
Root kit --- slow internet/computer


  • This topic is locked
2 replies to this topic

#1 propain5000

propain5000

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 AM

Posted 18 May 2009 - 02:10 PM

Howdy to whom helps me,

My problem is that I seem to have a rootkit, amongst other problems... MBAM has been run multiple times and the silly thing keeps coming back. This little guy "netsik.sys" seems to be part of the problem, but what do I know! Thanks in advance for your help.

JOSH

*******************************************************************
Malwarebytes' Anti-Malware 1.36
Database version: 2142
Windows 5.1.2600 Service Pack 3

5/18/2009 1:06:32 PM
mbam-log-2009-05-18 (13-06-32).txt

Scan type: Quick Scan
Objects scanned: 79881
Time elapsed: 1 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsik (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\systemntmi (Rootkit.Spamtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\systemntmi (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\netsik.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\systemntmi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

*************************************************************
*************************************************************


DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 12:56:39.98 on Mon 05/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1140 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEA.EXE
svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Owner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus CX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticea.exe /fu "c:\windows\temp\E_S2EC.tmp" /EF "HKCU"
uRun: [Owner] c:\documents and settings\owner\Owner.exe /i
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techtools/dl/Comcast%20Activation%20Controls.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197690940989
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\7mfi80ce.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\plugins\npPxPlay.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-15 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S2 MessengerRpcSs;Messenger MessengerRpcSs;c:\windows\system32\appends.exe srv --> c:\windows\system32\appends.exe srv [?]
S2 netsik;netsik;c:\windows\system32\drivers\netsik.sys [2001-8-18 30976]
S2 systemntmi;systemntmi;c:\windows\system32\drivers\systemntmi.sys [2004-8-4 30976]

=============== Created Last 30 ================

2009-05-16 13:43 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-05-16 13:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-16 13:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-16 13:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-16 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-16 11:09 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-15 06:14 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-15 06:11 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-05-15 06:11 <DIR> --d----- c:\program files\Lavasoft
2009-05-14 21:13 <DIR> --d----- c:\program files\RegScrubXP
2009-05-14 21:09 266,360 a------- c:\windows\system32\TweakUI.exe
2009-05-14 21:09 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-05-14 20:56 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-05-12 06:30 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-05-12 06:29 <DIR> --d----- c:\windows\ie8updates
2009-05-12 06:28 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-12 06:26 <DIR> -cd-h--- c:\windows\ie8
2009-05-11 16:54 197 a------- c:\windows\system32\MRT.INI
2009-05-05 04:47 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-05 04:47 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-05 04:47 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-05 04:47 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-05 04:47 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-05 04:47 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-05 04:47 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-05 04:47 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-05 04:47 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-05 04:46 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-05 04:46 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-05 04:46 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-03 10:43 32 a--s---- c:\windows\system32\4233367982.dat
2009-05-03 10:43 21,026 ----h--- c:\documents and settings\owner\Owner.exe

==================== Find3M ====================

2009-05-18 12:29 30,976 a------- c:\windows\system32\drivers\systemntmi.sys
2009-05-17 16:42 30,976 a------- c:\windows\system32\drivers\netsik.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 08:22 284,160 a------- c:\windows\system32\pdh.dll
2008-11-23 08:47 726,008 a------- c:\documents and settings\owner\gotomypc_437.exe
2009-01-08 22:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010820090109\index.dat

============= FINISH: 12:57:07.92 ===============


#2 propain5000

propain5000
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 AM

Posted 20 May 2009 - 03:27 PM

You can disregard, I found a solution elsewhere...

Thanks anyhow...

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:01 PM

Posted 21 May 2009 - 10:48 AM

Thanks for informing us.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



