
Infected NDIS.SYS trojan Win32 Protector.B virus


This topic is locked
2 replies to this topic

#1 icku86 (Members)

Posted 20 July 2009 - 02:15 PM

My "NDIS.SYS" file is infected with a trojan. I got the name of the virus from my Nod32. I think that the trojan affects my IE - it's not working properly. I saw that I have a second file inside "system32" named "NDIS(2).SYS".
Here is the log from DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 22:00:15,09 on 20.07.2009 г.
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.1015.516 [GMT 3:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Datecs\FlexType 2K\FType2K.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.bg/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\program files\registrybooster\RegistryBooster.exe /S
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\flexty~1.lnk - c:\program files\datecs\flextype 2k\FType2K.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Е&кспортирай в Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\htg0qj9d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1561552&SearchSource=2&q=

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-19 130936]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2007-12-21 33800]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2007-12-6 660768]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2007-12-21 468224]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-6-22 97280]
S2 gupdate1c9fe61c82afab4;Усуі Google Update (gupdate1c9fe61c82afab4);c:\program files\google\update\GoogleUpdate.exe [2009-7-6 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-19 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-19 1096584]
S3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-6-25 25472]

=============== Created Last 30 ================

2009-07-20 11:25 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-07-20 11:17 219,648 a------- c:\windows\PEV.exe
2009-07-20 11:17 161,792 a------- c:\windows\SWREG.exe
2009-07-20 11:17 98,816 a------- c:\windows\sed.exe
2009-07-20 11:16 <DIR> --ds---- C:\ComboFix
2009-07-20 03:36 <DIR> --d----- c:\program files\Enigma Software Group
2009-07-20 03:16 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-20 03:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-20 03:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-20 03:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-20 03:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-20 03:03 <DIR> --dsh--- c:\documents and settings\administrator\PrivacIE
2009-07-20 01:17 <DIR> --dsh--- c:\documents and settings\administrator\IETldCache
2009-07-20 01:16 <DIR> --d----- c:\windows\ie8updates
2009-07-20 01:13 <DIR> -cd-h--- c:\windows\ie8
2009-07-20 01:12 217 a------- c:\windows\system32\MRT.INI
2009-07-20 01:10 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-20 01:10 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-20 01:10 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-20 01:10 1,985,024 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-07-20 01:10 11,064,832 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-07-20 00:44 116,224 ac------ c:\windows\system32\dllcache\xrxwiadr.dll
2009-07-20 00:44 23,040 ac------ c:\windows\system32\dllcache\xrxwbtmp.dll
2009-07-20 00:44 17,408 ac------ c:\windows\system32\dllcache\xrxscnui.dll
2009-07-20 00:44 27,648 ac------ c:\windows\system32\dllcache\xrxftplt.exe
2009-07-20 00:44 4,608 ac------ c:\windows\system32\dllcache\xrxflnch.exe
