click scan and save report , name this one SSDT .

These logs will be to long to post to instead zip them and attach them to your next post .

I know you wont get back for a while so also send me a PM when you have the logs ready , otherwise you might be waiting for a while .

RootRepeal.zip

RootRepeal.zip

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted
While I look this over , I need to know why service pack 2 or 3 are not installed , it is a HUGE security risk not to have them installed .

I don't know. Gramps set up the machine for us and I haven't been paying attention to it. It's used mostly for email and surfing...and banking.

Norton was the gatekeeper, but it might have been disabled when we caught this.

The machine was offline as soon as we got infected. I've been online twice since and got reinfected instantly.

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted
I need to know why service pack 2 or 3 are not installed , it is a HUGE security risk not to have them installed .

As part fighting this infection, I repaired the OS last week from CD. That was SP 1a. The computer hasn't been online since the repair.

We were probably at SP2 when we got infected.

Link to post
Share on other sites
JeanInMontana

JeanInMontana

Posted
Posted

Hi since you have stated you used this machine for banking etc, please be sure to notify those entities that your identity could have been stolen. The best option for you is to do a total reformat at this stage. If that is impossible then please do the requested steps below.

I've been asked to request you use the program below, I realize if the machine is offline you can't follow all instructions, get the log for us above all else. This is the last ditch effort to fix the machine and a total reformat is the best option.

Review this article here how to use ComboFix

Be sure you cover the section on How to install and use the Windows XP Recovery Console and make sure it is installed on your machine. This is important should anything go wrong and we need to recover your PC and not lose all the data.

1. Download this file :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe save it to your desktop.

2. Double click combofix.exe. It will be a red icon with a white X on your desktop.

Follow the prompts you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.

3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.

Post that log and a HiJack log in your next reply

Note:

Do not mouseclick combofix's window while its running. That may cause it to stall.

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Hello v.tew

I will be taking over for Jean due to other commitments she has to attend to.

Please run the following since it has been a few days now.

STEP 1

Run MB and go to the UPDATE tab and update the program

STEP 2

Remove your network connection to the Internet

STEP 3

Run a Quick Scan with MB and make sure you allow it to fix anything it finds and reboot.

STEP 4

Run HJT and do a Scan only

STEP 5

Re-connect your network connection and post back the MB and HJT logs.

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted

Just going online, I get reinfected with 3-4 more things.

Updated, ran mbam, reboot, ran mbam again. Everything get deleted except mrxdavv.sys.

Here's the log:

========================================================

mbam log

========================================================

Malwarebytes' Anti-Malware 1.28

Database version: 1222

Windows 5.1.2600 Service Pack 1

9/30/2008 9:20:32 PM

mbam-log-2008-09-30 (21-20-32).txt

Scan type: Quick Scan

Objects scanned: 61410

Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

========================================================

HJT log

========================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:21:21 PM, on 9/30/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\sistray.EXE

C:\WINDOWS\System32\khooker.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Users\Tim\SysInternals\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [userFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176293796919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: biugwl.dll tujznm.dll

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: RIBV - Unknown owner - C:\DOCUME~1\betsy\LOCALS~1\Temp\RIBV.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: YPNMBCSLC - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\YPNMBCSLC.exe (file missing)

--

End of file - 8124 bytes

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Close any open browsers and shut down any other running applications.

You may want to save or print this out for review while offline

STEP 01

Disconnect your Internet connection

STEP 02

Start HJT and do a Scan only and place a check mark on the following items
  • O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

  • O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

  • O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} -
    http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

  • O20 - AppInit_DLLs: biugwl.dll tujznm.dll

    Then click on
    Fix selected

Then click on
Config
, then
Misc Tools,
and then press the
Delete an
NT
service
.. button.

When it opens you should then enter the service name
YPNMBCSLC
and press OK.

Then do the same thing for this one
RIBV

It may or may not find either one but that's okay for now.

