infecteduser

  1. Great, thanks again for the information. Unfortunately, this is a work laptop, so until they decide to roll out SP3 to everyone I am stuck with SP2. Guess I will have to be more careful. Thanks again.
  2. Hi screen317, I followed your advice with the uninstalls - thanks. Things seem to have been stable for the past couple of days - MBAM comes back clean, which is good. Again, thank you so very much for your help resolving my problem.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2684
     Windows 5.1.2600 Service Pack 2

     03/09/2009 15:27:53
     mbam-log-2009-09-03 (15-27-53).txt

     Scan type: Quick Scan
     Objects scanned: 99906
     Time elapsed: 9 minute(s), 39 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  3. Hi screen317, I ran the ComboFix script as instructed (log below). Things look a lot better now, I think - I ran MBAM and the report came back clean. Fantastic! Thank you so much for your help. If you need me to run any more checks to show this system is clean, please let me know - otherwise, thank you so very much for your help, greatly appreciated.

     Malwarebytes' Anti-Malware 1.40
     Database version: 2684
     Windows 5.1.2600 Service Pack 2

     01/09/2009 10:07:44
     mbam-log-2009-09-01 (10-07-44).txt

     Scan type: Quick Scan
     Objects scanned: 99676
     Time elapsed: 10 minute(s), 34 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)

     ___________________________________________________________

     ComboFix 09-08-31.03 - thompsjo 01/09/2009 9:30.6.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1527.898 [GMT 1:00]
     Running from: c:\documents and settings\thompsjo\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\thompsjo\Desktop\CFScript.txt
     AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

     FILE ::
     "c:\windows\system32\drivers\AFGMp50.sys"
     "c:\windows\system32\drivers\mrxdavv.sys"
     "c:\windows\system32\kwave.sys"
     .
  4. Hello, OK, here are the logs from the F-Secure run and the SecurityCheck run. I also ran a quick MBAM scan and pasted the results below.

     Scanning Report
     Friday, August 28, 2009 09:26:17 - 13:57:15
     Computer name: JTHOMPSON1
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\
     --------------------------------------------------------------------------------
     4 malware found
     Gen:Rootkit.Heur.auW@tqYAl1l (spyware)
       System (Disinfected)
     Trojan.Generic.IS (spyware)
       System (Disinfected)
     Gen:Rootkit.Heur.auW@tqYAl1l (virus)
       C:\WINDOWS\SYSTEM32\DRIVERS\AFGMP50.SYS (Not cleaned)
     Trojan.Generic.IS.544304 (virus)
       C:\PROGRAM FILES\HEWLETT-PACKARD\PC COE\IDAUPD.DLL (Not cleaned)
     --------------------------------------------------------------------------------
     Statistics
     Scanned:
       Files: 51292
       System: 4214
       Not scanned: 6
     Actions:
       Disinfected: 2
       Renamed: 0
       Deleted: 0
       Not cleaned: 2
       Submitted: 0
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
     --------------------------------------------------------------------------------
     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
     ________________________________________________________________

     Results of screen317's Security Check version 0.98.9
     Windows XP Service Pack 2
     Out of date service pack!!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Security Center service is not running! This report may not be accurate!
     Windows Firewall Disabled!
     Avira AntiVir Personal - Free Antivirus
     Symantec Endpoint Protection
     Antivirus out of date! (On Access scanning disabled!)
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     Spybot - Search & Destroy
     Malwarebytes' Anti-Malware
     HijackThis 2.0.2
     CCleaner (remove only)
     Java 6 Update 16
     Adobe Flash Player 10
     Adobe Reader 7.0.9
     Adobe Reader Chinese Simplified Fonts
     Adobe Reader Chinese Traditional Fonts
     Adobe Reader Korean Fonts
     Adobe Reader Japanese Fonts
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     Avira Antivir avgnt.exe
     ``````````````````````````````
     DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
     `````````End of Log```````````
     _________________________________________________________

     Malwarebytes' Anti-Malware 1.40
     Database version: 2684
     Windows 5.1.2600 Service Pack 2

     28/08/2009 14:39:22
     mbam-log-2009-08-28 (14-39-19).txt

     Scan type: Quick Scan
     Objects scanned: 101588
     Time elapsed: 17 minute(s), 44 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
     C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
  5. Hello, thanks for the help. I ran the script in ComboFix as you requested - here is the log after the script finished running and the latest HijackThis log.

     ComboFix 09-08-22.06 - thompsjo 27/08/2009 8:54.5.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1527.954 [GMT 1:00]
     Running from: c:\documents and settings\thompsjo\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\thompsjo\Desktop\CFScript.txt
     AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
     AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
     FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

     FILE ::
     "c:\windows\system32\drivers\mikmfgk.sys"
     .