2009-07-20 00:43 99,865 ac------ c:\windows\system32\dllcache\xlog.exe
2009-07-20 00:43 16,970 ac------ c:\windows\system32\dllcache\xem336n5.sys
2009-07-20 00:43 19,455 ac------ c:\windows\system32\dllcache\wvchntxx.sys
2009-07-20 00:43 19,328 ac------ c:\windows\system32\dllcache\wstcodec.sys
2009-07-20 00:43 12,063 ac------ c:\windows\system32\dllcache\wsiintxx.sys
2009-07-20 00:41 13,568 ac------ c:\windows\system32\dllcache\wacompen.sys
2009-07-20 00:40 687,999 ac------ c:\windows\system32\dllcache\usrwdxjs.sys
2009-07-20 00:39 26,624 ac------ c:\windows\system32\dllcache\umaxu22.dll
2009-07-20 00:38 440,576 ac------ c:\windows\system32\dllcache\tridkb.dll
2009-07-20 00:38 222,336 ac------ c:\windows\system32\dllcache\trid3dm.sys
2009-07-20 00:38 315,520 ac------ c:\windows\system32\dllcache\trid3d.dll
2009-07-20 00:38 34,375 ac------ c:\windows\system32\dllcache\tpro4.sys
2009-07-20 00:38 42,496 ac------ c:\windows\system32\dllcache\tp4res.dll
2009-07-20 00:38 82,432 ac------ c:\windows\system32\dllcache\tp4mon.exe
2009-07-20 00:38 31,744 ac------ c:\windows\system32\dllcache\tp4.dll
2009-07-20 00:38 4,992 ac------ c:\windows\system32\dllcache\toside.sys
2009-07-20 00:38 230,912 ac------ c:\windows\system32\dllcache\tosdvd03.sys
2009-07-20 00:38 241,664 ac------ c:\windows\system32\dllcache\tosdvd02.sys
2009-07-20 00:38 28,232 ac------ c:\windows\system32\dllcache\tos4mo.sys
2009-07-20 00:38 123,995 ac------ c:\windows\system32\dllcache\tjisdn.sys
2009-07-20 00:38 138,528 ac------ c:\windows\system32\dllcache\tgiulnt5.sys
2009-07-20 00:36 103,936 ac------ c:\windows\system32\dllcache\sx.sys
2009-07-20 00:35 61,824 ac------ c:\windows\system32\dllcache\speed.sys
2009-07-20 00:35 106,584 ac------ c:\windows\system32\dllcache\spdports.dll
2009-07-20 00:35 19,072 ac------ c:\windows\system32\dllcache\sparrow.sys
2009-07-20 00:35 7,552 ac------ c:\windows\system32\dllcache\sonypvu1.sys
2009-07-20 00:35 37,040 ac------ c:\windows\system32\dllcache\sonypi.sys
2009-07-20 00:35 114,688 ac------ c:\windows\system32\dllcache\sonypi.dll
2009-07-20 00:35 20,752 ac------ c:\windows\system32\dllcache\sonync.sys
2009-07-20 00:35 9,600 ac------ c:\windows\system32\dllcache\sonymc.sys
2009-07-20 00:35 7,552 ac------ c:\windows\system32\dllcache\sonyait.sys
2009-07-20 00:35 7,040 ac------ c:\windows\system32\dllcache\snyaitmc.sys
2009-07-20 00:35 58,368 ac------ c:\windows\system32\dllcache\smiminib.sys
2009-07-20 00:35 147,200 ac------ c:\windows\system32\dllcache\smidispb.dll
2009-07-20 00:35 25,034 ac------ c:\windows\system32\dllcache\smcpwr2n.sys
2009-07-20 00:33 104,064 ac------ c:\windows\system32\dllcache\sisgrp.sys
2009-07-20 00:32 6,912 ac------ c:\windows\system32\dllcache\seaddsmc.sys
2009-07-20 00:31 210,496 ac------ c:\windows\system32\dllcache\s3mvirge.dll
2009-07-20 00:30 79,104 ac------ c:\windows\system32\dllcache\rocket.sys
2009-07-20 00:30 30,080 ac------ c:\windows\system32\dllcache\rndismpx.sys
2009-07-20 00:30 37,563 ac------ c:\windows\system32\dllcache\rlnet5.sys
2009-07-20 00:30 59,648 ac------ c:\windows\system32\dllcache\rfcomm.sys
2009-07-20 00:30 86,097 ac------ c:\windows\system32\dllcache\reslog32.dll
2009-07-20 00:30 13,776 ac------ c:\windows\system32\dllcache\recagent.sys
2009-07-20 00:30 714,762 ac------ c:\windows\system32\dllcache\r2mdmkxx.sys
2009-07-20 00:30 899,146 ac------ c:\windows\system32\dllcache\r2mdkxga.sys
2009-07-20 00:30 41,472 ac------ c:\windows\system32\dllcache\qvusd.dll
2009-07-20 00:30 3,328 ac------ c:\windows\system32\dllcache\qv2kux.sys
