1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan virus-c:\windows\system32\drivers\mrxsmb.sys

Discussion in 'Virus & Other Malware Removal' started by Onodrimm, Dec 17, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. Onodrimm

    Onodrimm Thread Starter

    Joined:
    Dec 17, 2011
    Messages:
    4
  2. Onodrimm

    Onodrimm Thread Starter

    Joined:
    Dec 17, 2011
    Messages:
    4
    here is my combofix report:

    ComboFix 11-12-17.02 - jimm 12/17/2011 13:57:16.1.4 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1557 [GMT -6:00]
    Running from: c:\documents and settings\jimm\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\jimm\Application Data\completescan
    c:\documents and settings\jimm\Application Data\install
    c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}
    c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\chrome\content\_cfg.js
    c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\chrome\content\overlay.xul
    c:\documents and settings\jimm\Local Settings\Application Data\{D7F7DE3F-0ACA-4796-9D84-FB743DEA81F7}\install.rdf
    c:\documents and settings\jimm\Local Settings\Application Data\jqq.exe
    C:\Install.exe
    c:\windows\$NtUninstallKB37933$\2404632685
    c:\windows\$NtUninstallKB37933$\318736082\@
    c:\windows\$NtUninstallKB37933$\318736082\bckfg.tmp
    c:\windows\$NtUninstallKB37933$\318736082\cfg.ini
    c:\windows\$NtUninstallKB37933$\318736082\Desktop.ini
    c:\windows\$NtUninstallKB37933$\318736082\keywords
    c:\windows\$NtUninstallKB37933$\318736082\kwrd.dll
    c:\windows\$NtUninstallKB37933$\318736082\L\lpcjoloj
    c:\windows\$NtUninstallKB37933$\318736082\lsflt7.ver
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\$NtUninstallKB37933$\318736082\U\[email protected]
    c:\windows\system32\ctfmonxjl.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    c:\windows\$NtUninstallKB37933$ . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-17 to 2011-12-17 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-17 03:57 . 2011-04-25 05:13 147856 ----a-w- c:\program files\Mozilla Firefox\extensions\[email protected]_bak2\components\kavlinkfilter.dll
    2011-12-07 23:40 . 2011-12-07 23:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-12-07 23:40 . 2011-12-07 23:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-11-30 02:47 . 2011-11-30 02:47 -------- d-----w- c:\program files\iPod
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-21 17:15 . 2011-05-14 14:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-04 19:20 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2004-08-04 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-10-10 14:22 . 2010-07-18 12:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-25 13:07 . 2010-09-25 21:02 7304 ----a-w- c:\windows\TMP0001.TMP
    2011-11-10 03:23 . 2011-10-04 00:54 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "kmw_run.exe"="kmw_run.exe" [2005-09-01 118784]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-08-03 13892200]
    "NvMediaCenter"="NvMCTray.dll" [2011-08-03 111208]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-07-05 1632360]
    "LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
    "avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe" [2011-04-25 202296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Steam\\steamapps\\onodrimm\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Kensington\\MouseWorks\\k_update.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\back to the future trailer\\smp.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Steam\\steamapps\\treebeard77\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\mocha0range\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\portal 2\\portal2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\deus ex - human revolution\\dxhr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
    .
    R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [3/4/2011 1:23 PM 11352]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [6/6/2011 10:28 AM 2255464]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 34608]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-10 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: microsoft.com \update
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    FF - ProfilePath - c:\documents and settings\jimm\Application Data\Mozilla\Firefox\Profiles\2iw9crjf.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-MSWheel - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-12-17 14:17
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(6924)
    c:\windows\system32\WININET.dll
    c:\windows\TEMP\logishrd\LVPrcInj01.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\SearchIndexer.exe
    c:\windows\system32\kmw_run.exe
    c:\windows\system32\RunDLL32.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Java\Java Update\jucheck.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-17 14:21:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-17 20:21
    .
    Pre-Run: 2,181,001,216 bytes free
    Post-Run: 5,037,608,960 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 3D9E0BDA426277226D7CF7F1EE42725E
     
  3. Onodrimm

    Onodrimm Thread Starter

    Joined:
    Dec 17, 2011
    Messages:
    4
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8388

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/17/2011 2:55:13 PM
    mbam-log-2011-12-17 (14-55-13).txt

    Scan type: Quick scan
    Objects scanned: 188050
    Time elapsed: 3 minute(s), 5 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 3
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\XMLLookup (Hijacker.XMLLookup) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\intl (Hijacker.intl) -> Bad: (http://www.helpmeopen.com/?n=app&l=x&ext=%s) Good: (http://shell.windows.com/fileassoc/fileassoc.asp?LangID=x&Ext=%s) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Onodrimm

    Onodrimm Thread Starter

    Joined:
    Dec 17, 2011
    Messages:
    4
    Kaspersky still says I have a generic trojan that I can not remove.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1031664

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice