
Can't remove mrxdavv.sys and kwave.sys



Sphaa80
2009-08-03, 20:26
Hi there and thanks for reading.

I have some rootkit/virus/malware on my PC that Malwarebytes can't remove, and I just wonder if some of you can take a look at my reports.

When I started my PC one day a week ago I suddenly couldn't run Windows Update; I just got an error telling me it couldn't find a file, so I installed Malwarebytes.

MWB found three or four files that it called Rootkit.Agent.H and MWB was unable to remove them, so I started googling around and found out that someone with a similar problem had fixed it with Combofix. I ran Combofix (after reading some easy guides) and when it was finished it had deleted 5-6 files and everything looked good. Windows Update worked again, and I was so happy.
(A big problem is that I didn't store the logfiles from Combofix after I did this.)

But when I ran MWB again it showed two infections (mrxdavv.sys and kwave.sys) and I can't delete those. They come back every time, and both MWB and Combofix are unable to fix it.

Here are reports from HijackThis (post 2), Combofix (post 3) and MWB (post 4) created today. The logs were created in that order: first HijackThis, then Combofix and then MWB.

I understand that I may have messed up when I started analyzing myself and didn't store logfiles, but I hope somebody can take a quick look at those logs and see if you see anything wrong.

Sphaa80
2009-08-03, 20:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56:41, on 03.08.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\setrysvc.exe
C:\WINDOWS\System32\semwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe
C:\Programfiler\Java\jre6\bin\jqs.exe
C:\Programfiler\McAfee\Common Framework\FrameworkService.exe
C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Programfiler\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
C:\Programfiler\SigmaTel\C-dur-lyd\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programfiler\Dell\QuickSet\quickset.exe
C:\WINDOWS\stsystra.exe
C:\Programfiler\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programfiler\Wave Systems Corp\SecureUpgrade.exe
C:\Programfiler\Apoint\ApMsgFwd.exe
C:\Programfiler\Apoint\HidFind.exe
C:\Programfiler\Apoint\Apntex.exe
C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe
C:\Programfiler\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Programfiler\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Programfiler\McAfee\Common Framework\UdaterUI.exe
C:\Programfiler\Sierra Wireless Inc\3G Watcher\WaHelper.exe
C:\Programfiler\Sierra Wireless Inc\3G Watcher\Watcher.exe
C:\WINDOWS\system32\semwltray.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe
C:\Programfiler\McAfee\Common Framework\McTray.exe
C:\Programfiler\Java\jre6\bin\jusched.exe
C:\Programfiler\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Programfiler\DAEMON Tools Lite\daemon.exe
C:\Programfiler\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Sierra Wireless Inc\3G Watcher\SwiApiMux.exe
C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
C:\Programfiler\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programfiler\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://10.232.231.31/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.no/ig/dell?hl=no&client=dell-row-rel&channel=no&ibd=4070816
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programfiler\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Programfiler\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programfiler\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Document Manager] C:\Programfiler\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Programfiler\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programfiler\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programfiler\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programfiler\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Programfiler\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programfiler\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WatcherHelper] "C:\Programfiler\Sierra Wireless Inc\3G Watcher\WaHelper.exe"
O4 - HKLM\..\Run: [Watcher3G] "C:\Programfiler\Sierra Wireless Inc\3G Watcher\Watcher.exe" /minimized
O4 - HKLM\..\Run: [GCXX-Manager-Class] "C:\Programfiler\Sony Ericsson\Wireless Manager\GCXXManager.exe" -startup
O4 - HKLM\..\Run: [Sony Ericsson Wireless Manager UI] C:\WINDOWS\system32\semwltray
O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Programfiler\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programfiler\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programfiler\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programfiler\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Append to existing PDF - res://C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Programfiler\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programfiler\Fellesfiler\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GtFlashSwitch - OptionNV - C:\Programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programfiler\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Programfiler\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programfiler\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programfiler\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Programfiler\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programfiler\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony Ericsson Wireless LAN Tray Service (setrysvc) - Unknown owner - C:\WINDOWS\System32\setrysvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Programfiler\SigmaTel\C-dur-lyd\WDM\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Programfiler\Fellesfiler\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.12 TCS (tcsd_win32.exe) - Unknown owner - C:\Programfiler\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programfiler\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10835 bytes

Sphaa80
2009-08-03, 20:27
ComboFix 09-08-02.04 - Relacom 03.08.2009 18:59.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.47.1044.18.2038.1423 [GMT 2:00]
Kjører fra: c:\documents and settings\Relacom\Skrivebord\CoFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-07-03 til 2009-08-03 )))))))))))))))))))))))))))))))))
.

2009-08-03 16:09 . 2009-08-03 16:09 -------- d-----w- c:\documents and settings\Relacom\Programdata\simon4
2009-08-03 16:06 . 2006-12-08 10:02 251672 ----a-w- c:\windows\system32\xactengine2_5.dll
2009-08-03 16:06 . 2006-11-29 11:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-08-03 16:06 . 2006-11-15 09:38 15128 ----a-w- c:\windows\system32\x3daudio1_1.dll
2009-08-03 16:06 . 2006-09-28 14:05 237848 ----a-w- c:\windows\system32\xactengine2_4.dll
2009-08-03 16:06 . 2006-09-28 14:04 68888 ----a-w- c:\windows\system32\xinput1_3.dll
2009-08-03 16:06 . 2006-09-28 14:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-08-03 16:06 . 2006-07-28 07:30 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2009-08-03 16:06 . 2006-07-28 07:30 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2009-08-03 16:05 . 2005-05-26 13:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-03 16:05 . 2009-08-03 16:05 278728 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-08-03 16:05 . 2009-08-03 16:05 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-08-03 16:04 . 2009-08-03 16:04 -------- d-----w- c:\programfiler\Trend Micro
2009-08-03 15:55 . 2009-08-03 16:08 -------- d-----w- c:\programfiler\Simon the Sorcerer - Chaos happens
2009-08-03 09:32 . 2009-02-27 10:55 111992 ----a-w- c:\windows\system32\acaptuser32.dll
2009-08-03 08:43 . 2009-08-03 08:43 -------- d-----w- c:\programfiler\Fellesfiler\Macrovision Shared
2009-08-03 08:43 . 2008-04-07 03:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-08-03 08:43 . 2008-04-07 03:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll
2009-08-03 08:25 . 2009-08-03 08:25 -------- d-----w- C:\QUARANTINE
2009-08-01 13:56 . 2009-08-01 13:56 -------- d-----w- c:\documents and settings\Relacom\Programdata\ScummVM
2009-08-01 10:02 . 2009-08-01 10:02 -------- d-----w- c:\documents and settings\All Users\Programdata\DAEMON Tools Lite
2009-08-01 10:02 . 2009-08-01 10:02 -------- d-----w- c:\programfiler\DAEMON Tools Toolbar
2009-08-01 10:02 . 2009-08-01 10:58 -------- d-----w- c:\programfiler\DAEMON Tools Lite
2009-08-01 09:52 . 2009-08-01 09:52 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-01 09:52 . 2009-08-01 10:03 -------- d-----w- c:\documents and settings\Relacom\Programdata\DAEMON Tools Lite
2009-07-28 09:00 . 2009-08-03 16:36 -------- d-----w- c:\programfiler\Spybot - Search & Destroy
2009-07-28 09:00 . 2009-08-03 16:36 -------- d-----w- c:\documents and settings\All Users\Programdata\Spybot - Search & Destroy
2009-07-27 15:44 . 2009-07-27 15:55 -------- d-----w- c:\documents and settings\All Users\AdobeTemp
2009-07-27 13:57 . 2009-07-27 13:57 -------- d-----w- c:\documents and settings\All Users\Programdata\SUPERAntiSpyware.com
2009-07-27 13:56 . 2009-07-27 16:01 -------- d-----w- c:\programfiler\SUPERAntiSpyware
2009-07-27 07:02 . 2009-07-27 07:02 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-07-27 06:47 . 2009-07-27 06:47 -------- d-----w- c:\documents and settings\Administrator\Lokale innstillinger\Programdata\Mozilla
2009-07-21 23:11 . 2009-07-21 23:11 8416 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-07-21 23:11 . 2009-07-21 23:11 8416 ----a-w- c:\windows\system32\drivers\swumx20.sys
2009-07-21 21:09 . 2009-07-21 21:09 -------- d-----w- c:\programfiler\Ashampoo
2009-07-21 20:58 . 2009-07-28 12:18 -------- d-----w- c:\programfiler\Unlocker
2009-07-20 21:48 . 2009-07-20 21:48 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-20 21:31 . 2009-07-20 21:31 -------- d-----w- c:\documents and settings\Administrator\Programdata\Malwarebytes
2009-07-20 21:31 . 2009-07-20 21:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-20 21:26 . 2009-07-13 11:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 20:55 . 2009-07-20 20:55 -------- d-----w- c:\documents and settings\All Users\Programdata\12756714
2009-07-20 20:49 . 2004-08-04 11:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-15 06:24 . 2009-07-15 06:24 -------- d-----w- c:\programfiler\MSECache
2009-07-14 11:49 . 2009-07-14 11:49 83144 ----a-w- c:\documents and settings\LocalService\Lokale innstillinger\Programdata\FontCache3.0.0.0.dat
2009-07-07 18:58 . 2009-07-07 18:58 -------- d-----w- c:\windows\SHELLNEW
2009-07-07 18:58 . 2009-07-07 18:58 -------- d-----w- c:\programfiler\Microsoft.NET
2009-07-07 18:55 . 2009-07-07 18:55 -------- d--h--r- C:\MSOCache
2009-07-06 17:41 . 2009-07-06 13:54 33843104 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_nor.exe
2009-07-06 17:40 . 2009-07-06 17:40 95232 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\pcswpcsi.exe
2009-07-06 17:40 . 2009-07-06 17:40 8192 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstCCD.exe
2009-07-06 17:40 . 2009-07-06 17:40 61440 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-07-06 17:40 . 2009-07-06 17:40 10240 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Installer\CommonCustomActions\UninstPCS.exe
2009-07-06 06:09 . 2009-07-06 06:09 152576 ----a-w- c:\documents and settings\Relacom\Programdata\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-03 16:36 . 2008-03-01 12:08 -------- d-----w- c:\documents and settings\Relacom\Programdata\Desktop Sidebar
2009-08-03 09:04 . 2007-08-23 16:44 32040 ----a-w- c:\documents and settings\Relacom\Lokale innstillinger\Programdata\GDIPFONTCACHEV1.DAT
2009-08-03 08:42 . 2007-08-23 19:35 -------- d-----w- c:\programfiler\Fellesfiler\Adobe
2009-08-03 05:32 . 2007-08-23 16:44 -------- d-----w- c:\documents and settings\Relacom\Programdata\Wave Systems Corp
2009-07-28 12:37 . 2009-05-05 06:17 -------- d-----w- c:\programfiler\TeamViewer
2009-07-28 12:18 . 2009-02-20 10:20 -------- d-----w- c:\programfiler\ReNamer
2009-07-27 15:59 . 2009-03-08 20:19 -------- d-----w- c:\programfiler\Fellesfiler\3DO Shared
2009-07-27 14:55 . 2004-09-28 12:07 80868 ----a-w- c:\windows\system32\perfc014.dat
2009-07-27 14:55 . 2004-09-28 12:07 445844 ----a-w- c:\windows\system32\perfh014.dat
2009-07-20 21:27 . 2008-07-07 10:41 -------- d-----w- c:\programfiler\Malwarebytes' Anti-Malware
2009-07-20 21:25 . 2008-07-07 10:42 3775175 ----a-w- c:\documents and settings\All Users\Programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-13 11:36 . 2008-07-07 10:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-06 17:42 . 2009-05-04 09:44 -------- d-----w- c:\programfiler\Nokia
2009-07-06 17:42 . 2009-05-04 09:45 -------- d-----w- c:\programfiler\Fellesfiler\Nokia
2009-07-06 13:54 . 2009-05-04 09:43 -------- d-----w- c:\documents and settings\All Users\Programdata\Installations
2009-07-06 06:10 . 2007-08-16 16:57 -------- d-----w- c:\programfiler\Java
2009-07-03 17:01 . 2004-09-28 12:07 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-22 10:29 . 2007-08-24 08:37 -------- d-----w- c:\documents and settings\Relacom\Programdata\OpenOffice.org2
2009-06-22 07:08 . 2009-05-04 09:45 -------- d-----w- c:\documents and settings\Relacom\Programdata\Nokia
2009-06-22 06:58 . 2009-06-22 06:58 -------- d-----w- c:\programfiler\PC Connectivity Solution
2009-06-22 06:56 . 2009-06-22 06:56 95232 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2009-06-22 06:56 . 2009-06-22 06:56 8192 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-22 06:56 . 2009-06-22 06:56 61440 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-22 06:56 . 2009-06-22 06:56 10240 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-22 06:17 . 2009-06-22 06:56 33692368 ----a-w- c:\documents and settings\All Users\Programdata\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_nor.exe
2009-06-16 14:43 . 2004-09-28 12:07 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:43 . 2004-09-28 12:07 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:11 . 2004-09-28 12:07 1294336 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 09:33 . 2008-11-28 11:21 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-07 15:34 . 2004-09-28 12:07 346112 ----a-w- c:\windows\system32\localspl.dll
2008-05-25 13:09 . 2008-05-25 13:09 15574 ----a-w- c:\programfiler\messages.log
2009-08-02 18:25 . 2009-05-03 06:15 134648 ----a-w- c:\programfiler\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-03_16.48.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-03 17:03 . 2009-08-03 17:03 16384 c:\windows\Temp\Perflib_Perfdata_33c.dat
.
(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="c:\programfiler\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]
"DAEMON Tools Lite"="c:\programfiler\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson Wireless Manager UI"="c:\windows\system32\semwltray" [X]
"Apoint"="c:\programfiler\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-18 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-18 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-18 138008]
"Dell QuickSet"="c:\programfiler\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
"Document Manager"="c:\programfiler\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2007-01-30 102400]
"SecureUpgrade"="c:\programfiler\Wave Systems Corp\SecureUpgrade.exe" [2007-01-22 212992]
"IntelZeroConfig"="c:\programfiler\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\programfiler\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\FELLES~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\programfiler\Fellesfiler\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\programfiler\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\programfiler\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ShStatEXE"="c:\programfiler\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"McAfeeUpdaterUI"="c:\programfiler\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"WatcherHelper"="c:\programfiler\Sierra Wireless Inc\3G Watcher\WaHelper.exe" [2006-09-28 95776]
"Watcher3G"="c:\programfiler\Sierra Wireless Inc\3G Watcher\Watcher.exe" [2006-09-28 914976]
"GCXX-Manager-Class"="c:\programfiler\Sony Ericsson\Wireless Manager\GCXXManager.exe" [2005-03-12 811113]
"HP Software Update"="c:\programfiler\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\programfiler\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\programfiler\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Adobe Acrobat Speed Launcher"="c:\programfiler\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\programfiler\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2007-02-18 303104]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
Security Packages REG_SZ kerberos

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programfiler\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Programfiler\\Sierra Wireless Inc\\3G Watcher\\SwiApiMux.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Programfiler\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\igfxsrvc.exe"=

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\programfiler\Broadcom\ASFIPMon\AsfIpMon.exe -service --> c:\programfiler\Broadcom\ASFIPMon\AsfIpMon.exe -service [?]
R2 GtFlashSwitch;GtFlashSwitch;c:\programfiler\Fellesfiler\GtFlashSwitch\GtFlashSwitch.exe [09.02.2007 14:48 176128]
R2 setrysvc;Sony Ericsson Wireless LAN Tray Service;c:\windows\System32\setrysvc.exe c:\windows\System32\semwltry.exe --> c:\windows\System32\setrysvc.exe c:\windows\System32\semwltry.exe [?]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [28.09.2004 14:06 5120]
R3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [12.07.2006 16:59 97920]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [02.11.2006 13:32 97536]
R3 swivsp;AC8xx Virtual Serial Port;c:\windows\system32\drivers\swivspnt.sys [15.02.2006 10:06 20736]
S1 saskutil;SASKUTIL;\??\c:\programfiler\SUPERAntiSpyware\SASKUTIL.sys --> c:\programfiler\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 SEM43XX;Driver for Sony Ericsson trådløst 802.11 LAN-kort SEM43XX;c:\windows\system32\drivers\semwl5.SYS [24.08.2007 10:21 368896]
S3 SEMWModem;Sony Ericsson SEMWModem;c:\windows\system32\drivers\GCXX.sys [23.08.2007 21:44 114944]
S3 SEMWWNIC;Sony Ericsson SEMWWNIC;c:\windows\system32\drivers\GCXXNet.sys [23.08.2007 21:44 53248]
S3 Sony_EricssonWWSC;Sony Ericsson SIM Card Reader;c:\windows\system32\drivers\GCXXSC.sys [23.08.2007 21:44 21888]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Innholdet i mappen 'Scheduled Tasks' (planlagte oppgaver)

2009-07-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programfiler\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-08-02 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]

2009-08-03 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 16:04]
.
.
------- Tilleggsskanning -------
.
uStart Page = hxxp://10.232.231.31/
IE: Append to existing PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\biolsp.dll
FF - ProfilePath - c:\documents and settings\Relacom\Programdata\Mozilla\Firefox\Profiles\hqrxefoy.default\
FF - component: c:\programfiler\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\programfiler\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\programfiler\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-03 19:04
Windows 5.1.2600 Service Pack 3 NTFS

skanner skjulte prosesser ...

skanner skjulte autostart-oppføringer ...

skanner skjulte filer ...

skanning vellykket
skjulte filer: 0

**************************************************************************
.
--------------------- DLL'er Lastet Av Kjørende Prosesser ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\windows\System32\SEMLogon.dll

- - - - - - - > 'lsass.exe'(904)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\programfiler\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programfiler\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programfiler\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_nor.nlr
c:\programfiler\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\programfiler\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\programfiler\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Andre Kjørende Prosesser ------------------------
.
c:\programfiler\Intel\Wireless\Bin\EvtEng.exe
c:\programfiler\Intel\Wireless\Bin\S24EvMon.exe
c:\programfiler\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\setrysvc.EXE
c:\windows\system32\scardsvr.exe
c:\programfiler\Broadcom\ASFIPMon\AsfIpMon.exe
c:\programfiler\Java\jre6\bin\jqs.exe
c:\programfiler\McAfee\Common Framework\FrameworkService.exe
c:\programfiler\McAfee\VirusScan Enterprise\Mcshield.exe
c:\programfiler\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\programfiler\McAfee\Common Framework\naPrdMgr.exe
c:\programfiler\Dell\QuickSet\NicConfigSvc.exe
c:\windows\system32\HPZipm12.exe
c:\programfiler\Intel\Wireless\Bin\RegSrvc.exe
c:\programfiler\SigmaTel\C-dur-lyd\WDM\stacsv.exe
c:\programfiler\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\windows\system32\igfxsrvc.exe
c:\programfiler\Apoint\ApMsgFwd.exe
c:\programfiler\Apoint\hidfind.exe
c:\programfiler\McAfee\Common Framework\Mctray.exe
c:\windows\system32\semwltray.EXE
c:\programfiler\Apoint\ApntEx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\msdtc.exe
c:\programfiler\Intel\Wireless\Bin\Dot1XCfg.exe
c:\programfiler\PC Connectivity Solution\ServiceLayer.exe
c:\programfiler\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\programfiler\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2009-08-03 19:08 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2009-08-03 17:08
ComboFix2.txt 2009-08-03 16:51

Pre-Run: 54*749*110*272 byte ledig
Post-Run: 54*643*388*416 byte ledig

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
278 --- E O F --- 2009-07-30 06:11

Sphaa80
2009-08-03, 20:30
Malwarebytes' Anti-Malware 1.39
Databaseversjon: 2547
Windows 5.1.2600 Service Pack 3

03.08.2009 19:54:40
mbam-log-2009-08-03 (19-54-34).txt

Skanntype: Full Skann (C:\|)
Objekter skannet: 181006
Tid tilbakelagt: 43 minute(s), 40 second(s)

Minneprosesser infisert: 0
Minnemoduler infisert: 0
Registernøkler infisert: 0
Registerverdier infisert: 0
Registerfiler infisert: 0
Mapper infisert: 0
Filer infisert: 2

Minneprosesser infisert:
(Ingen mistenkelige filer funnet)

Minnemoduler infisert:
(Ingen mistenkelige filer funnet)

Registernøkler infisert:
(Ingen mistenkelige filer funnet)

Registerverdier infisert:
(Ingen mistenkelige filer funnet)

Registerfiler infisert:
(Ingen mistenkelige filer funnet)

Mapper infisert:
(Ingen mistenkelige filer funnet)

Filer infisert:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.




I have tried to delete those two files several times without luck, so I just took "No action" this time.
The language is Norwegian; hope it isn't a problem.

Sphaa80
2009-08-03, 20:48
Another thing: this is in the catchme file created by Combofix:

-------- 2009-08-03 - 18:58:31 -------------

read file error: C:\WINDOWS\system32\drivers\mrxdavv.sys, Ikke nok kvote tilgjengelig til å utføre denne kommandoen.
read file error: C:\WINDOWS\system32\kwave.sys, Ikke nok kvote tilgjengelig til å utføre denne kommandoen.


"Ikke nok kvote tilgjengelig til å utføre denne kommandoen"
means something like
"Not enough ****(I don't understand the next word) available to execute the command"

And BTW, don't mind my homepage in IE; http://10.232.231.31/ is correct :)

-------------------------------
Edit
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)


Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. In addition, helpers would think you are already being assisted because of the post count. For that reason we may merge such posts if there is time, but please do not count on it.

Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)


NOTE: ComboFix is not a general purpose cleaning tool!
It should only be run under the supervision of someone who has been trained and continues their education in its use.
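The way a helper would triage the three excerpts above, written here as an added example (it is not code from Malwarebytes, ComboFix, catchme or anyone in this thread): it parses the ComboFix "Andre slettinger" list, the MBAM "Filer infisert" entries and the catchme "read file error" lines copied from the posts, and reports which flagged files were deleted and then found again by the later scan. It assumes only the log layouts shown in this thread.

```python
import re
from datetime import datetime

# Constructed input: the relevant lines copied from the ComboFix, MBAM and
# catchme excerpts posted in this thread (Norwegian tool output left as-is).
COMBOFIX_LOG = r"""
ComboFix 09-08-02.04 - Relacom 03.08.2009 18:59.5.2 - NTFSx86
.
((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2009-07-03 til 2009-08-03 )))))))))))))))))))))))))))))))))
.
2009-08-03 16:09 . 2009-08-03 16:09 -------- d-----w- c:\documents and settings\Relacom\Programdata\simon4
"""

MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.39
03.08.2009 19:54:40
Filer infisert: 2

Filer infisert:
C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> No action taken.
C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> No action taken.
"""

CATCHME_LOG = r"""
-------- 2009-08-03 - 18:58:31 -------------

read file error: C:\WINDOWS\system32\drivers\mrxdavv.sys, Ikke nok kvote tilgjengelig til å utføre denne kommandoen.
read file error: C:\WINDOWS\system32\kwave.sys, Ikke nok kvote tilgjengelig til å utføre denne kommandoen.
"""

# ComboFix section banners look like "(((( Title ))))"; only the title matters.
BANNER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
# MBAM detection line: <path> (<detection name>) -> <action taken>
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return path.strip().lower()


def parse_combofix(text: str):
    """Return (run time, paths listed under 'Andre slettinger' = other deletions)."""
    m = re.search(r"ComboFix \S+ - \S+ (\d{2})\.(\d{2})\.(\d{4}) (\d{2}):(\d{2})", text)
    run_at = datetime(int(m[3]), int(m[2]), int(m[1]), int(m[4]), int(m[5]))
    deleted, in_section = [], False
    for line in text.splitlines():
        banner = BANNER.match(line.strip())
        if banner:  # each banner either opens the deletions section or ends it
            in_section = banner[1] == "Andre slettinger"
            continue
        if in_section and line.strip() not in ("", "."):
            deleted.append(norm(line))
    return run_at, deleted


def parse_mbam(text: str):
    """Return (scan time, {path: (detection name, action)}) from an MBAM log."""
    m = re.search(r"(\d{2})\.(\d{2})\.(\d{4}) (\d{2}):(\d{2}):(\d{2})", text)
    scan_at = datetime(int(m[3]), int(m[2]), int(m[1]), int(m[4]), int(m[5]), int(m[6]))
    hits = {}
    for line in text.splitlines():
        d = DETECTION.match(line.strip())
        if d:
            hits[norm(d["path"])] = (d["name"], d["action"].rstrip("."))
    return scan_at, hits


def parse_catchme(text: str):
    """Return {path: error text} for every 'read file error' catchme logged."""
    errors = {}
    for line in text.splitlines():
        m = re.match(r"read file error: (.+?), (.+)$", line.strip())
        if m:
            errors[norm(m[1])] = m[2]
    return errors


def correlate(combofix: str, mbam: str, catchme: str):
    """One record per file MBAM flagged. A path ComboFix reported deleted that a
    later MBAM scan found again has been recreated, so whatever drops it is still
    running; a file catchme could not even read is a second sign of shielding."""
    cf_at, deleted = parse_combofix(combofix)
    mb_at, hits = parse_mbam(mbam)
    errors = parse_catchme(catchme)
    report = []
    for path, (name, action) in sorted(hits.items()):
        recreated = path in deleted and mb_at > cf_at
        report.append({
            "path": path,
            "detection": name,
            "mbam_action": action,
            "deleted_by_combofix_at": cf_at if path in deleted else None,
            "redetected_at": mb_at,
            "unreadable_by_scanner": path in errors,
            "verdict": "recreated after deletion" if recreated else "first sighting",
        })
    return report


if __name__ == "__main__":
    for rec in correlate(COMBOFIX_LOG, MBAM_LOG, CATCHME_LOG):
        print(f"{rec['path']}: {rec['detection']} -> {rec['verdict']}"
              + (" (catchme could not read the file)" if rec["unreadable_by_scanner"] else ""))
```

For this thread both files come out as "recreated after deletion" and unreadable, which is the pattern that tells a helper the dropper, not just the dropped files, still has to be found.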

Sphaa80
2009-08-06, 15:41
Hi there.

I just wonder if you can close my thread? I got my problem fixed so I don't need any help. Thanks anyway :)

http://forums.spybot.info/showthread.php?t=50504