2009-07-20 00:30 49,024 ac------ c:\windows\system32\dllcache\ql1280.sys
2009-07-20 00:30 40,448 ac------ c:\windows\system32\dllcache\ql1240.sys
2009-07-20 00:30 45,312 ac------ c:\windows\system32\dllcache\ql12160.sys
2009-07-20 00:28 121,344 ac------ c:\windows\system32\dllcache\phvfwext.dll
2009-07-20 00:27 30,495 ac------ c:\windows\system32\dllcache\pc100nds.sys
2009-07-20 00:26 61,056 ac------ c:\windows\system32\dllcache\ohci1394.sys
2009-07-20 00:26 1,897,408 ac------ c:\windows\system32\dllcache\nv4_mini.sys
2009-07-20 00:26 4,274,816 ac------ c:\windows\system32\dllcache\nv4_disp.dll
2009-07-20 00:26 198,144 ac------ c:\windows\system32\dllcache\nv3.sys
2009-07-20 00:26 123,776 ac------ c:\windows\system32\dllcache\nv3.dll
2009-07-20 00:26 180,360 ac------ c:\windows\system32\dllcache\ntmtlfax.sys
2009-07-20 00:26 51,552 ac------ c:\windows\system32\dllcache\ntgrip.sys
2009-07-20 00:26 9,344 ac------ c:\windows\system32\dllcache\ntapm.sys
2009-07-20 00:26 7,552 ac------ c:\windows\system32\dllcache\nsmmc.sys
2009-07-20 00:26 28,672 ac------ c:\windows\system32\dllcache\nscirda.sys
2009-07-20 00:26 87,040 ac------ c:\windows\system32\dllcache\nm6wdm.sys
2009-07-20 00:26 126,080 ac------ c:\windows\system32\dllcache\nm5a2wdm.sys
2009-07-20 00:26 32,840 ac------ c:\windows\system32\dllcache\ngrpci.sys
2009-07-20 00:24 7,168 ac------ c:\windows\system32\dllcache\mxport.dll
2009-07-20 00:23 35,200 ac------ c:\windows\system32\dllcache\msgame.sys
2009-07-20 00:22 7,424 ac------ c:\windows\system32\dllcache\mammoth.sys
2009-07-20 00:21 34,688 ac------ c:\windows\system32\dllcache\lbrtfdc.sys
2009-07-20 00:21 26,442 ac------ c:\windows\system32\dllcache\lanepic5.sys
2009-07-20 00:21 43,008 ac------ c:\windows\system32\dllcache\ksxbar.ax
2009-07-20 00:21 19,016 ac------ c:\windows\system32\dllcache\ktc111.sys
2009-07-20 00:21 90,624 ac------ c:\windows\system32\dllcache\kswdmcap.ax
2009-07-20 00:21 61,952 ac------ c:\windows\system32\dllcache\kstvtune.ax
2009-07-20 00:21 37,376 ac------ c:\windows\system32\dllcache\kousd.dll
2009-07-20 00:21 242,176 ac------ c:\windows\system32\dllcache\kdsusd.dll
2009-07-20 00:21 45,568 ac------ c:\windows\system32\dllcache\kdsui.dll
2009-07-20 00:21 14,848 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-07-20 00:20 26,624 ac------ c:\windows\system32\dllcache\irstusb.sys
2009-07-20 00:20 18,688 ac------ c:\windows\system32\dllcache\irsir.sys
2009-07-20 00:20 23,552 ac------ c:\windows\system32\dllcache\irmk7.sys
2009-07-20 00:20 40,832 ac------ c:\windows\system32\dllcache\irbus.sys
2009-07-20 00:20 16,384 ac------ c:\windows\system32\dllcache\ipsink.ax
2009-07-20 00:20 45,632 ac------ c:\windows\system32\dllcache\ip5515.sys
2009-07-20 00:20 90,200 ac------ c:\windows\system32\dllcache\io8ports.dll
2009-07-20 00:20 38,784 ac------ c:\windows\system32\dllcache\io8.sys
2009-07-20 00:20 13,056 ac------ c:\windows\system32\dllcache\inport.sys
2009-07-20 00:20 16,000 ac------ c:\windows\system32\dllcache\ini910u.sys
2009-07-20 00:18 58,592 ac------ c:\windows\system32\dllcache\i740nt5.sys
2009-07-20 00:18 353,184 ac------ c:\windows\system32\dllcache\i740dnt5.dll
2009-07-20 00:18 18,560 ac------ c:\windows\system32\dllcache\i2omp.sys
2009-07-20 00:18 8,192 ac------ c:\windows\system32\dllcache\i2omgmt.sys
2009-07-20 00:18 1,041,536 ac------ c:\windows\system32\dllcache\hsfdpsp2.sys
2009-07-20 00:18 685,056 ac------ c:\windows\system32\dllcache\hsfcxts2.sys
