Virus in NDIS.SYS


This topic is locked. 13 replies to this topic.

#1 icku86


Posted 20 July 2009 - 04:56 AM

I have a trojan in my NDIS.SYS. The trojan initially changed my desktop wallpaper and started something like a spyware removal tool, but a fake one. I've run Trojan Remover, Anti Trojan Elite, Malwarebytes, Spyware Doctor and Windows Protection Tool. Some of the programs detected the trojan, but none of them removed it. Only Malwarebytes removed something like a virus. The desktop wallpaper I fixed myself by deleting all files in the Temp directory. But still NOD32 detects a trojan in NDIS.SYS and can't remove it. IE8 behaves strangely - sometimes it opens, sometimes it starts multiple IE processes in Task Manager, but no window is open at all.
Help?

#2 DaChew

BC Advisor

Posted 20 July 2009 - 05:45 AM

Would you post that MBAM log?
Chewy

No. Try not. Do... or do not. There is no try.

#3 icku86

Topic Starter

Posted 20 July 2009 - 06:00 AM

Malwarebytes' Anti-Malware 1.39
Database version: 2464
Windows 5.1.2600 Service Pack 2

20.7.2009 г. 04:08:40
mbam-log-2009-07-20 (04-08-40).txt

Scan type: Quick Scan
Objects scanned: 111172
Time elapsed: 50 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\reader_s.exe.vir (Trojan.GamesThief) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\msxml71.dll.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\igfxtray.exe170 (Trojan.GamesThief) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN1660.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN18.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN3.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN4.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN4C.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN5.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN63.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN79.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BNB.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BNC.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\4V2V6LYL\bb090621[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\9C4J5XOX\aasuper2[1].htm (Trojan.GamesThief) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\CHQJ85YR\aasuper1[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\HBJ391GA\aasuper0[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\HBJ391GA\isgtklct[1].htm (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\JNJS5M9D\dailybucks_install[1].exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\YPZO9GN6\setup[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\temporary internet files\Content.IE5\Z6OZ3X0L\install.48349[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.

#4 DaChew

BC Advisor

Posted 20 July 2009 - 06:25 AM

I am referring this to one of our HJT experts.

In the meantime run a complete scan with MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#5 extremeboy

Malware Response Team

Posted 20 July 2009 - 10:10 AM

Hello.

First off, there is a backdoor related trojan on your system. A good option here would be to format. Take a read below:

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

---

Did you run Combofix on this computer?


But still the NOD32 detects trojan in NDIS.SYS and can't remove it.

Anti-virus software will not quarantine or remove system files that are crucial to the system and required for the system's next boot-up; if that file is gone, your internet will malfunction as well.

Please scan a few system files for me.

Submit Files to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Browse to the following file(s) and scan them one at a time.
  • C:\WINDOWS\system32\winlogon.exe
  • C:\WINDOWS\SYSTEM32\lsass.exe
  • C:\WINDOWS\explorer.exe
  • C:\Windows\system32\userinit.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Please run GMER next.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double-click the GMER icon on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries

GMER may take a while, so please be patient until it completes.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#6 icku86

Topic Starter

Posted 20 July 2009 - 12:52 PM

Thanks for the quick reply. Here is the Combofix log:

ComboFix 09-07-19.04 - Administrator 07.2009 г. 11:19.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1015.544 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\bcrypt.html
c:\windows\system32\drivers\OCA_LOG.TXT

.
((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-20 01:26 . 2009-06-22 17:24 43336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-18 23:14 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-15 22:40 . 2009-06-22 16:42 -------- d-----w- c:\program files\Intel
2009-07-15 19:50 . 2009-06-22 16:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-08 11:47 . 2009-06-22 17:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Netscape
2009-06-22 18:37 . 2009-06-22 18:37 -------- d-----w- c:\program files\ESET
2009-06-22 18:37 . 2009-06-22 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-22 17:18 . 2009-06-22 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Backup
2009-06-22 17:06 . 2009-06-22 17:06 0 ----a-w- c:\windows\nsreg.dat
2009-06-22 17:03 . 2009-06-22 17:03 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{6815FCDD-401D-481E-BA88-31B4754C2B46}\ARPPRODUCTICON.exe
2009-06-22 16:48 . 2009-06-22 16:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intel
2009-06-22 16:48 . 2009-06-22 16:48 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Intel
2009-06-22 16:48 . 2009-06-22 16:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\Intel
2009-06-22 16:48 . 2009-06-22 16:48 -------- d-----w- c:\documents and settings\hristo\Application Data\Intel
2009-06-22 16:48 . 2009-06-22 16:48 -------- d-----w- c:\documents and settings\Default User\Application Data\Intel
2009-06-22 16:48 . 2009-06-22 16:48 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Intel
2009-06-22 16:47 . 2009-06-22 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Intel
2009-06-22 16:45 . 2009-06-22 16:19 -------- d-----w- c:\program files\HPQ
2009-06-22 16:42 . 2009-06-22 16:16 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-22 16:23 . 2009-06-22 16:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-06-22 16:23 . 2009-06-22 16:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-22 16:22 . 2009-06-22 16:22 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-22 16:22 . 2009-06-22 16:22 -------- d-----w- c:\documents and settings\hristo\Application Data\InstallShield
2009-06-22 16:20 . 2009-06-22 16:20 -------- d-----w- c:\program files\WIDCOMM
2009-06-22 16:17 . 2009-06-22 16:17 -------- d-----w- c:\program files\Analog Devices
2009-06-22 16:16 . 2009-06-22 16:16 -------- d-----w- c:\program files\Synaptics
2009-06-22 16:07 . 2009-06-22 15:38 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-22 15:39 . 2009-06-22 15:39 -------- d-----w- c:\program files\microsoft frontpage
2009-06-22 15:35 . 2009-06-22 15:35 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-16 14:55 . 2004-08-04 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:27 . 2004-08-04 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2004-08-04 12:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-06-23 08:08 . 2009-06-23 08:08 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-06-23 08:08 . 2009-06-23 08:08 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-06-23 08:08 . 2009-06-23 08:08 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
[-] 2009-07-18 23:14 212480 4E8B4F9E5CD6EB7042F726D1DEAD2DB7 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Uniblue RegistryBooster 2009"="c:\program files\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 1443072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-14 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
FlexType 2K.lnk - c:\program files\Datecs\FlexType 2K\FType2K.exe [2009-6-23 95232]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [19.7.2009 і. 19:41 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 і. 08:21 33800]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [06.12.2007 і. 21:03 660768]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [21.12.2007 і. 08:21 468224]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [22.6.2009 і. 19:43 97280]
S2 gupdate1c9fe61c82afab4;Усуі Google Update (gupdate1c9fe61c82afab4);c:\program files\Google\Update\GoogleUpdate.exe [06.7.2009 і. 20:47 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19.7.2009 і. 19:41 348752]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [25.6.2009 і. 15:16 25472]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-06 17:46]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]

2009-07-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-06 17:47]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)
Toolbar-{c95a4e8e-816d-4655-8c79-d736da1adb6d} - (no file)
Notify-avldr - avldr.dll
SafeBoot-PskSvcRetail


.
------- Supplementary Scan -------
.
uStart Page = www.google.bg/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Е&кспортирай в Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\htg0qj9d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=2&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 11:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\HTT681.tmp 7845 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,a4,d8,aa,3c,3b,33,4d,a8,0c,0e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,a4,d8,aa,3c,3b,33,4d,a8,0c,0e,\

[HKEY_USERS\S-1-5-21-1409082233-362288127-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,37,a2,13,ef,27,61,43,b1,35,a9,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,96,37,a2,13,ef,27,61,43,b1,35,a9,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-07-20 11:26
ComboFix-quarantined-files.txt 2009-07-20 08:26

Pre-Run: 7 990 046 720 bytes free
Post-Run: 8 739 610 624 bytes free

293 --- E O F --- 2009-07-20 07:21

#7 icku86 (Topic Starter)

Posted 20 July 2009 - 12:54 PM

For the winlogon.exe

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.20 -
AhnLab-V3 5.0.0.2 2009.07.20 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.20 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.20 -
ClamAV 0.94.1 2009.07.19 -
Comodo 1714 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.20 -
eSafe 7.0.17.0 2009.07.19 -
eTrust-Vet 31.6.6628 2009.07.20 -
F-Prot 4.4.4.56 2009.07.20 -
F-Secure 8.0.14470.0 2009.07.20 -
Fortinet 3.120.0.0 2009.07.20 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.20 -
Jiangmin 11.0.800 2009.07.20 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5681 2009.07.19 -
McAfee+Artemis 5681 2009.07.19 -
McAfee-GW-Edition 6.8.5 2009.07.20 -
Microsoft 1.4803 2009.07.20 -
NOD32 4261 2009.07.20 -
Norman 6.01.09 2009.07.20 -
nProtect 2009.1.8.0 2009.07.20 -
Panda 10.0.0.14 2009.07.19 -
PCTools 4.4.2.0 2009.07.20 -
Prevx 3.0 2009.07.20 -
Rising 21.39.04.00 2009.07.20 -
Sophos 4.43.0 2009.07.20 -
Sunbelt 3.2.1858.2 2009.07.19 -
Symantec 1.4.4.12 2009.07.20 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.20 -
VBA32 3.12.10.8 2009.07.19 -
ViRobot 2009.7.20.1843 2009.07.20 -
VirusBuster 4.6.5.0 2009.07.16 -
Additional information
File size: 502272 bytes
MD5 : 01c3346c241652f43aed8e2149881bfe
SHA1 : a5396141cab8b22d9d88b28a814089537dce366a
SHA256: affd0973cd3128083417d407f62bc4a635fc25b65dbf52e91d3ab4ae2f9c1b4a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3D353
timedatestamp.....: 0x41107EDC (Wed Aug 4 08:14:52 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x6F288 0x6F400 6.82 5a133ab60f38b5d739d86c8290fa5a3c
.data 0x71000 0x4D90 0x2000 6.20 baa64d00a5f8a540a38a60d2aff66f30
.rsrc 0x76000 0x9030 0x9200 3.62 b93cbbc049130e1bad3ea13d7512c074

( 0 imports )


( 0 exports )
TrID : File type identification
Win64 Executable Generic (80.9%)
Win32 Executable Generic (8.0%)
Win32 Dynamic Link Library (generic) (7.1%)
Generic Win/DOS Executable (1.8%)
DOS Executable Generic (1.8%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...aed8e2149881bfe
ssdeep: 6144:2YuZlm8LRlBw662R1pqrc7FmxSqVw/T+SN1TrSnmhPnpdcrFIzdFz/N5WjyfTNQG:2VLBhic7Qy1vSneJFDNhp8
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: WINLOGON.EXE, winlogon.exe
( Microsoft )

MSDN Disc 2428.4: winlogon.exe
MSDN Disc 2428.5: winlogon.exe
MSDN Disc 2428.8: winlogon.exe
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: winlogon.exe
Virtual PC for Mac Windows XP Home Edition: winlogon.exe
Virtual PC for Mac Windows XP Professional Edition: winlogon.exe

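The "ntrpy" and "md5" columns in the PE structure information above are the Shannon entropy (bits per byte, 0 to 8) and the MD5 of each section's raw bytes. The following is an added example, not code from this thread or from VirusTotal, showing how those two columns are computed: it walks the DOS header, PE signature, COFF header and section table by hand and hashes each section. The class and function names, the 7.0 bits/byte threshold used to flag a section as compressed or encrypted, and the three-section sample image built in `build_sample_pe()` are all this example's own assumptions; the sample is constructed, not one of the files scanned above.

```python
"""Per-section Shannon entropy and MD5 for a PE image, as in the "ntrpy" and
"md5" columns of VirusTotal's PE structure information.

Added example; not code from the thread or from VirusTotal. It walks the DOS
header, PE signature, COFF header and section table by hand (no pefile
dependency) and hashes each section's raw bytes. Function and class names
are this example's own; the sample image is constructed below.
"""
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    md5: str


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (one repeated value) to 8.0 (all values equally often)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> List[Section]:
    """Parse the section table of a PE file held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, _flags) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        data = image[rawptr:rawptr + rawsize]
        sections.append(Section(name.rstrip(b"\x00").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, shannon_entropy(data),
                                hashlib.md5(data).hexdigest()))
    return sections


def high_entropy_sections(sections: List[Section], threshold: float = 7.0) -> List[str]:
    """Names of sections whose raw bytes look compressed or encrypted.

    The threshold is an assumption of this example: plain compiled code sits
    well below 7 bits/byte, while packed or encrypted payloads approach 8."""
    return [s.name for s in sections if s.entropy >= threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal image: valid headers, three sections, no optional header."""
    text = bytes(range(256)) * 4           # every byte value equally often -> 8.0
    data = b"\x00" * 1024                  # a single byte value -> 0.0
    rsrc = b"\x00\x01" * 512               # two values, equally often -> 1.0
    nsec = 3
    hdr_end = 0x40 + 4 + 20 + 40 * nsec    # first raw byte after the section table
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0, 0x0102)
    headers, payload, vaddr, rawptr = [], b"", 0x1000, hdr_end
    for name, blob, flags in ((b".text", text, 0x60000020),
                              (b".data", data, 0xC0000040),
                              (b".rsrc", rsrc, 0x40000040)):
        headers.append(struct.pack("<8sIIIIIIHHI", name, len(blob), vaddr,
                                   len(blob), rawptr, 0, 0, 0, 0, flags))
        payload += blob
        vaddr += 0x1000
        rawptr += len(blob)
    return dos + b"PE\x00\x00" + coff + b"".join(headers) + payload


def analyse_sample() -> List[Section]:
    return pe_sections(build_sample_pe())


if __name__ == "__main__":
    for s in analyse_sample():
        print(f"{s.name:<6} va=0x{s.virtual_address:X} raw={s.raw_size} ntrpy={s.entropy:.2f} md5={s.md5}")
    print("high entropy:", high_entropy_sections(analyse_sample()))
```

To run it over a real file, pass `open(path, "rb").read()` to `pe_sections()` and compare the per-section MD5 values with the "md5" column of a VirusTotal report for the same file: a mismatch in `.text` with all other sections unchanged is the pattern a file infector that overwrites code leaves behind.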
#8 icku86 (Topic Starter)

Posted 20 July 2009 - 12:58 PM

For the lsass.exe
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.20 -
AhnLab-V3 5.0.0.2 2009.07.20 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.20 -
AVG 8.5.0.387 2009.07.20 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.20 -
ClamAV 0.94.1 2009.07.20 -
Comodo 1716 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.20 -
eSafe 7.0.17.0 2009.07.20 -
eTrust-Vet 31.6.6628 2009.07.20 -
F-Prot 4.4.4.56 2009.07.20 -
F-Secure 8.0.14470.0 2009.07.20 -
Fortinet 3.120.0.0 2009.07.20 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.20 -
Jiangmin 11.0.800 2009.07.20 -
K7AntiVirus 7.10.797 2009.07.20 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5682 2009.07.20 -
McAfee+Artemis 5682 2009.07.20 -
McAfee-GW-Edition 6.8.5 2009.07.20 -
Microsoft 1.4803 2009.07.20 -
NOD32 4262 2009.07.20 -
Norman 6.01.09 2009.07.20 -
nProtect 2009.1.8.0 2009.07.20 -
Panda 10.0.0.14 2009.07.20 -
PCTools 4.4.2.0 2009.07.20 -
Prevx 3.0 2009.07.20 -
Rising 21.39.04.00 2009.07.20 -
Sophos 4.43.0 2009.07.20 -
Sunbelt 3.2.1858.2 2009.07.19 -
Symantec 1.4.4.12 2009.07.20 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.20 -
VBA32 3.12.10.8 2009.07.19 -
ViRobot 2009.7.20.1843 2009.07.20 -
VirusBuster 4.6.5.0 2009.07.20 -
Additional information
File size: 13312 bytes
MD5...: 84885f9b82f4d55c6146ebf6065d75d2
SHA1..: 6473b34c05bc63eb0d66cad83355e6938cbe97e9
SHA256: 76fe1b6c432b6c74fc283de52d14ef668f8c4aad0d139f362635efb30482b4ed
ssdeep: 384:zbY9gHUJemIeSbWC8iLW74a8WfMptsN0BhgO49:PjsiQzRfMpy0BF4
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x14bd
timedatestamp.....: 0x41107b4d (Wed Aug 04 05:59:41 2004)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10d0 0x1200 6.01 d107b4f218abee66665545859fb9cc89
.data 0x3000 0x6c 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x1b40 0x1c00 7.16 e4a0d77578ef1aa0158f6be8dfc6d37a

( 5 imports )
> ADVAPI32.dll: FreeSid, CheckTokenMembership, AllocateAndInitializeSid, OpenThreadToken, ImpersonateSelf, RevertToSelf
> KERNEL32.dll: CloseHandle, GetCurrentThread, ExitThread, SetUnhandledExceptionFilter, SetErrorMode, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, RtlUnwind, InterlockedExchange, VirtualQuery
> ntdll.dll: NtSetInformationProcess, RtlInitUnicodeString, NtCreateEvent, NtOpenEvent, NtSetEvent, NtClose, NtRaiseHardError, RtlAdjustPrivilege, NtShutdownSystem, RtlUnhandledExceptionFilter
> LSASRV.dll: LsaISetupWasRun, LsapDsDebugInitialize, LsapAuOpenSam, LsapCheckBootMode, ServiceInit, LsapInitLsa, LsapDsInitializePromoteInterface, LsapDsInitializeDsStateInfo
> SAMSRV.dll: SamIInitialize, SampUsingDsData

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set

( Microsoft )

> MSDN Disc 2428.5: lsass.exe
> MSDN Disc 2428.4: lsass.exe
> MSDN Disc 2428.8: lsass.exe
> Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: lsass.exe
> Virtual PC for Mac Windows XP Professional Edition: lsass.exe
> Virtual PC for Mac Windows XP Home Edition: lsass.exe

( Gateway )

> Gateway Operating System Windows XP Pro Edition SP2: LSASS.EXE,lsass.exe

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=84885f9b82f4d55c6146ebf6065d75d2

#9 icku86 (Topic Starter)

Posted 20 July 2009 - 01:00 PM

For the explorer.exe

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.20 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.20 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.20 -
ClamAV 0.94.1 2009.07.19 -
Comodo 1715 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.20 -
eTrust-Vet 31.6.6628 2009.07.20 -
F-Prot 4.4.4.56 2009.07.20 -
Fortinet 3.120.0.0 2009.07.20 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.20 -
Jiangmin 11.0.800 2009.07.20 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5681 2009.07.19 -
McAfee+Artemis 5681 2009.07.19 -
McAfee-GW-Edition 6.8.5 2009.07.20 Heuristic.LooksLike.Trojan.Luder.Patched.K
Microsoft 1.4803 2009.07.20 -
PCTools 4.4.2.0 2009.07.20 -
Prevx 3.0 2009.07.20 -
Rising 21.39.04.00 2009.07.20 -
Sophos 4.43.0 2009.07.20 -
Sunbelt 3.2.1858.2 2009.07.19 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.20 -
VBA32 3.12.10.8 2009.07.19 -
ViRobot 2009.7.20.1843 2009.07.20 -
VirusBuster 4.6.5.0 2009.07.20 -
Additional information
File size: 1032192 bytes
MD5 : a0732187050030ae399b241436565e64
SHA1 : 69f33740413da112630be73ebb805a23b69f2f7f
SHA256: cbfbcc43b18deca5619706fc134d25e0dcebcd5257d0a70f5782c42e5c2fcec9
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1E24E
timedatestamp.....: 0x41107ECE (Wed Aug 4 08:14:38 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x44689 0x44800 6.38 b257b3cd7102cece46cd7366aff0f34b
.data 0x46000 0x1D90 0x1800 1.29 d0b87d8ce5a34731be197efb73b5d7bf
.rsrc 0x48000 0xB2278 0xB2400 6.63 abf6dc1befe1a4a4c7f6ef51d1a6f907
.reloc 0xFB000 0x36DC 0x3800 6.75 ee49ce3a409d6d28c1d63eabd34499b3

( 0 imports )


( 0 exports )
TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...99b241436565e64
ssdeep: 12288:izEut4RuAwGgc7fNuIEGpPoHWr2Rkf8I+skzan1/g/J/v5nn:izEuAwj2fNuIhakf8I+sk81/g/J/Jn
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: explorer.exe
( Microsoft )

MSDN Disc 2428.4: explorer.exe
MSDN Disc 2428.5: explorer.exe
MSDN Disc 2428.7: explorer.exe
MSDN Disc 2428.8: explorer.exe
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: explorer.exe
Virtual PC for Mac Windows XP Home Edition: explorer.exe
Virtual PC for Mac Windows XP Professional Edition: explorer.exe

#10 icku86 (Topic Starter)

Posted 20 July 2009 - 01:01 PM

For the userinit.exe

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.20 -
AhnLab-V3 5.0.0.2 2009.07.20 -
AntiVir 7.9.0.222 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Authentium 5.1.2.4 2009.07.20 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.19 -
BitDefender 7.2 2009.07.20 -
CAT-QuickHeal 10.00 2009.07.20 -
ClamAV 0.94.1 2009.07.19 -
Comodo 1710 2009.07.20 -
DrWeb 5.0.0.12182 2009.07.19 -
eSafe 7.0.17.0 2009.07.19 -
eTrust-Vet 31.6.6623 2009.07.18 -
F-Prot 4.4.4.56 2009.07.20 -
F-Secure 8.0.14470.0 2009.07.19 -
Fortinet 3.120.0.0 2009.07.20 -
GData 19 2009.07.20 -
Ikarus T3.1.1.64.0 2009.07.20 -
Jiangmin 11.0.800 2009.07.19 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee 5681 2009.07.19 -
McAfee+Artemis 5681 2009.07.19 -
McAfee-GW-Edition 6.8.5 2009.07.20 -
Microsoft 1.4803 2009.07.20 -
NOD32 4259 2009.07.19 -
Norman 6.01.09 2009.07.17 -
nProtect 2009.1.8.0 2009.07.20 -
PCTools 4.4.2.0 2009.07.19 -
Prevx 3.0 2009.07.20 -
Rising 21.39.00.00 2009.07.20 -
Sophos 4.43.0 2009.07.20 -
Sunbelt 3.2.1858.2 2009.07.19 -
Symantec 1.4.4.12 2009.07.20 -
TheHacker 6.3.4.3.370 2009.07.17 -
TrendMicro 8.950.0.1094 2009.07.20 -
VBA32 3.12.10.8 2009.07.19 -
ViRobot 2009.7.20.1842 2009.07.20 -
VirusBuster 4.6.5.0 2009.07.16 -
Additional information
File size: 24576 bytes
MD5 : 39b1ffb03c2296323832acbae50d2aff
SHA1 : e5aedcbe25a97c89101f1f3860ff846e94d70445
SHA256: 5b5d71718108e132d10bafb0c217f469a1e3cc13f79ff8d9cbe3bf4918aff7b7
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x50E5
timedatestamp.....: 0x41107B78 (Wed Aug 4 08:00:24 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4DB8 0x4E00 6.01 16aee663ed180007a0bf5bf24b845096
.data 0x6000 0x14C 0x200 1.86 cbb599f9267bf53209039d14a3574eb1
.rsrc 0x7000 0xB60 0xC00 3.27 b388ab1541ccd9727979fb26a23f72e1

( 7 imports )

> advapi32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
> crypt32.dll: CryptProtectData
> kernel32.dll: GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, SetEnvironmentVariableW, lstrlenW, lstrcpyW, FreeLibrary, GetProcAddress, LoadLibraryW, CompareFileTime, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, ExpandEnvironmentStringsW, SetEvent, OpenEventW, Sleep, GetLastError, SearchPathW, CreateProcessW
> msvcrt.dll: _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, __setusermatherr, __getmainargs, _acmdln, exit, _cexit, _XcptFilter, _exit, _c_exit, _initterm, _adjust_fdiv
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, NtQueryInformationToken, RtlConvertSidToUnicodeString
> user32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
> winspool.drv: SpoolerInit

( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexpert.com/report.aspx?md...832acbae50d2aff
ssdeep: 384:DNkhB/JD1CzaxzOV6s9cKmdPGFQ273eLXVBYkkjuv1hkNLdbaLa4CwUJuUCSF4WL:gJDUaxgu5YEVBxkjuv7wbaLa4PU4b7
PEiD : -
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: USERINIT.EXE, userinit.exe
( Microsoft )

MSDN Disc 2428.4: userinit.exe
MSDN Disc 2428.5: userinit.exe
MSDN Disc 2428.8: userinit.exe
Operating System Reinstallation CD Microsoft Windows XP Professional Service Pack 2: userinit.exe
Virtual PC for Mac Windows XP Home Edition: userinit.exe
Virtual PC for Mac Windows XP Professional Edition: userinit.exe

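The four reports in posts #7 to #10 share one plain-text format: one engine per line as engine, engine version, signature date and result, with "-" for a clean verdict, followed by hashes and an NSRL Reference Data Set lookup. The following is an added example, not code from the thread or from VirusTotal, that parses that table and pulls out what a responder reads it for: the detection ratio, whether a hit is a named signature or a heuristic (the one hit above, McAfee-GW-Edition on explorer.exe, is of the second kind), which engines were scanning with definitions older than the scan date, and whether the hash appeared in the NSRL set, which means the bytes are identical to a known distribution copy. The function names, the `HEURISTIC_MARKERS` list and the one-day staleness cutoff are this example's assumptions; the sample table is constructed from ten of the explorer.exe lines in post #9.

```python
"""Summarise a VirusTotal-style multi-engine result table.

Added example; not code from the thread or from VirusTotal. It parses the
plain-text table format pasted in the posts above, one engine per line:

    <engine> <version> <YYYY.MM.DD signature date> <result, or '-' if clean>

and answers the questions a responder asks of such a report: how many engines
flagged the file, whether the hits are named signatures or heuristics, and
which engines were scanning with stale definitions.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(.*)$")

# Substrings treated as generic/heuristic verdicts rather than named signature
# matches. This list is an assumption of the example; extend it per vendor.
HEURISTIC_MARKERS = ("Heuristic", "LooksLike", "Suspicious", "Generic", "Packed")

SCAN_DAY = date(2009, 7, 20)          # the day the reports above were produced

# Constructed sample: ten of the explorer.exe result lines from post #9,
# plus the header and trailer lines the parser has to skip.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.07.20 -
Antiy-AVL 2.0.3.7 2009.07.17 -
Avast 4.8.1335.0 2009.07.19 -
AVG 8.5.0.387 2009.07.20 -
K7AntiVirus 7.10.796 2009.07.18 -
Kaspersky 7.0.0.125 2009.07.20 -
McAfee-GW-Edition 6.8.5 2009.07.20 Heuristic.LooksLike.Trojan.Luder.Patched.K
Microsoft 1.4803 2009.07.20 -
Sophos 4.43.0 2009.07.20 -
TheHacker 6.3.4.3.370 2009.07.17 -
Additional information
File size: 1032192 bytes
"""


@dataclass
class EngineResult:
    engine: str
    version: str
    sig_date: date
    result: Optional[str]   # None when the engine printed '-'

    @property
    def heuristic(self) -> bool:
        return self.result is not None and any(m in self.result for m in HEURISTIC_MARKERS)


def parse_report(text: str) -> List[EngineResult]:
    """Return one EngineResult per engine line; header and trailer lines are skipped."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        engine, version, y, mo, d, verdict = m.groups()
        verdict = verdict.strip()
        results.append(EngineResult(engine, version, date(int(y), int(mo), int(d)),
                                    None if verdict in ("", "-") else verdict))
    return results


def stale_engines(results: List[EngineResult], scan_day: date, max_age_days: int = 1) -> List[str]:
    """Engines whose definitions were more than max_age_days old at scan time.

    A '-' from such an engine carries less weight than one from an engine that
    updated the same day, so a clean score should be read against this list."""
    cutoff = scan_day - timedelta(days=max_age_days)
    return [r.engine for r in results if r.sig_date < cutoff]


def summarise(results: List[EngineResult], scan_day: date, in_nsrl: bool) -> Dict[str, object]:
    hits = [r for r in results if r.result is not None]
    return {
        "ratio": f"{len(hits)}/{len(results)}",
        "named": [r.engine for r in hits if not r.heuristic],
        "heuristic": [r.engine for r in hits if r.heuristic],
        "stale": stale_engines(results, scan_day),
        # A hash present in the NSRL reference set means the scanned bytes are
        # byte-for-byte a known distribution file, so they cannot be a patched copy.
        "nsrl_known": in_nsrl,
    }


def summarise_sample() -> Dict[str, object]:
    """Run the summary over the constructed sample; the report lists its hash in the RDS."""
    return summarise(parse_report(SAMPLE_REPORT), SCAN_DAY, in_nsrl=True)


if __name__ == "__main__":
    for key, value in summarise_sample().items():
        print(f"{key:>10}: {value}")
```

The same parser handles the winlogon.exe, lsass.exe and userinit.exe tables above unchanged; paste the whole post into `parse_report()` and the hash and PE lines fall through the regex and are ignored.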
#11 extremeboy (Malware Response Team)

Posted 20 July 2009 - 01:03 PM

Hello.

Do not post the ComboFix log in this forum. My question to you was "did you run ComboFix". A simple answer, "yes" or "no", will do.

Please refer to the blue headlines above:

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


Could you also scan the other files with VirusTotal/VirScan? I would still like to see the results of those.

Your ndis.sys file is indeed infected here, but I would still want you to run GMER and post the log.

We can probably help fix that patched ndis.sys file, but we cannot do it here, as some tools are restricted here and other tools may need to be involved as well.

---

I suggest you start a new topic in the Malware Removal forum in order for this to be resolved, if you do not wish to format.

You can post the VirusTotal results and the GMER log in the new topic you start, or post them here if you wish. If you are going to post them here, please post the results before you start a topic in the Malware Removal forum.

1st Step: Preparation Guide Before Starting a Topic: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
2nd Step: Starting a Topic in the HJT-Malware Removal forum: http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Good Luck!

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to donate.

#12 extremeboy (Malware Response Team)

Posted 20 July 2009 - 01:06 PM

Hello.

It appears our posts crossed.

--

Anyway, I would still suggest you start a topic in the Malware Removal forum. Instructions are provided above.

You may post the GMER log in the new topic you start in the Malware Removal forum.

Once you start a topic there, please reply back here letting us know, so I can notify a moderator to close this topic.

With Regards,
Extremeboy

#13 icku86 (Topic Starter)

Posted 20 July 2009 - 02:17 PM

Thanks Extremeboy!
Here is the new topic: http://www.bleepingcomputer.com/forums/t/243068/infected-ndissys-trojan-win32-protectorb-virus/

#14 quietman7 (Global Moderator)

Posted 20 July 2009 - 02:31 PM

Files Infected:
c:\WINDOWS\system32\reader_s.exe.vir

Looks to be Virut.

However, since you already posted a log, I will leave it in Extremeboy's capable hands to provide further direction.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