STEP 03

Open notepad and copy/paste the text in the code box below into it:

Save this as
CFScript.txt
, in the same location as
ComboFix.exe
on the
Desktop
File::

C:\WINDOWS\SETB0.tmp

C:\WINDOWS\SETBC.tmp

C:\WINDOWS\system32\B.tmp

C:\WINDOWS\system32\uxFiPXbc.ini2

C:\WINDOWS\system32\SET646.tmp

C:\WINDOWS\system32\SET856.tmp

C:\WINDOWS\system32\SET9C1.tmp

C:\WINDOWS\Installer\{88D0E768-CD6A-42A9-97F9-2B12CF740019}\NewShortcut1.exe

C:\DOCUME~1\betsy\LOCALS~1\Temp\RIBV.exe

C:\DOCUME~1\admin\LOCALS~1\Temp\YPNMBCSLC.exe

CFScript.gif

Refering to the picture above, drag
CFScript.txt
on to
ComboFix.exe

When finished, it will produce a log for you at
C:\ComboFix.txt

Note: Do not mouse click combofix's window while it's running. That may cause it to stall

STEP 04

Re-connect your Internet connection

STEP 05

Start MB and UPDATE it and do a Quick Scan and again fix anything it finds and then reboot again

STEP 06

Do another HJT Scan only and post back all 3 logs. ComboFix, MB, HJT

.

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted

ComboFix 08-09-30.03 - admin 2008-10-01 8:41:28.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.699 [GMT -5:00]

Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\admin\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_LSIVS

-------\Legacy_MCHINJDRV

-------\Legacy_RESTORE

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))

.

2008-09-29 12:35 . 2002-05-22 03:11 27,392 -ra------ C:\WINDOWS\system32\drivers\SISAGP.SYS

2008-09-29 12:35 . 2002-05-22 03:11 27,392 --a--c--- C:\WINDOWS\system32\dllcache\sisagp.sys

2008-09-28 22:10 . 2008-09-28 22:10 <DIR> d-------- C:\Documents and Settings\admin\Application Data\AdobeUM

2008-09-24 20:11 . 2008-09-24 20:11 26,624 --a------ C:\WINDOWS\system32\drivers\RootRepeal.sys

2008-09-24 08:22 . 2008-09-24 08:22 250 --a------ C:\WINDOWS\gmer.ini

2008-09-23 10:16 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll

2008-09-23 10:15 . 2001-08-17 22:36 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_smtpsnap.dll

2008-09-23 10:14 . 2001-08-17 22:36 176,640 --a------ C:\WINDOWS\system32\LXACSUI.DLL

2008-09-23 10:11 . 2003-03-31 07:00 1,174,016 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll

2008-09-23 10:10 . 2003-03-31 07:00 1,267,712 --a--c--- C:\WINDOWS\system32\dllcache\cimwin32.dll

2008-09-23 10:09 . 2002-08-29 01:06 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys

2008-09-23 10:06 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2008-09-23 10:06 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys

2008-09-23 10:06 . 2002-08-29 01:32 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2008-09-23 09:23 . 2001-08-17 12:12 31,232 --a------ C:\WINDOWS\system32\drivers\sisnic.sys

2008-09-23 09:22 . 2001-08-17 22:37 117,248 --------- C:\WINDOWS\system32\ksproxy.ax

2008-09-23 09:22 . 2002-08-29 03:46 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys

2008-09-23 09:22 . 2001-08-17 22:36 4,096 --------- C:\WINDOWS\system32\ksuser.dll

2008-09-23 09:21 . 2003-03-31 07:00 696,320 --a--c--- C:\WINDOWS\system32\dllcache\sapi.dll

2008-09-23 09:21 . 2003-03-31 07:00 147,456 --a--c--- C:\WINDOWS\system32\dllcache\sapi.cpl

2008-09-23 09:21 . 2003-03-31 07:00 132,096 --a------ C:\WINDOWS\system\WINSPOOL.DRV

2008-09-23 09:21 . 2002-08-29 03:41 71,168 --a------ C:\WINDOWS\system32\storprop.dll

2008-09-23 09:21 . 2003-03-31 07:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll

2008-09-23 09:21 . 2003-03-31 07:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll

2008-09-23 09:21 . 2003-03-31 07:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll

2008-09-23 09:21 . 2003-03-31 07:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll

2008-09-23 09:21 . 2003-03-31 07:00 10,496 --a------ C:\WINDOWS\system32\drivers\irenum.sys

2008-09-23 09:21 . 2003-03-31 07:00 10,496 --a--c--- C:\WINDOWS\system32\dllcache\irenum.sys

