Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Still seeing Antivirus Live after ComboFix

Still seeing Antivirus Live after ComboFix

Still seeing Antivirus Live after ComboFix

Had Internet Security 2010 and other trojans on a friend's PC. MalwareByte's got rid of almost everything EXCEPT a Google search redirection problem. Couldn't find any trace of the source using Process Explorer, HijackThis or GMER.

I decided to run Combofix. When I ran it, it said "ComboFix has detected the following real time scanner(s) to be active: Antivirus Live".

So I canceled the Combofix scan and tried RKill to kill the process, but it still said the same thing. So, I ran Combofix despite the warning. It ran, completed successfully and fixed some items.


Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

The redirection issue is GONE, but I launched ComboFix again and it still said "ComboFix has detected the following real time scanner(s) to be active: Antivirus Live" and AVG 9.0" (because I had re-enabled AVG). I did NOT run ComboFix for a second time, but I launched it to see if that first warning had gone away.

]So, here's my question - redirection is gone, but yet Combofix still detects some running process belonging to Antivirus Live. So what to do????

I don't have physical access to the PC, but I can give you HijackThis logs from before and after combofix as well as the combofix log itself unless you have another suggestion or just say not to worry about the message.

RE: Still seeing Antivirus Live after ComboFix

You sure it isn't a startup/service item that can be disabled?  It kinda sounds like some process is starting, but apparently has nothing left to connect to - that'd be my guess.


"If to err is human, then I must be some kind of human!" -Me

RE: Still seeing Antivirus Live after ComboFix

But I can't find it anywhere and no scan can either.  For sure it's something starting from somewhere.

The brainiacs over at BleepingComputer haven't responded to my post, even though they are the purveyors of Combofix.

RE: Still seeing Antivirus Live after ComboFix

Hmm, is it possible that Combofix is detecting that from AVG's quarantine (Vault)?  If you empty the AVG vault, does that make the message go away?


"If to err is human, then I must be some kind of human!" -Me

RE: Still seeing Antivirus Live after ComboFix

No - AVG never found the Antivirus Live.  It wasn't even installed until after I started doing all the scanning/removing.  Besides, if it were in the Quarantine, it's effectively neutralized and prevented from running.

This is something  that is actively running/loading in memory in order for ComboFix to ask me to shut it down before continuing its scan.

The infection symptoms are gone, but some piece is obviously still running.

RE: Still seeing Antivirus Live after ComboFix

My guess is it'd have to be a registry entry being kicked off by something in the startup/service items, regardless.  Does it show up if in safe mode, or do you remember?  If it didn't, then I'd suspect you can find the trigger by process of elimination...

Well, anyway, it's a really interesting situation there.  It's one of those things that if I had my hands on the machine, I could find myself spending hours trying to find the solution.  Hopefully you'll get it started - for you, the computer owner, and anyone else who reads this at a later date.


"If to err is human, then I must be some kind of human!" -Me

RE: Still seeing Antivirus Live after ComboFix

And I thought about (kind of doubtful it'd end up working) using a program like SearchMyFiles to search through the actual text of the file.  You can search the text as well as the binary code of files for a match, besides name, size, etc... it's really quick, got lots of options, and it's portable.


"If to err is human, then I must be some kind of human!" -Me

RE: Still seeing Antivirus Live after ComboFix

Look at my first post ElectronicsFreak - it says specifically that it cannot be seen in Process Explorer.

It has to be a rootkit that has taken over a driver (.sys) even though ComboFix removed and replaced the atapi.sys file already which it found to be infected.

RE: Still seeing Antivirus Live after ComboFix

My bad, did not see that.  Was in a hurry this mornign when I read that lol.   

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

RE: Still seeing Antivirus Live after ComboFix

Did you run super anti spyware as well?  And yes, please post the hijack log after the scans.   

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

RE: Still seeing Antivirus Live after ComboFix

I don't know if this is going to help - I don't see anything bad here in the HJ log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:45 PM, on 1/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190665742687
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.closetcad.net/cortona/cortvrml42.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

End of file - 8543 bytes

RE: Still seeing Antivirus Live after ComboFix

Yeah it looks clean.  Well it was worth a try lol.  I honestly have no clue.  Too bad penchegs seems to be away.  I figure he would have an answer for this.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon

RE: Still seeing Antivirus Live after ComboFix

Clutter is the least of my worries at this point.

