6 replies to this topic

[malfy]

mrxdavv.sys
kwave.sys

Common problem that seems to be surfacing everywhere lately. I have searched for many hours for a solution and it seems as if it isn't going to be easy. I love malwarebytes and hope that they're close to a solution, I have seen more than 1 moderator on these forums hint toward false positives, and made assurances that in the next version of mbam, it wont be an issue. Well I hope they weren't seriously suggesting something as absurd as them being false positives because those two 'files' are definately related to some issue. I am of course unable to rid myslef of these phantom files and I am hoping someone out there knows what to do.

Not sure if it helps but, the reason I ran mbam in the first place was when I noticed (today) all of the sudden I could no longer use the 'task manager.' I remeber this being the case with a virus or malware I had once in the distant past so I assumed it was related, and that is when I discovered these files.

As of right now, if I run mbam those 2 files will remain persistantly, I dont really have/use other malware cleaning software on my computer as this is rarely ever a problem for me. Here are my log files:

Malwarebytes' Anti-Malware 1.34
Database version: 1809
Windows 5.1.2600 Service Pack 3

2/27/2009 6:36:23 AM
mbam-log-2009-02-27 (06-36-23).txt

Scan type: Quick Scan
Objects scanned: 58667
Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

//////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:55 AM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Apache2.2\bin\httpd.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Apache2.2\bin\httpd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O18 - Filter hijack: text/html - {7d9a5b50-346d-420b-a94f-82c94e931453} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Apache2.2\bin\httpd.exe
O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3783 bytes


**note: just a list of other files which were removed that could be related.
...system32\a9k.bin
...system32\proto.dll
...Application Data\Microsoft\Windows\mas32.dll

[Tigger93]

You appear to be running this computer as a server? If possible, it might be a good idea to take the server offline for a bit to prevent people from getting infected.

Download ComboFix from one of the locations below, and save it to your Desktop.
[indent] Link 1
Link 2 [/indent]Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

[malfy]

OK ummm, my computer isn't running as an online server, that was just a local setup I have to test web content before I put it online. However I went ahead and disabled my apache/mysql services to avoid any confusion. After that I followed your posts instructions to the letter and here are the logs:

ComboFix 09-02-26.02 - malfy 2009-02-27 13:28:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1682 [GMT -6:00]
Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
C:\install.exe
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\drivers\npf.sys
c:\windows\system32\KSAIOqss.ini
c:\windows\system32\KSAIOqss.ini2
c:\windows\system32\kwave.sys
c:\windows\system32\kyscfmxr.ini
c:\windows\system32\omnrswok.ini
c:\windows\system32\packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro
2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb
2009-02-27 04:15 . 2009-02-27 04:15 61,440 --a------ c:\windows\system32\drivers\llqp.sys
2009-02-27 04:11 . 2009-02-27 04:11 61,440 --a------ c:\windows\system32\drivers\gdhw.sys
2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 01:29 . 2009-02-19 01:29 336 --a------ c:\windows\system32\ikhcore.cfg
2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-17 14:54 . 2009-02-17 16:58 145 --a-s---- c:\windows\system32\582960402.dat
2009-02-16 18:49 . 2009-02-26 22:23 7 --a------ c:\windows\system32\nar.bin
2009-02-16 10:21 . 2009-02-16 10:21 8,768 --a------ c:\windows\system32\drivers\bcmwl5.sys
2009-02-16 10:21 . 2009-02-16 10:21 50 --a------ c:\windows\system32\wdh.bin
2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker
2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common
2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 10:15 324 ----a-w c:\program files\bpxmss.txt
2009-02-27 10:02 --------- d-----w c:\program files\PokerStars
2009-02-27 04:23 --------- d-----w c:\program files\Steam
2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III
2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft
2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-19 05:09 --------- d-----w c:\program files\mIRC
2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame
2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer
2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat
.