2008-09-23 09:20 . 2003-03-31 07:00 1,086,182 -ra------ C:\WINDOWS\SETB0.tmp

2008-09-23 09:20 . 2003-03-31 07:00 13,608 -ra------ C:\WINDOWS\SETBC.tmp

2008-09-22 13:20 . 2008-09-22 13:20 <DIR> d-------- C:\Documents and Settings\betsy\Application Data\Malwarebytes

2008-09-21 21:47 . 2008-09-17 23:24 8,592 --a------ C:\WINDOWS\system32\PCAMPR5.SYS

2008-09-19 23:17 . 2008-09-22 13:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-09-19 23:17 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-09-19 23:17 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-09-19 23:14 . 2008-09-19 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-09-19 23:14 . 2008-09-19 23:14 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes

2008-09-17 23:25 . 2008-09-17 23:25 0 --a------ C:\WINDOWS\system32\nxg.bin

2008-09-17 23:24 . 2008-09-17 23:24 8,592 --a------ C:\WINDOWS\system32\dplx.sys

2008-09-17 23:24 . 2008-09-17 23:24 2,921 --a------ C:\WINDOWS\system32\rtc.dat

2008-09-17 23:24 . 2008-09-17 23:24 0 --a------ C:\WINDOWS\system32\B.tmp

2008-09-17 23:12 . 2008-09-17 23:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\funsxity

2008-09-17 08:08 . 2008-09-17 08:08 <DIR> d-------- C:\Documents and Settings\Safe User

2008-09-14 21:22 . 2008-09-16 10:11 798,902 --ahs---- C:\WINDOWS\system32\uxFiPXbc.ini2

2008-09-14 21:16 . 2008-09-17 23:12 2 --a------ C:\-267091641

2008-09-09 11:01 . 2008-09-09 11:58 <DIR> d-------- C:\WINDOWS\system32\scripting

2008-09-09 11:01 . 2008-09-09 11:58 <DIR> d-------- C:\WINDOWS\system32\en

2008-09-09 11:01 . 2008-09-09 11:58 <DIR> d-------- C:\WINDOWS\l2schemas

2008-09-09 10:43 . 2004-08-04 00:07 59,264 --a------ C:\WINDOWS\system32\drivers\usbaudio.sys

2008-09-09 10:43 . 2004-08-03 23:10 51,328 --a------ C:\WINDOWS\system32\drivers\msdv.sys

2008-09-09 10:43 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys

2008-09-09 10:43 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys

2008-09-04 04:20 . 2008-04-13 19:12 8,461,312 --a------ C:\WINDOWS\system32\SET646.tmp

2008-09-04 04:19 . 2008-04-13 19:11 2,843,136 --a------ C:\WINDOWS\system32\SET856.tmp

2008-09-04 04:18 . 2008-04-13 19:11 1,267,200 --a------ C:\WINDOWS\system32\SET9C1.tmp

2008-09-04 03:46 . 2008-09-09 11:02 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-29 17:39 --------- d-----w C:\Program Files\C-Media

2008-09-29 03:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-09-23 04:26 86,016 ----a-w C:\WINDOWS\unvise32.exe

2008-09-23 04:26 299,520 ----a-w C:\WINDOWS\uninst.exe

2008-09-23 02:08 624,640 ----a-w C:\Program Files\Soldat.exe

2008-09-23 02:00 732,160 ----a-w C:\Program Files\Config.exe

2008-09-23 01:28 796,672 ----a-w C:\WINDOWS\GPInstall.exe

2008-09-23 01:28 72,192 ----a-w C:\WINDOWS\unlite3.exe

2008-09-23 01:28 46,080 ----a-w C:\WINDOWS\setdebug.exe

2008-09-23 01:28 33,792 ----a-w C:\WINDOWS\Q330994.exe

2008-09-23 01:28 33,792 ----a-w C:\WINDOWS\oeuninst.exe

2008-09-23 01:28 33,792 ----a-w C:\WINDOWS\ieuninst.exe

2008-09-23 01:28 32,768 ----a-w C:\WINDOWS\slrundll.exe

2008-09-23 01:28 286,720 ----a-w C:\WINDOWS\PATCH.EXE

2008-09-23 01:28 171,520 -c--a-w C:\WINDOWS\tsc.exe

2008-09-23 01:28 107,008 -c--a-w C:\WINDOWS\UninstallFirefox.exe

2008-09-22 18:30 --------- d-----w C:\Program Files\Bonjour

2008-09-22 18:28 102,400 ----a-r C:\WINDOWS\SiSUSBrg.exe

2008-09-15 17:15 --------- d-----w C:\Program Files\Norton SystemWorks

2008-09-02 12:39 --------- d-----w C:\Program Files\Common Files\Adobe

2008-09-02 12:37 --------- d-----w C:\Documents and Settings\betsy\Application Data\AdobeUM

