Protools954
2009-01-04, 22:10
I must have downloaded a worm/virus a couple of days ago. I had good luck in the past removing viruses such as Windows Antivirus 2008 from a friend's PC and Antivirus 2009 from mine, so I have been lurking around the forums following some advice.
At first I could not get Malwarebytes to run; I had to go into safe mode. Now it works in regular mode, but I still can't get rid of 2 viruses: Rootkit.Agent.H and Trojan.Agent.
I also ran some scripts with ComboFix that I found on forums.
Please help!!!!!!!!
Here are some scans:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3
1/4/2009 2:25:18 PM
mbam-log-2009-01-04 (14-25-18).txt
Scan type: Quick Scan
Objects scanned: 57203
Time elapsed: 6 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.
ComboFix 08-12-31.01 - Owner 2009-01-04 14:26:29.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.664 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Unused Desktop Shortcuts\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys
.
((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))
.
2009-01-01 21:19 . 2009-01-01 21:19 <DIR> d-------- c:\program files\Trend Micro
2009-01-01 21:14 . 2009-01-01 21:14 126,976 --a------ c:\windows\system32\InstallAVg_77015105.exe
2009-01-01 19:30 . 2009-01-01 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-01 19:28 . 2004-04-01 04:03 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2009-01-01 19:28 . 2004-04-02 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-01 19:28 . 2004-04-01 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView
2009-01-01 19:28 . 2009-01-01 19:28 <DIR> d-------- c:\documents and settings\Administrator
2009-01-01 18:57 . 2009-01-01 18:57 25,600 --ahs---- c:\windows\system32\mss.dll
2009-01-01 18:55 . 2009-01-01 18:55 <DIR> d-------- c:\program files\IESurfBar
2009-01-01 18:55 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\d5c1be17.sys
2009-01-01 18:54 . 2009-01-01 18:54 43,750 --a------ C:\mnmx.exe
2009-01-01 18:42 . 2009-01-01 18:42 0 --a------ c:\windows\system32\tmcontrol.bin
2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\system32xp.exe.tmp
2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\.tmp
2009-01-01 18:02 . 2009-01-01 21:19 24,576 --a------ c:\windows\system32\tempexec.exe
2009-01-01 18:01 . 2009-01-01 18:01 108,336 --a------ c:\windows\system32\mswinsck.ocx
2009-01-01 18:00 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\6266c5bf.sys
2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\swapm.sys
2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\drivers\mafw.sys
2009-01-01 18:00 . 2009-01-01 18:00 4,707 --a------ c:\windows\system32\aidb.dat
2009-01-01 18:00 . 2009-01-01 18:54 2 --a------ C:\1077971964
2008-12-23 01:26 . 2008-12-23 01:26 410,984 --a------ c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-04 19:16 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-01-02 04:26 --------- d-----w c:\program files\Vuze
2009-01-02 03:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-01 23:04 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2009-01-01 23:00 8,512 ----a-w c:\windows\system32\drivers\sptd.sys
2009-01-01 22:59 --------- d-----w c:\program files\Common Files\Real
2008-12-23 06:26 --------- d-----w c:\program files\Java
2008-12-04 00:54 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:54 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-20 20:11 --------- d-----w c:\program files\free-downloads.net
2008-11-20 20:11 --------- d-----w c:\program files\Conduit
2008-11-20 20:11 --------- d-----w c:\program files\Alcohol Soft
2008-11-04 22:17 --------- d-----w c:\documents and settings\Owner\Application Data\Digidesign
2006-12-16 20:09 251,883 ----a-w c:\program files\uninstal.log
2004-12-05 06:24 184,808 -c--a-w c:\documents and settings\Owner\Application Data\shb.dat
2008-12-24 13:07 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-24 13:07 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-24 13:07 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-24 13:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-24 13:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-04-14 00:12 62,991 --sh--r c:\windows\system32\lssa.exe
2008-09-24 17:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-01-01_21.43.36.78 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 18:32:44 180,608 -c--a-w c:\windows\system32\dllcache\mrxdav.sys
+ 2009-01-04 19:32:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-29 66912]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2008-02-14 1555480]
[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]
[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-20 4608]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-12-03 1265296]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"WD Button Manager"="WDBtnMgr.exe" [2007-02-16 c:\windows\system32\WDBtnMgr.exe]
"Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=mss.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave10"= Digi32.dll
"Midi1"= BCR2000.DLL
"Midi2"= usbkt1x1.dll
"Midi3"= diomidi.dll
"Midi4"= mbx2midu.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mafw.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DriveSelect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveSelect.lnk
backup=c:\windows\pss\DriveSelect.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MFWAKeys.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MFWAKeys.lnk
backup=c:\windows\pss\MFWAKeys.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 04:34 32768 c:\program files\HP\Digital Imaging\bin\BackupNotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 18:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-27 04:34 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 22:02 61440 c:\hp\KBD\kbd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
--a------ 2004-11-09 03:29 286786 c:\program files\NZSearch\nzspc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor
"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-08-09 16384]
R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2006-01-20 11264]
R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
R1 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2008-08-09 21648]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2008-08-09 16400]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-08-09 97808]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-08-09 21904]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus.sys [2004-10-18 15488]
