Multiple problems


squeeze

Hi,

I've suffered multiple malware problems over the last 2 weeks and have tried to resolve them myself without success.

I think I have Antivirus 2009 amongst other problems.

kwave.sys and mrxdavv.sys are not being cleaned from the system32 folder on rebooting, as prompted by MBAM.

IE did not work at all for several days but now bizarrely works again.

Firefox in the meantime has been launching new tabs related to my session's topic.

I've tried a combination of Spybot S&D, Bazooka Scanner, MBAM and a-squared but still have sporadic issues (although this evening has been a 'good day' in terms of issues). I'm also running McAfee VirusScan Enterprise 8.

I've followed the Pre-HJT Post Instructions, so here goes with the logs...

Malwarebytes' Anti-Malware 1.31

Database version: 1477

Windows 5.0.2195 Service Pack 4

09/12/2008 21:27:59

mbam-log-2008-12-09 (21-27-59).txt

Scan type: Quick Scan

Objects scanned: 60676

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\posibali.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINNT\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

C:\WINNT\system32\Drivers\mrxdavv.sys (Trojan.Agent) -> Delete on reboot.


Panda ActiveScan 2.0 Log

;********************************************************************************

ANALYSIS: 2008-12-09 23:05:44

PROTECTIONS: 1

MALWARE: 9

SUSPECTS: 0

;********************************************************************************

PROTECTIONS

Description Version Active Updated

;================================================================================

McAfee VirusScan Enterprise 8.0.0.912 No No

;================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;================================================================================

00020994 W32/Bagle.pwdzip Virus No 0 Yes No C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent31.zip

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.9

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.8

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.7

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.6

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.5

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.4

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.0

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.1

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.10

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.11

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.12

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.13

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.14

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.15

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.16

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.17

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.18

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.19

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.2

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.20

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.21

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.22

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.23

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.24

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.25

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.26

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.27

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.28

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.29

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.3

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.30

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.31

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.32

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.33

00123976 Exploit/ByteVerify HackTools No 0 Yes No C:\QUARANTINE\Worker.class.Vir.34

00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Paul\Cookies\paul@adtech[1].txt

00199231 HackTool/EvID HackTools No 0 No No C:\Program Files\PPLive TV\SynaLiveSetup.exe[EvID4226Patch.exe]

00367297 HackTool/EvID4226 HackTools No 0 Yes No C:\Program Files\PPLive TV\SynaLiveSetup.exe

01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\a-squared Free\Quarantine\63AB0E3A03CC3B990811F2F73C47BF5374F4CB05.A2Q[program files/gamespy arcade/Services/_common/PortraitLoader.dll]

02832567 Generic Trojan Virus/Trojan No 0 Yes No C:\QUARANTINE\enter1[1].htm.Vir[enter1[1].htm.Vir]

03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\WINNT\system32\drivers\tknnlqic.sys

04288942 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KJE5CJS1\go[1].exe

;================================================================================

SUSPECTS

Sent Location vC5

;================================================================================

;================================================================================

VULNERABILITIES

Id Severity Description vC5

;================================================================================

141034 HIGH MS06-076 vC5

;================================================================================


Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:11:31, on 09/12/2008

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\lxdbcoms.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\WINNT\system32\mgabg.exe

C:\WINNT\system32\regsvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\hkcmd.exe

C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\WINNT\system32\PDesk\PDesk.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\PeerGuardian2\pg2.exe

C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O1 - Hosts: 155.108.50.130 qawad1 my.qa.globallink.com

O1 - Hosts: 167.76.11.87 txadmin

O1 - Hosts: 192.250.53.132 maint.globallink.com

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe

O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [LXDBCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe

O10 - Unknown file in Winsock LSP: prxernsp.dll

O10 - Unknown file in Winsock LSP: prxerdrv.dll

O10 - Unknown file in Winsock LSP: prxerdrv.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.statestr.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{3CC15972-C7A5-402B-A25B-61241487CA3B}: NameServer = 192.168.0.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.statestr.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.statestr.com

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\winnt\system32\jizimuzi.dll ,

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe

O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: lxdb_device - - C:\WINNT\system32\lxdbcoms.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe

O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--

End of file - 7372 bytes
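Added example (editor's, not the poster's and not HijackThis code): a small Python triage pass over the HJT entry types a removal helper reads first, namely the ProxyServer value, the O10 "Unknown file in Winsock LSP" lines, the O20 AppInit_DLLs entry and the O1 hosts overrides. The sample is a subset of lines copied from the log above. The severity labels, the loopback-proxy rule and the eight-letter random-name heuristic are my assumptions; a hit is a lead to verify on the machine, not a verdict.

```python
"""Triage a HijackThis v2 log for the entries a removal helper reads first.

Added example for this thread, not HijackThis' own code: it only pattern-
matches log text and cannot verify files, signatures or the registry itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 155.108.50.130 qawad1 my.qa.globallink.com
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\system32\igfxtray.exe
O10 - Unknown file in Winsock LSP: prxernsp.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O10 - Unknown file in Winsock LSP: prxerdrv.dll
O20 - AppInit_DLLs: c:\winnt\system32\jizimuzi.dll ,
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O20 - AppInit_DLLs: ..."
PROXY_HOSTS = re.compile(r"(?:^|[=;])([^:;=]+):\d+")  # host part of "host:port" or "http=host:port;..."
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Coarse heuristic (my assumption, not an HJT rule): an 8-letter lowercase name
# under system32 or drivers, the pattern Vundo-style droppers use. Confirm by hand.
RANDOM_NAME = re.compile(r"(?i)\\system32\\(?:drivers\\)?([a-z]{8})\.(dll|sys)\b")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    entry: str     # HJT entry type, e.g. "O20"
    detail: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per HJT entry that matches a triage rule."""
    findings: list[Finding] = []
    seen_lsp: set[str] = set()
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()

        if kind == "R1" and "ProxyServer = " in body:
            value = body.split("ProxyServer = ", 1)[1].strip()
            if any(h in LOOPBACK for h in PROXY_HOSTS.findall(value)):
                findings.append(Finding("high", kind,
                    f"IE traffic routed through a loopback proxy ({value}); identify the process "
                    "listening on that port before clearing the setting", raw))

        elif kind == "O10":
            dll = body.rsplit(":", 1)[1].strip()
            if dll not in seen_lsp:  # the same DLL can appear more than once in the LSP chain
                seen_lsp.add(dll)
                findings.append(Finding("high", kind,
                    f"unidentified Winsock LSP {dll}: loaded into every process that uses Winsock", raw))

        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in (d.strip() for d in body[len("AppInit_DLLs:"):].split(",")):
                if dll:
                    findings.append(Finding("high", kind,
                        f"AppInit_DLLs loads {dll} into every process that links user32.dll", raw))

        elif kind == "O1":
            findings.append(Finding("info", kind, "hosts file override; verify it is intentional", raw))

        rn = RANDOM_NAME.search(body)
        if rn:
            findings.append(Finding("medium", kind,
                f"random-looking name {rn.group(1)}.{rn.group(2)} in a system directory (heuristic)", raw))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Highest severity present, or "none" for an empty list."""
    order = {"high": 2, "medium": 1, "info": 0}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.entry:3} {f.detail}")
```

On the sample it reports the loopback ProxyServer, the two unidentified LSP DLLs and the AppInit_DLLs entry as high, and the eight-letter name under system32 as a medium-confidence heuristic hit. The script knows no more than HJT does about prxernsp.dll and prxerdrv.dll; it only ranks the lines so that the entries with the widest reach (an LSP and an AppInit DLL both end up inside every networked or GUI process) are checked before anything else.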


BUMP.... Can someone please take a look at my logs?