2008-08-31 15:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec

2008-08-16 23:57 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF

2008-08-16 23:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2008-08-16 23:57 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT

2008-08-16 23:57 --------- d-----w C:\Program Files\Symantec

2008-01-15 13:50 5,120 --sha-w C:\Program Files\Thumbs.db

2007-05-16 23:28 3,371 ----a-w C:\Program Files\soldat.ini

2007-05-16 23:27 39,938 ----a-w C:\Program Files\unins000.dat

2007-05-16 23:26 683,801 ----a-w C:\Program Files\unins000.exe

2007-04-28 19:57 7,873 ----a-w C:\Program Files\readonly.txt

2007-04-25 16:49 749,215 ----a-w C:\Program Files\start.exe

2007-04-25 16:21 170,666 ----a-w C:\Program Files\startbg.bmp

2007-04-14 00:55 33,978,253 ----a-w C:\Program Files\TaxCut05.zip

2007-04-13 01:15 5,693 ----a-w C:\Program Files\weapons.ini

2007-04-13 01:11 587,776 ----a-w C:\Program Files\Monsoonix.dll

2007-03-27 17:23 4,079 ----a-w C:\Program Files\weapons_realistic.ini

2007-03-02 19:26 12 ----a-w C:\Program Files\lobby_servers.txt

2007-02-15 20:47 3,184 ----a-w C:\Program Files\readme.txt

2006-09-21 18:19 43,008 ----a-w C:\Program Files\SKControl.dll

2005-01-31 20:06 12,653,296 -c--a-w C:\Documents and Settings\All Users\MP10Setup.exe

2005-01-31 19:55 1,835,893 -c--a-w C:\Documents and Settings\papaw\winmail.dat

2004-04-13 13:44 1,760,378 -c--a-w C:\Program Files\aaw6.exe

2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

((((((((((((((((((((((((((((( snapshot_2008-09-25_22.23.21.16 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-09-23 02:18:18 166,912 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE

+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE

- 2008-09-23 01:28:35 86,016 ----a-w C:\WINDOWS\fdsv.exe

+ 2000-08-31 13:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe

- 2008-09-23 01:28:36 80,384 ----a-w C:\WINDOWS\grep.exe

+ 2000-08-31 13:00:00 80,412 ----a-w C:\WINDOWS\grep.exe

- 2008-09-23 01:28:36 306,688 ----a-w C:\WINDOWS\IsUninst.exe

+ 2002-04-25 13:42:30 316,416 ----a-w C:\WINDOWS\IsUninst.exe

+ 2000-10-20 10:28:00 765,952 ----a-r C:\WINDOWS\LastGood.Tmp\system\crlds3d.dll

+ 2001-11-23 04:08:20 712,704 ----a-r C:\WINDOWS\LastGood.Tmp\System32\a3d.dll

+ 2001-11-23 04:08:20 712,704 ----a-r C:\WINDOWS\LastGood.Tmp\System32\Audio3D.dll

+ 2002-03-06 06:27:02 389,135 ----a-r C:\WINDOWS\LastGood.Tmp\System32\drivers\cmuda.sys

+ 2003-03-31 12:00:00 57,856 ----a-w C:\WINDOWS\LastGood.Tmp\System32\drivers\drmk.sys

+ 2003-03-31 12:00:00 131,712 ----a-w C:\WINDOWS\LastGood.Tmp\System32\drivers\ks.sys

+ 2003-03-31 12:00:00 134,272 ----a-w C:\WINDOWS\LastGood.Tmp\System32\drivers\portcls.sys

+ 2003-03-31 12:00:00 44,416 ----a-w C:\WINDOWS\LastGood.Tmp\System32\drivers\stream.sys

+ 2001-08-18 03:36:18 4,096 ----a-w C:\WINDOWS\LastGood.Tmp\System32\ksuser.dll

+ 2001-09-24 04:23:42 28,672 ----a-r C:\WINDOWS\LastGood.Tmp\System32\udaprop.dll