RE: Still seeing Antivirus Live after ComboFix

It would be interesting to find out what ComboFix sees when it detects that. It is really a process or is it a program or a key in the registry. Have you run any root kit detectors (see FAQ760-6534: What is a rootkit and how do I get rid of it? for some dated info)?

James P. Cottingham
I'm number 1,229!
I'm number 1,229!

RE: Still seeing Antivirus Live after ComboFix

Brother - I got it all.  Different logs separated by ++++++++++++++++++++

ComboFix Log 1st and only time I let it run all the way:
ComboFix 10-01-17.02 - Andy 01/18/2010  15:12:48.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.639 [GMT -5:00]
Running from: c:\documents and settings\Andy\Desktop\ComboFix.exe
AV: Antivirus Live *On-access scanning enabled* (Outdated) {B316C67E-09F1-44c7-85E0-94F6DA8A4AA1}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

Logfile of The Avenger Version 2.0, (c) by Swandog46

Platform:  Windows XP


Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.


Finished!  Terminate.

DDS (Ver_09-12-01.01) - NTFSx86  
Run by Andy at 19:15:54.56 on Thu 01/21/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.494 [GMT -5:00]

AV: Antivirus Live *On-access scanning enabled* (Outdated)   {B316C67E-09F1-44c7-85E0-94F6DA8A4AA1}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Linksys\Wireless-B PCI Adapter\NICServ.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Linksys\Wireless-B PCI Adapter\WMP11Cfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Andy\Desktop\ERC-Client-3-00.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Andy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www6.comcast.net/a/
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [NBJ] "c:\progra~1\ahead\neroba~1\NBJ.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DVDTray] c:\program files\ahead\odd toolkit\DVDTray.exe
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\andy\startm~1\programs\startup\autoru~1\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-b pci adapter\WMP11Cfg.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190665742687
DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} - hxxp://www.closetcad.net/cortona/cortvrml42.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-16 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-16 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-16 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-16 285392]
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [2007-9-25 95232]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-17 135664]
S4 cpuz128;cpuz128;\??\c:\docume~1\andy\locals~1\temp\cpuz_x32.sys --> c:\docume~1\andy\locals~1\temp\cpuz_x32.sys [?]

=============== Created Last 30 ================

==================== Find3M  ====================

2009-12-14 14:35:08    1380403    ----a-w-    c:\windows\system32\avgsdk.dll
2009-11-15 18:39:15    196094    ----a-w-    c:\windows\hpoins41.dat
2009-10-29 07:46:59    832512    ------w-    c:\windows\system32\wininet.dll
2009-10-29 07:46:52    78336    ----a-w-    c:\windows\system32\ieencode.dll
2009-10-29 07:46:50    17408    ------w-    c:\windows\system32\corpol.dll
2008-05-26 23:55:42    408    ----a-w-    c:\program files\common files\System.class
2008-10-04 16:47:10    32768    --sha-w-    c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 19:19:05.67 ===============

ROOTREPEAL (c) AD, 2007-2009
Scan Start Time:        2010/01/22 21:53
Program Version:        Version
Windows Version:        Windows XP SP3

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75C8000    Size: 187776    File Visible: -    Signed: -
Status: -

Image Path: \Driver\ACPI_HAL
Address: 0x804D7000    Size: 2189184    File Visible: -    Signed: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF7B49000    Size: 4384    File Visible: -    Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEECBA000    Size: 138496    File Visible: -    Signed: -
Status: -

Name: asyncmac.sys
Image Path: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Address: 0xEE278000    Size: 14336    File Visible: -    Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7580000    Size: 96512    File Visible: -    Signed: -
Status: -

Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000    Size: 286720    File Visible: -    Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7D49000    Size: 3072    File Visible: -    Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xEEBCF000    Size: 326528    File Visible: -    Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF78EF000    Size: 21760    File Visible: -    Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xEED52000    Size: 353920    File Visible: -    Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B5B000    Size: 4224    File Visible: -    Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7A27000    Size: 12288    File Visible: -    Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7687000    Size: 63744    File Visible: -    Signed: -
Status: -

Name: cdrbsvsd.SYS
Image Path: C:\WINDOWS\System32\Drivers\cdrbsvsd.SYS
Address: 0xF7AF7000    Size: 12736    File Visible: -    Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF76E7000    Size: 62976    File Visible: -    Signed: -
Status: -