     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\system32\drivers\mrxdavv.sys
     c:\windows\system32\kwave.sys
     .

     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_twhiaiag

     ((((((((((((((((((((((((( Files Created from 2009-07-27 to 2009-08-27 )))))))))))))))))))))))))))))))
     .
     2009-08-23 16:14 . 2009-08-23 16:14 0 ----a-w- C:\backup.reg
     2009-08-23 12:25 . 2009-08-23 21:50 574 ----a-w- C:\cleanup.bat
     2009-08-23 12:25 . 2009-08-23 21:50 135168 ----a-w- C:\zip.exe
     2009-08-21 13:50 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
     2009-08-21 13:50 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
     2009-08-21 13:50 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
     2009-08-21 13:50 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
     2009-08-21 13:49 . 2009-08-21 13:49 -------- d-----w- c:\program files\Avira
     2009-08-21 13:49 . 2009-08-21 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
     2009-08-21 13:13 .
Contents of the 'Scheduled Tasks' folder 2009-08-27 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job - c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 16:35] 2009-08-27 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job - c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 16:35] 2009-08-27 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job - c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 17:06] 2009-08-27 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job - c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-23 22:27] 2009-08-27 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job - c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 16:13] . . ------- Supplementary Scan ------- . uStart Page = hxxp://athp.hp.com/ uInternet Settings,ProxyServer = web-proxy:8080 uInternet Settings,ProxyOverride = ;<local> IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm Trusted Zone: compaq.com\ie.config.asia Trusted Zone: compaq.com\ie.config.eur Trusted Zone: compaq.com\ie.config.im.hou Trusted Zone: compaq.com\ie.config.jp Trusted Zone: dec.com\ie.config.ecom Trusted Zone: hp.com Trusted Zone: tandem.com\ie.config Trusted Zone: compaq.com\ie.config.asia Trusted Zone: compaq.com\ie.config.eur Trusted Zone: compaq.com\ie.config.im.hou Trusted Zone: compaq.com\ie.config.jp Trusted Zone: dec.com\ie.config.ecom Trusted Zone: tandem.com\ie.config DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {00100000-2004-0003-85AA-828F11E00F28} FF - ProfilePath - c:\documents and settings\thompsjo\Application Data\Mozilla\Firefox\Profiles\99x4bupo.default\ FF - prefs.js: network.proxy.type - 2 . 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-27 09:06 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(440) c:\windows\system32\accsp.dll c:\windows\system32\acerrmes.dll c:\windows\system32\asphat32.dll c:\windows\system32\acpinto.dll c:\windows\system32\aspcom.dll c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll c:\windows\system32\acaccess.dll c:\program files\ActivCard\ActivCard Gold\resources\acaccrc.dll - - - - - - - > 'explorer.exe'(3452) c:\windows\system32\btmmhook.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\windows\system32\scardsvr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\UPHClean\uphclean.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\progra~1\HPQ\Shared\HPQTOA~1.EXE c:\progra~1\MI3AA1~1\rapimgr.exe c:\program files\iPod\bin\iPodService.exe c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE . ************************************************************************** . 
Completion time: 2009-08-27 9:11 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-27 08:11 ComboFix2.txt 2009-08-26 09:20 Pre-Run: 36,632,977,408 bytes free Post-Run: 36,536,537,088 bytes free 261 __________________________________________________________________ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:13:32, on 27/08/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\ActivCard\acautoreg.exe C:\Program Files\Common Files\ActivCard\accoca.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\HPAVAD~1\avChgSvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe C:\Program Files\UPHClean\uphclean.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe C:\Program 
Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Microsoft Office Communicator\communicator.exe C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe C:\Program Files\Microsoft ActiveSync\wcescomm.exe C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\thompsjo\Desktop\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local> O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program 
Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe O4 - HKLM\..\Run: [iDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [Advanced Proxy Manager] C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [screenshot Captor] "C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Bluetooth.lnk = ? 
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com O15 - Trusted Zone: http://ie.config.asia.compaq.com O15 - Trusted Zone: http://ie.config.eur.compaq.com O15 - Trusted Zone: http://ie.config.im.hou.compaq.com O15 - Trusted Zone: http://ie.config.jp.compaq.com O15 - Trusted Zone: http://ie.config.ecom.dec.com O15 - Trusted Zone: http://ie.config.tandem.com O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM) O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM) O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM) O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM) O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM) O15 - Trusted Zone: http://ie.config.tandem.com (HKLM) O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab O16 - DPF: {00100000-2004-0003-85AA-828F11E00F28} - O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175 O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net O17 - HKLM\Software\..\Telephony: DomainName = emea.hpqcorp.net O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe O23 - 
Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing) O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing) -- End of file - 9599 bytes
  6. Hi screen317, Thanks very much for helping me with this - it is greatly appreciated. Combo fix says that mrxdavv.sys was deleted but MBAM says it is still present. Let me know if you need any further logs from MBAM or other Here are the ComboFix and HijackThis logs: ComboFix 09-08-22.06 - thompsjo 26/08/2009 10:02.4.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1527.798 [GMT 1:00] Running from: c:\documents and settings\thompsjo\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\drivers\mrxdavv.sys c:\windows\system32\kwave.sys . ((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 ))))))))))))))))))))))))))))))) . 2009-08-23 16:14 . 2009-08-23 16:14 0 ----a-w- C:\backup.reg 2009-08-23 12:25 . 2009-08-23 21:50 574 ----a-w- C:\cleanup.bat 2009-08-23 12:25 . 2009-08-23 21:50 135168 ----a-w- C:\zip.exe 2009-08-21 13:50 . 2009-07-28 15:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-21 13:50 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-08-21 13:50 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2009-08-21 13:50 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2009-08-21 13:49 . 2009-08-21 13:49 -------- d-----w- c:\program files\Avira 2009-08-21 13:49 . 2009-08-21 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-08-21 13:13 . 2009-08-23 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-08-21 13:13 . 
2009-08-21 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-08-21 12:12 . 2009-08-21 12:12 -------- d-----w- C:\!KillBox 2009-08-21 08:50 . 2009-08-21 08:50 -------- d-----w- c:\documents and settings\thompsjo\Application Data\Malwarebytes 2009-08-21 08:50 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-21 08:50 . 2009-08-21 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-08-21 08:50 . 2009-08-21 08:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-21 08:50 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-21 08:20 . 2009-08-21 11:50 16 ----a-w- c:\windows\pxydb.dat 2009-08-21 08:18 . 2009-08-21 08:18 8432 ----a-w- c:\windows\system32\drivers\AFGMp50.sys 2009-08-18 21:23 . 2009-08-21 09:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-08-13 13:58 . 2009-08-13 13:58 -------- d-----w- c:\documents and settings\thompsjo\Local Settings\Application Data\Identities 2009-08-13 13:33 . 2009-08-13 13:33 -------- d-----w- c:\program files\PST Walker 2009-08-07 13:19 . 2009-08-07 13:19 -------- d-----w- c:\documents and settings\thompsjo\Local Settings\Application Data\Hewlett-Packard_Company 2009-08-07 13:12 . 2008-03-10 14:01 274432 ----a-w- c:\windows\system32\hpmpm081.dll 2009-08-07 13:12 . 2008-03-10 14:01 208896 ----a-w- c:\windows\system32\hpmpw081.dll 2009-08-07 13:12 . 2008-03-10 14:00 233472 ----a-w- c:\windows\system32\hpmtp081.dll 2009-08-07 13:12 . 2008-03-10 13:53 290816 ----a-w- c:\windows\system32\hpmml081.dll 2009-08-07 13:12 . 2008-03-10 13:51 188416 ----a-w- c:\windows\system32\hpmja081.dll 2009-08-07 13:12 . 2008-03-10 14:30 149504 ----a-w- c:\windows\system32\hpcpn081.dll 2009-08-07 13:12 . 2007-07-25 13:05 59928 ----a-w- c:\windows\system32\fxcompchannel.dll 2009-08-07 13:12 . 
2007-05-16 19:53 49252 ----a-w- c:\windows\system32\HPMNQUE.DLL 2009-08-07 13:12 . 2007-05-16 19:53 49250 ----a-w- c:\windows\system32\HPMNNDPS.DLL 2009-08-07 12:48 . 2009-08-07 12:48 -------- d-----w- c:\program files\Common Files\Hewlett-Packard . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-26 09:16 . 2008-12-05 16:43 -------- d-----w- c:\program files\ScreenshotCaptor 2009-08-26 07:33 . 2007-09-17 15:27 -------- d-----w- c:\program files\symantec antivirus 2009-08-23 21:12 . 2008-12-09 11:55 -------- d-----w- c:\program files\Opera 10 Preview 2009-08-23 21:12 . 2009-04-06 11:23 -------- d-----w- c:\documents and settings\thompsjo\Application Data\Samsung 2009-08-23 20:21 . 2008-12-04 07:55 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-23 16:08 . 2009-01-22 12:03 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-08-23 15:23 . 2009-08-23 15:23 716 ----a-w- c:\program files\sbmnhy.txt 2009-08-21 08:10 . 2008-12-11 08:58 -------- d-----w- c:\program files\RA2HP 2009-08-07 13:07 . 2008-12-04 12:47 50704 ----a-w- c:\documents and settings\thompsjo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-08-07 12:59 . 2007-09-14 13:39 -------- d-----w- c:\program files\Hewlett-Packard 2009-07-06 14:20 . 2009-06-29 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\inFlow Inventory 2009-06-29 17:25 . 2009-06-29 17:02 -------- d-----w- c:\program files\inFlow Inventory 2009-06-29 17:25 . 2009-06-29 17:25 -------- d-----w- c:\program files\Business Objects 2009-06-29 17:24 . 2009-06-29 17:24 -------- d-----w- c:\program files\Common Files\Business Objects 2009-06-29 17:17 . 2007-09-17 11:04 -------- d-----w- c:\program files\Microsoft.NET 2009-06-29 17:17 . 2009-06-29 17:03 -------- d-----w- c:\program files\Microsoft SQL Server 2009-06-11 12:12 . 