------- Sigcheck -------

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll
2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll
2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll
2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll
2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.RUD0"= rududu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"MySQL"=2 (0x2)
"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista Server

S2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Microsoft Windows Sound - svuhost.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 13:30:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68,
66,62,6c,65,00,00
"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c,
6c,68,6e,69,70,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-27 13:33:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-27 19:33:23

Pre-Run: 51,932,557,312 bytes free
Post-Run: 52,429,914,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

242 --- E O F --- 2009-02-25 09:00:23

///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:27 PM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2664 bytes

**note: I am going to be moving from one apartment to another shortly so I may be on and offline irregularly, please do not think I have abandonded this problem and lock the thread. I will be here!

[Tigger93]

Since your sever is just for your own testing purposes, feel free to enable it again. I just wanted to make sure it wasn't one for a real website as it could infect others.

1. Please open Notepad

• Click Start , then Run
  
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote

File::
c:\windows\system32\582960402.dat
c:\program files\bpxmss.txt

Collect::
c:\windows\system32\drivers\llqp.sys
c:\windows\system32\drivers\gdhw.sys
c:\windows\system32\drivers\bcmwl5.sys
c:\windows\system32\nar.bin
c:\windows\system32\wdh.bin
c:\windows\system32\ikhcore.cfg

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
  
• A new HijackThis log.

[malfy]

Ok ran the script for ComboFix, also when ComboFix loaded this time it ran a self-update, which didn't appear to interfere with the script running. So here are my new logs:

ComboFix 09-02-27.01 - 2009-02-27 15:30:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1616 [GMT -6:00]
Running from: c:\documents and settings\malfy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\malfy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\program files\bpxmss.txt
c:\windows\system32\582960402.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\bpxmss.txt
c:\windows\system32\582960402.dat
c:\windows\system32\drivers\bcmwl5.sys
c:\windows\system32\drivers\gdhw.sys
c:\windows\system32\drivers\llqp.sys
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\ikhcore.cfg
c:\windows\system32\kwave.sys
c:\windows\system32\nar.bin
c:\windows\system32\wdh.bin

.
((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-27 05:29 . 2009-02-27 05:29 <DIR> d-------- c:\program files\Trend Micro
2009-02-27 04:47 . 2009-02-27 04:47 <DIR> d-------- c:\documents and settings\malfy\DoctorWeb
2009-02-26 02:04 . 2009-02-17 10:59 2,794,234 --a------ c:\windows\system32\GameMon.des
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\malfy\Application Data\Malwarebytes
2009-02-19 13:42 . 2009-02-19 13:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-19 13:42 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-19 13:42 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 00:16 . 2009-02-19 00:16 <DIR> d-------- c:\program files\Common Files\Download Manager
2009-02-09 17:04 . 2009-02-26 23:46 <DIR> d-------- c:\program files\Full Tilt Poker
2009-02-06 11:21 . 2009-02-06 11:21 <DIR> d-------- c:\program files\Common
2009-02-02 21:40 . 2009-02-02 21:40 <DIR> d-------- c:\program files\Sony

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 10:02 --------- d-----w c:\program files\PokerStars
2009-02-27 04:23 --------- d-----w c:\program files\Steam
2009-02-27 01:12 --------- d-----w c:\program files\Warcraft III
2009-02-19 19:51 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-19 19:49 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-17 00:56 --------- d-----w c:\program files\World of Warcraft
2009-02-17 00:55 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-17 00:54 --------- d-----w c:\documents and settings\malfy\Application Data\Orbit
2009-02-17 00:53 --------- d-----w c:\program files\AddOn Studio for World of Warcraft
2009-01-19 05:09 --------- d-----w c:\program files\mIRC
2009-01-02 21:04 --------- d--h--w c:\documents and settings\malfy\Application Data\ijjigame
2008-12-29 13:13 --------- d-----w c:\documents and settings\malfy\Application Data\Apple Computer
2007-07-26 19:32 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-07-26 19:32 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-26 19:32 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-07-26 19:32 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-07-26 19:32 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-08-12 23:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081220080813\index.dat
.