Address: 0xF7657000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7647000    Size: 36352    File Visible: -    Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF7707000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEEBB7000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BB1000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEED42000    Size: 12288    File Visible: -    Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000    Size: 73728    File Visible: -    Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7D36000    Size: 4096    File Visible: -    Signed: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys
Address: 0xF70F9000    Size: 145408    File Visible: -    Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF79E7000    Size: 27392    File Visible: -    Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7807000    Size: 44544    File Visible: -    Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF78C7000    Size: 20480    File Visible: -    Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7560000    Size: 129792    File Visible: -    Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B59000    Size: 7936    File Visible: -    Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7598000    Size: 125056    File Visible: -    Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF7A07000    Size: 21120    File Visible: -    Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000    Size: 131840    File Visible: -    Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF711D000    Size: 680704    File Visible: -    Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xF71C4000    Size: 1042432    File Visible: -    Signed: -
Status: -

Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Address: 0xF72E6000    Size: 212224    File Visible: -    Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEDB8C000    Size: 265728    File Visible: -    Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF76B7000    Size: 52480    File Visible: -    Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBFA33000    Size: 483328    File Visible: -    Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBFA05000    Size: 188416    File Visible: -    Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF9E3000    Size: 139264    File Visible: -    Signed: -
Status: -

Name: ialmkchw.sys
Image Path: C:\WINDOWS\system32\drivers\ialmkchw.sys
Address: 0xEEEF1000    Size: 78752    File Visible: -    Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ialmnt5.sys
Address: 0xF736A000    Size: 90848    File Visible: -    Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF9D6000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: ialmsbw.sys
Image Path: C:\WINDOWS\system32\drivers\ialmsbw.sys
Address: 0xEEED5000    Size: 113504    File Visible: -    Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF76D7000    Size: 42112    File Visible: -    Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xF76A7000    Size: 36352    File Visible: -    Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xEED04000    Size: 152832    File Visible: -    Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xEEE02000    Size: 75264    File Visible: -    Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7617000    Size: 37248    File Visible: -    Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF79EF000    Size: 24576    File Visible: -    Signed: -
Status: -

Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7B17000    Size: 8192    File Visible: -    Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xED043000    Size: 172416    File Visible: -    Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF72C3000    Size: 143360    File Visible: -    Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7537000    Size: 92928    File Visible: -    Signed: -
Status: -

Name: LSIPNDS.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
Address: 0xF731A000    Size: 95232    File Visible: -    Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xEE646000    Size: 9920    File Visible: -    Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B5D000    Size: 4224    File Visible: -    Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF79DF000    Size: 30080    File Visible: -    Signed: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF738D000    Size: 16128    File Visible: -    Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF79F7000    Size: 23040    File Visible: -    Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7627000    Size: 42368    File Visible: -    Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xEE72A000    Size: 180608    File Visible: -    Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xEEC1F000    Size: 455296    File Visible: -    Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF78DF000    Size: 19072    File Visible: -    Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF7747000    Size: 35072    File Visible: -    Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7B0F000    Size: 15488    File Visible: -    Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7463000    Size: 105344    File Visible: -    Signed: -
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xF79FF000    Size: 25504    File Visible: -    Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF747D000    Size: 182656    File Visible: -    Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7AFF000    Size: 10112    File Visible: -    Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xEEA63000    Size: 14592    File Visible: -    Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF701C000    Size: 91520    File Visible: -    Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7777000    Size: 40576    File Visible: -    Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF77D7000    Size: 34688    File Visible: -    Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xEECDC000    Size: 162816    File Visible: -    Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF78E7000    Size: 30848    File Visible: -    Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF74AA000    Size: 574976    File Visible: -    Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000    Size: 2189184    File Visible: -    Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7D08000    Size: 2944    File Visible: -    Signed: -
Status: -

Address: 0xF7AC3000    Size: 12864    File Visible: -    Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF70E5000    Size: 80128    File Visible: -    Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF789F000    Size: 19712    File Visible: -    Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF7BCD000    Size: 6784    File Visible: -    Signed: -
Status: -

Image Path: C:\WINDOWS\system32\PCANDIS5.SYS
Address: 0xEDB5C000    Size: 14752&nb

RE: Still seeing Antivirus Live after ComboFix


What happens when you open the registry with regedit and search for "Antivirus Live"?


RE: Still seeing Antivirus Live after ComboFix

That is a good point.  I don't know that I did that - don't have access to the machine right at the moment, so would have to do a remote session later.

I know I searched for something in the registry - I believe it was SYSGUARD which is the normal executable (xxxsysguard.exe) that is associated with this malware.  That was NOT found.

There really aren't any symptoms of malware left and I don't think any malware is ACTIVE, but obviously something is running (a driver or a .dll) that makes ComboFix THINK that the malware is still active.

It COULD be a bug in combofix, but for the sake of thoroughness, I want to be sure.  

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close