2009-06-11 12:12 152576 ----a-w- c:\documents and settings\thompsjo\Application Data\Sun\Java\jre1.6.0_13\lzma.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Advanced Proxy Manager"="c:\program files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe" [2007-03-17 184320] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "Screenshot Captor"="c:\program files\ScreenshotCaptor\ScreenshotCaptor.exe" [2009-06-23 6321664] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-11 26624] "QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2007-06-26 225280] "IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2008-08-12 176128] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-30 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-30 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-30 118784] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-20 159744] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946] "Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-12-05 5720072] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-07-08 115560] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088] "GetITIcon"="c:\program files\Hewlett-Packard\GetITIcon\GetITShell.exe" [2009-05-05 864256] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" 
[2009-03-02 209153] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-23 149280] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-08-24 88363] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "SynchronousMachineGroupPolicy"= 0 (0x0) "SynchronousUserGroupPolicy"= 0 (0x0) "DisableNT4Policy"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoMSAppLogo5ChannelNotify"= 1 (0x1) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft 
ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"= "c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"= "c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [26/06/2007 23:06 53248] R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [26/06/2007 23:06 143360] R2 AvChgSvc;HP-AV Change Monitor Service;c:\progra~1\HPAVAD~1\avChgSvc.exe [12/12/2008 17:39 238080] R2 MSSQL$INFLOWSQL;SQL Server (INFLOWSQL);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [10/02/2007 14:29 29178224] R2 radexecd;HP OVCM Notify Daemon;c:\progra~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe [20/02/2007 14:59 270510] R2 radsched;HP OVCM Scheduler Daemon;c:\progra~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe [22/03/2007 18:19 172205] R2 Radstgms;HP OVCM MSI Redirector;c:\progra~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe [03/07/2008 09:28 315570] R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [06/04/2007 10:46 13619] R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [27/06/2007 16:10 9493] R3 aksbus;ActivIdentity Virtual Reader Enumerator;c:\windows\system32\drivers\aksbus.sys 
[06/04/2007 10:46 13647] R3 akspcsc;ActivIdentity Virtual PC/SC Device Driver;c:\windows\system32\drivers\akspcsc.sys [27/06/2007 16:10 10161] R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [04/12/2008 16:30 26137] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [27/02/2009 14:32 101936] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [06/04/2006 15:49 88192] R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [03/08/2007 11:31 23424] S0 twhiaiag;twhiaiag;c:\windows\system32\drivers\mikmfgk.sys --> c:\windows\system32\drivers\mikmfgk.sys [?] S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [26/06/2007 23:06 47660] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [08/07/2008 18:45 23888] S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [04/12/2008 16:30 155152] S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?] S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [21/08/2009 14:50 108289] --- Other Services/Drivers In Memory --- *Deregistered* - uphcleanhlp [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{922E8525-AC7E-4294-ACAA-43712D4423C0}] "c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe" [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9AC2D554-AC12-4F1F-AAB9-E6363ADE5381}] "c:\program files\Common Files\Hewlett-Packard\ActSet\HpActSet.exe" . 
Contents of the 'Scheduled Tasks' folder 2009-08-26 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}000.job - c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 16:35] 2009-08-26 c:\windows\Tasks\IDA{07A2D605-F561-11D1-BEE5-AC785AC8CD4E}001.job - c:\progra~1\HEWLET~1\PCCOE~1\Aimsi.dll [2009-03-27 16:35] 2009-08-26 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}000.job - c:\progra~1\HEWLET~1\PCCOE~1\clinvsi.dll [2008-09-07 17:06] 2009-08-26 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job - c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-23 22:27] 2009-08-26 c:\windows\Tasks\IDA{E1B2A4DD-AE06-4B97-9B55-8E8F1348E7FB}000.job - c:\progra~1\HEWLET~1\PCCOE~1\critupsi.dll [2008-09-07 16:13] . - - - - ORPHANS REMOVED - - - - Notify-NavLogon - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://athp.hp.com/ uInternet Settings,ProxyServer = web-proxy:8080 uInternet Settings,ProxyOverride = ;<local> IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm Trusted Zone: compaq.com\ie.config.asia Trusted Zone: compaq.com\ie.config.eur Trusted Zone: compaq.com\ie.config.im.hou Trusted Zone: compaq.com\ie.config.jp Trusted Zone: dec.com\ie.config.ecom Trusted Zone: hp.com Trusted Zone: tandem.com\ie.config Trusted Zone: compaq.com\ie.config.asia Trusted Zone: compaq.com\ie.config.eur Trusted Zone: compaq.com\ie.config.im.hou Trusted Zone: compaq.com\ie.config.jp Trusted Zone: dec.com\ie.config.ecom Trusted Zone: tandem.com\ie.config DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: {00100000-2004-0003-85AA-828F11E00F28} FF - ProfilePath - c:\documents and settings\thompsjo\Application Data\Mozilla\Firefox\Profiles\99x4bupo.default\ FF - prefs.js: network.proxy.type - 2 . 
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 10:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\windows\system32\accsp.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acpinto.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivCard\ActivCard Gold\resources\acerrmrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\asphatrc.dll
c:\program files\ActivCard\ActivCard Gold\resources\accsprc.dll
c:\windows\system32\acaccess.dll
c:\program files\ActivCard\ActivCard Gold\resources\acaccrc.dll

- - - - - - - > 'explorer.exe'(264)
c:\windows\system32\btmmhook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Completion time: 2009-08-26 10:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 09:20

Pre-Run: 36,634,693,632 bytes free
Post-Run: 36,713,820,160 bytes free

254
_________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:14, on 26/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\thompsjo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = web-proxy:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [iDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced Proxy Manager] C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [screenshot Captor] "C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
O16 - DPF: {00100000-2004-0003-85AA-828F11E00F28} -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = emea.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

--
End of file - 9599 bytes
  7. Hello, I was hoping someone could help me with removal of the Trojan.Agent file kwave.sys and the Rootkit.Agent mrxdavv.sys. I have run MBAM several times and each time after being prompted to reboot the files were still there. I think this seems to be a common problem, and have read about a lot of people experiencing this trouble on this forum and others - however I have not been able to solve my problem. If you need any more information or any more logs producing please let me know. I hope someone is able to help me. Many thanks for reading this. MBAM and HijackThis logs below. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.40
Database version: 2684
Windows 5.1.2600 Service Pack 2

23/08/2009 23:11:21
mbam-log-2009-08-23 (23-11-18).txt

Scan type: Quick Scan
Objects scanned: 99902
Time elapsed: 10 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys (Trojan.Goldun) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Network\rgadta.sys (Trojan.Goldun) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
******************************************************************************** **************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:11:53, on 23/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Symantec AntiVirus\SNAC.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\thompsjo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://athp.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [COEMsgDisplay] c:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [iDA] c:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GetITIcon] C:\Program Files\Hewlett-Packard\GetITIcon\GetITShell.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Advanced Proxy Manager] C:\Program Files\Karl Fleischmann\Advanced Proxy Manager\AdvancedProxyManager.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [screenshot Captor] "C:\Program Files\ScreenshotCaptor\ScreenshotCaptor.exe" /autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
O16 - DPF: {00100000-2004-0003-85AA-828F11E00F28} -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189776183175
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - https://digitalbadge.external.hp.com/hp/HPPKI.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = emea.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emea.cpqcorp.net
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivIdentity - C:\Program Files\Common Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: HP-AV Change Monitor Service (AvChgSvc) - Unknown owner - C:\PROGRA~1\HPAVAD~1\avChgSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: HP OVCM Notify Daemon (radexecd) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radexecd.exe
O23 - Service: HP OVCM Scheduler Daemon (radsched) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\radsched.exe
O23 - Service: HP OVCM MSI Redirector (Radstgms) - Hewlett-Packard - C:\PROGRA~1\HEWLET~1\PCCOE3~1\OVCMS~1\Radstgms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10565 bytes