------- Sigcheck -------

2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 06:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 10:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-08-10 07:26 360064 482ab7f9cd41702e8f856c11cfefb02d c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 00:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
2003-03-31 06:00 332928 244a2f9816bc9b593957281ef577d976 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
2006-04-20 05:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 13:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2008-04-13 13:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
2008-06-20 05:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys

2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll
2006-07-05 04:57 985088 0fdd84928a5dde2510761b7ec76ccec9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
2007-04-16 10:07 986112 09f7cb3687f86edaa4ca081f7ab66c03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
2007-04-16 09:52 984576 a01f9ca902a88f7ced06884174d6419d c:\windows\$NtServicePackUninstall$\kernel32.dll
2004-08-04 01:56 983552 888190e31455fad793312f8d087146eb c:\windows\$NtUninstallKB917422$\kernel32.dll
2003-03-31 06:00 930304 8f162dc91d67d87c1a481bf602a9dac8 c:\windows\$NtUninstallKB917422_0$\kernel32.dll
2006-07-05 04:55 984064 d8db5397de07577c1cb50ba6d23b3ad4 c:\windows\$NtUninstallKB935839$\kernel32.dll
2008-04-13 18:11 989696 c24b983d211c34da8fcc1ac38477971d c:\windows\ServicePackFiles\i386\kernel32.dll
2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\kernel32.dll
2008-04-13 18:11 989696 55447cd2f56d44426f9c88afe188bccc c:\windows\system32\dllcache\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll
"VIDC.RUD0"= rududu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcmwl5.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^malfy^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 03:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-11 11:55 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 15:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-12 23:44 8429568 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-12 23:44 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 02:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-10-10 18:20 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
-ra------ 2006-12-14 20:58 208896 c:\windows\system32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
-ra------ 2006-12-14 20:58 69632 c:\windows\system32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]
-ra------ 2006-12-14 20:59 217088 c:\windows\system32\WinSys2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-12 23:44 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"MySQL"=2 (0x2)
"Apache2.2"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\malfunktion@prodigy.net\\counter-strike\\hl.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5999:UDP"= 5999:UDP:*:Disabled:MaxiVista Server

S2 aspnet_stateEventSystem;ASP.NET State Service aspnet_stateEventSystem; srv --> srv [?]
S3 maxidemo;Maxi_Vista_Demo_Driver;c:\windows\system32\DRIVERS\maxidemo.sys --> c:\windows\system32\DRIVERS\maxidemo.sys [?]
S4 Apache2.2;Apache2.2;c:\apache2.2\bin\httpd.exe [2008-06-13 24635]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6e1ece4-cce7-11dd-85f3-00044b032701}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 15:32:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\aspnet_stateEventSystem]
"ImagePath"=" srv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="c:\mysql\bin\mysqld-nt MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1563985344-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C11AF94B-CD15-D6B5-087F-DECB344D0DD3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"nanhmlnghhidgnkgcjaegkpjbelm"=hex:69,61,67,6d,65,63,68,67,63,6e,69,66,67,68,
66,62,6c,65,00,00
"mahhddllgmncbgnkckpciinekj"=hex:6a,61,6a,6d,6e,66,61,66,61,64,6d,65,62,63,6c,
6c,68,6e,69,70,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-02-27 15:35:31 - machine was rebooted [malfy]
ComboFix-quarantined-files.txt 2009-02-27 21:35:28
ComboFix2.txt 2009-02-27 19:33:26

Pre-Run: 52,420,685,824 bytes free
Post-Run: 52,405,874,688 bytes free

225 --- E O F --- 2009-02-25 09:00:23

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:38 PM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.2.100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218583869453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1218330580531
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.2.1.cab
O23 - Service: ASP.NET State Service aspnet_stateEventSystem (aspnet_stateEventSystem) - Unknown owner - .exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2697 bytes

[malfy]

haha well you never asked me to run mbam again so I didn't do it until just now. The problem files appear to have been removed! If you see any other problems of mention in those updated logs let me know. Otherwise thank you very much for helping me so quickly and effectively.

Malwarebytes' Anti-Malware 1.34
Database version: 1810
Windows 5.1.2600 Service Pack 3

2/27/2009 4:08:39 PM
mbam-log-2009-02-27 (16-08-39).txt

Scan type: Quick Scan
Objects scanned: 57442
Time elapsed: 1 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[Tigger93]

Go start -> run and type in combofix /u and press OK to remove Combofix.

Everything looks good. Are you still having any problems?