S1 FW;Service for M-Audio Firewire Driver (WDM);c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]
S1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2009-01-01 8512]
S2 mrtRate;mrtRate; []
S3 BCR2000;B-Control Rotary/Fader 2000 (08/04/2004,1.1.1.0);c:\windows\system32\drivers\bcr2000.sys [2004-08-13 21024]
S3 Duende;Duende Firewire Driver;c:\windows\system32\DRIVERS\Duende.sys [2007-05-24 54320]
S3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
S3 L6BODP;Bass PODxt Pro Service;c:\windows\system32\Drivers\L6BODP.sys [2004-10-05 114048]
S3 MAFW;%FW.SvcDesc%;c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-10-18 18816]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWAVE.sys [2004-10-18 24320]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2004-10-18 120576]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2006-01-15 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2006-01-15 22304]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\autorun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa894a6c-da92-11dd-81f7-00112f2dc419}]
\shell\autorun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-04 c:\windows\Tasks\hoagvhxs.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
2009-01-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-01-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.yahoo.com/
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFAlert.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 14:32:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6266c5bf]
"ImagePath"="\SystemRoot\System32\drivers\6266c5bf.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d5c1be17]
"ImagePath"="\SystemRoot\System32\drivers\d5c1be17.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Digidesign]
@Owner=S-1-5-21-3718370760-455776615-2973682036-1003
@Denied: (A C D) (S-1-5-21-3718370760-455776615-2973682036-1014)
@Allowed: (Full) (S-1-5-21-3718370760-455776615-2973682036-1014)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\mbx2midu.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\mbx2midu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ewido anti-malware\ewidoctrl.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-04 14:37:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 19:37:24
ComboFix2.txt 2009-01-03 02:22:51
ComboFix3.txt 2009-01-02 05:10:26
ComboFix4.txt 2009-01-02 04:49:39
ComboFix5.txt 2009-01-04 19:26:08
Pre-Run: 29,507,047,424 bytes free
Post-Run: 29,493,268,480 bytes free
364 --- E O F --- 2008-12-29 22:10:58
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MFWAKeys.lnk
backup=c:\windows\pss\MFWAKeys.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]
--a------ 2004-01-09 04:34 32768 c:\program files\HP\Digital Imaging\bin\BackupNotify.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 18:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2003-03-27 04:34 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2003-02-11 22:02 61440 c:\hp\KBD\kbd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]
--a------ 2004-11-09 03:29 286786 c:\program files\NZSearch\nzspc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor
"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-08-09 16384]
R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2006-01-20 11264]
R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]
R1 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2008-08-09 21648]
R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2008-08-09 16400]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-08-09 97808]
R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-08-09 21904]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus.sys [2004-10-18 15488]
S1 FW;Service for M-Audio Firewire Driver (WDM);c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]
S1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2009-01-01 8512]
S2 mrtRate;mrtRate; []
S3 BCR2000;B-Control Rotary/Fader 2000 (08/04/2004,1.1.1.0);c:\windows\system32\drivers\bcr2000.sys [2004-08-13 21024]
S3 Duende;Duende Firewire Driver;c:\windows\system32\DRIVERS\Duende.sys [2007-05-24 54320]
S3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]
S3 L6BODP;Bass PODxt Pro Service;c:\windows\system32\Drivers\L6BODP.sys [2004-10-05 114048]
S3 MAFW;%FW.SvcDesc%;c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]
S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-10-18 18816]
S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWAVE.sys [2004-10-18 24320]
S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2004-10-18 120576]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2006-01-15 13504]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2006-01-15 22304]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\autorun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa894a6c-da92-11dd-81f7-00112f2dc419}]
\shell\autorun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-04 c:\windows\Tasks\hoagvhxs.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
2009-01-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-01-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.yahoo.com/
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFAlert.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-04 14:32:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6266c5bf]
"ImagePath"="\SystemRoot\System32\drivers\6266c5bf.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d5c1be17]
"ImagePath"="\SystemRoot\System32\drivers\d5c1be17.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]
@Security="Inherited"
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
[HKEY_LOCAL_MACHINE\software\Digidesign]
@Owner=S-1-5-21-3718370760-455776615-2973682036-1003
@Denied: (A C D) (S-1-5-21-3718370760-455776615-2973682036-1014)
@Allowed: (Full) (S-1-5-21-3718370760-455776615-2973682036-1014)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\mbx2midu.dll
- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\mbx2midu.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ewido anti-malware\ewidoctrl.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-04 14:37:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-04 19:37:24
ComboFix2.txt 2009-01-03 02:22:51
ComboFix3.txt 2009-01-02 05:10:26
ComboFix4.txt 2009-01-02 04:49:39
ComboFix5.txt 2009-01-04 19:26:08
Pre-Run: 29,507,047,424 bytes free
Post-Run: 29,493,268,480 bytes free
364 --- E O F --- 2008-12-29 22:10:58