+ 2003-03-31 12:00:00 22,016 ----a-w C:\WINDOWS\LastGood.Tmp\System32\wdmaud.drv

- 2008-09-23 01:28:33 98,816 ----a-w C:\WINDOWS\sed.exe

+ 2000-08-31 13:00:00 98,816 ----a-w C:\WINDOWS\sed.exe

- 2008-09-23 01:28:30 137,728 ----a-w C:\WINDOWS\SWSC.exe

+ 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\SWSC.exe

- 2008-09-23 01:28:30 212,480 ----a-w C:\WINDOWS\swxcacls.exe

+ 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe

- 2008-09-26 03:18:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

+ 2008-10-01 13:26:55 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat

- 2008-09-26 03:18:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2008-10-01 13:26:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2008-09-26 03:18:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2008-10-01 13:26:55 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2005-01-18 21:00:29 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat

+ 2008-10-01 13:41:15 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat

+ 2002-08-29 06:32:34 57,856 -c--a-w C:\WINDOWS\system32\dllcache\drmk.sys

+ 2002-08-29 07:13:42 131,712 -c--a-w C:\WINDOWS\system32\dllcache\ks.sys

+ 2002-08-29 07:01:00 134,272 -c--a-w C:\WINDOWS\system32\dllcache\portcls.sys

+ 2002-08-29 06:32:34 44,416 -c--a-w C:\WINDOWS\system32\dllcache\stream.sys

- 2003-03-31 12:00:00 57,856 ----a-w C:\WINDOWS\system32\drivers\drmk.sys

+ 2002-08-29 06:32:34 57,856 ----a-w C:\WINDOWS\system32\drivers\drmk.sys

- 2003-03-31 12:00:00 131,712 ----a-w C:\WINDOWS\system32\drivers\ks.sys

+ 2002-08-29 07:13:42 131,712 ----a-w C:\WINDOWS\system32\drivers\ks.sys

- 2003-03-31 12:00:00 134,272 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

+ 2002-08-29 07:01:00 134,272 ----a-w C:\WINDOWS\system32\drivers\portcls.sys

- 2003-03-31 12:00:00 44,416 ----a-w C:\WINDOWS\system32\drivers\stream.sys

+ 2002-08-29 06:32:34 44,416 ----a-w C:\WINDOWS\system32\drivers\stream.sys

+ 2001-11-23 04:08:20 712,704 ----a-r C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\Audio3D.dll

+ 2002-03-06 06:27:02 389,135 ----a-r C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\cmuda.sys

+ 2000-10-20 10:28:00 765,952 ----a-r C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\crlds3d.dll

+ 2003-03-31 12:00:00 57,856 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\drmk.sys

+ 2003-03-31 12:00:00 131,712 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\ks.sys

+ 2001-08-18 03:36:18 4,096 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\ksuser.dll

+ 2003-03-31 12:00:00 134,272 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\portcls.sys

+ 2003-03-31 12:00:00 44,416 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\stream.sys

+ 2003-03-31 12:00:00 22,016 ----a-w C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\i386\wdmaud.drv

+ 2001-09-24 04:23:42 28,672 ----a-r C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\udaprop.dll

- 2008-09-23 01:28:30 52,804 ----a-w C:\WINDOWS\VFind.exe

+ 2000-08-31 13:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe

- 2008-09-23 01:28:29 68,096 ----a-w C:\WINDOWS\zip.exe

+ 2000-08-31 13:00:00 68,096 ----a-w C:\WINDOWS\zip.exe

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 13312]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-09-22 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]

"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2008-09-22 102400]

"SiS Tray"="C:\WINDOWS\System32\sistray.EXE" [2008-09-22 319488]

"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2008-09-22 286720]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-22 413696]

"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]

"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2008-09-22 155648]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]

"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2008-09-22 1126400]

"Cmaudio"="cmicnfg.cpl" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 443968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2003-03-31 40960]

C:\Documents and Settings\betsy\Start Menu\Programs\Startup\

Reboot.exe [2002-03-20 382464]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2004-02-15 49152]

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-15 113664]

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-08-17 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dplx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"msupdate"=2 (0x2)

"YPNMBCSLC"=3 (0x3)

"RIBV"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"C:\\WINDOWS\\system32\\ftp.exe"=

"C:\\Program Files\\HyPerformix\\License\\ses.exe"=

"C:\\Program Files\\HyPerformix\\License\\lmgrd.exe"=

"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=

"C:\\Program Files\\UrbanTerror\\ioUrbanTerror.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 PQV2i;PQV2i;C:\WINDOWS\System32\drivers\PQV2i.sys [2004-11-22 138801]

R1 PQIMount;PQIMount;C:\WINDOWS\System32\drivers\PQIMount.sys [2004-11-22 46800]

R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 91136]

R2 BCMNTIO;BCMNTIO;C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-05 3744]

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]

R2 MAPMEM;MAPMEM;C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-05 3904]

R3 DniVap;Deterministic Networks WAN Miniport (Virtual);C:\WINDOWS\System32\DRIVERS\vap.sys [2001-12-14 36188]

S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

S3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\System32\DRIVERS\rcvpn.sys [2003-08-20 23180]

.

Contents of the 'Scheduled Tasks' folder

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-01 08:48:34

Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\ComboFix\pv.cfexe

.

**************************************************************************

.

Completion time: 2008-10-01 8:52:27 - machine was rebooted

ComboFix-quarantined-files.txt 2008-10-01 13:52:21

ComboFix2.txt 2008-09-26 03:23:53

ComboFix3.txt 2008-09-23 01:22:34

ComboFix4.txt 2008-09-22 03:15:52

ComboFix5.txt 2008-10-01 13:40:45

Pre-Run: 209,908,428,800 bytes free

Post-Run: 209,904,701,440 bytes free

293 --- E O F --- 2008-09-10 12:57:14

=======================================================

Malwarebytes' Anti-Malware 1.28

Database version: 1222

Windows 5.1.2600 Service Pack 1

10/1/2008 9:05:00 AM

mbam-log-2008-10-01 (09-04-54).txt

Scan type: Quick Scan

Objects scanned: 61434

Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

=======================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:12:28 AM, on 10/1/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\sistray.EXE

C:\WINDOWS\System32\khooker.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Users\Tim\SysInternals\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [userFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlc.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176293796919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 7604 bytes

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please download Avenger 2.0 from here

Open or extract the program file avenger.exe then double click to start it.

Copy the following text from the code box below into the main window of Avenger.

Files to delete:
C:\WINDOWS\System32\drivers\mrxdavv.sys
  • Place a check mark on the "Scan for rootkits"
  • Close all other running applications
  • Paste the text into the main window and then click on Execute

Once Avenger is done run MB go to the UDPATE tab and update the program again and do a Quick Scan.

Fix anything found and reboot the computer.

Then run a new HJT scan only and post back all the logs.

.

Link to post
Share on other sites
v.tew

v.tew

Posted
  • Author
Posted

Logfile of The Avenger Version 2.0, © by Swandog46 http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\System32\drivers\mrxdavv.sys" not found!

Deletion of file "C:\WINDOWS\System32\drivers\mrxdavv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.28

Database version: 1225

Windows 5.1.2600 Service Pack 1

10/2/2008 8:09:56 AM

mbam-log-2008-10-02 (08-09-48).txt

Scan type: Quick Scan

Objects scanned: 61485

Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\System32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:10:23 AM, on 10/2/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\sistray.EXE

C:\WINDOWS\System32\khooker.exe

C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Users\Tim\SysInternals\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [userFaultCheck] C:\WINDOWS\system32\dumprep 0 -u

O4 - HKLM\..\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe

O4 - HKLM\..\Run: [siS Tray] C:\WINDOWS\System32\sistray.EXE

O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

...

O16 - DPF: {3B0EA9E6-7003-4B38-B398-9B1B6DF439C5} - http://download.answers.com/pub/AnswersSetup.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176293796919

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--

End of file - 7299 bytes

Here's the entry causing the 'cannot reply' problem. I inserted the space before etc in the URL to be able to post it:

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwlc.ops.placeware.com/ etc/ place/LIMA/SCLpws-c2/5.1.7.413/lib/quicksilver.cab

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Well aside from seeing the entry in the MB log {which I think is a FP and I've reported it} I don't see anything else in the logs to indicate the system is infected.

So aside from the entry by MB what is the box doing that makes you think it's still infected?

Did you run the CCleaner program and remove all the TEMP files and delete all the cookies ?

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.