2009-07-20 00:18 32,285 ac------ c:\windows\system32\dllcache\hsfcisp2.dll
2009-07-20 00:18 220,032 ac------ c:\windows\system32\dllcache\hsfbs2s2.sys
2009-07-20 00:18 488,383 ac------ c:\windows\system32\dllcache\hsf_v124.sys
2009-07-20 00:18 50,751 ac------ c:\windows\system32\dllcache\hsf_tone.sys
2009-07-20 00:18 73,279 ac------ c:\windows\system32\dllcache\hsf_spkp.sys
2009-07-20 00:18 44,863 ac------ c:\windows\system32\dllcache\hsf_soar.sys
2009-07-20 00:18 57,471 ac------ c:\windows\system32\dllcache\hsf_samp.sys
2009-07-20 00:16 123,392 ac------ c:\windows\system32\dllcache\hpgt21tk.dll
2009-07-20 00:15 92,160 ac------ c:\windows\system32\dllcache\fuusd.dll
2009-07-20 00:15 455,296 ac------ c:\windows\system32\dllcache\fusbbase.sys
2009-07-20 00:15 455,680 ac------ c:\windows\system32\dllcache\fus2base.sys
2009-07-20 00:15 442,240 ac------ c:\windows\system32\dllcache\fpnpbase.sys
2009-07-20 00:15 441,728 ac------ c:\windows\system32\dllcache\fpcmbase.sys
2009-07-20 00:15 444,416 ac------ c:\windows\system32\dllcache\fpcibase.sys
2009-07-20 00:15 34,173 ac------ c:\windows\system32\dllcache\forehe.sys
2009-07-20 00:15 71,680 ac------ c:\windows\system32\dllcache\fnfilter.dll
2009-07-20 00:15 27,165 ac------ c:\windows\system32\dllcache\fetnd5.sys
2009-07-20 00:15 22,090 ac------ c:\windows\system32\dllcache\fem556n5.sys
2009-07-20 00:15 24,618 ac------ c:\windows\system32\dllcache\fa410nd5.sys
2009-07-20 00:15 16,074 ac------ c:\windows\system32\dllcache\fa312nd5.sys
2009-07-20 00:13 18,503 ac------ c:\windows\system32\dllcache\epro4.sys
2009-07-20 00:12 28,062 ac------ c:\windows\system32\dllcache\dp83820.sys
2009-07-20 00:11 24,064 ac------ c:\windows\system32\dllcache\devldr32.exe
2009-07-20 00:10 60,970 ac------ c:\windows\system32\dllcache\cpqtrnd5.sys
2009-07-20 00:09 32,256 ac------ c:\windows\system32\dllcache\diapi2NT.dll
2009-07-20 00:08 871,388 ac------ c:\windows\system32\dllcache\bcmdm.sys
2009-07-20 00:07 30,671 ac------ c:\windows\system32\dllcache\ati1raxx.sys
2009-07-20 00:06 12,288 ac------ c:\windows\system32\dllcache\4mmdat.sys
2009-07-20 00:06 689,216 ac------ c:\windows\system32\dllcache\3dfxvs.dll
2009-07-20 00:06 148,352 ac------ c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-20 00:06 762,780 ac------ c:\windows\system32\dllcache\3cwmcru.sys
2009-07-20 00:06 11,264 ac------ c:\windows\system32\dllcache\1394vdbg.sys
2009-07-20 00:06 53,248 ac------ c:\windows\system32\dllcache\1394bus.sys
2009-07-20 00:05 66,048 ac------ c:\windows\system32\dllcache\s3legacy.dll
2009-07-19 23:56 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-07-19 23:38 2,136,064 ac------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-19 23:38 2,015,744 ac------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-19 23:35 272,128 ac------ c:\windows\system32\dllcache\bthport.sys
2009-07-19 23:35 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-07-19 23:28 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-19 23:23 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-19 23:22 <DIR> --d----- c:\docume~1\admini~1\applic~1\Uniblue
2009-07-19 23:22 <DIR> --d----- c:\program files\RegistryBooster
2009-07-19 23:15 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{2840BBCB-9BEC-47F6-BA0F-10D3C34BF151}
2009-07-19 19:42 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-19 19:41 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-19 19:41 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-19 19:41 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-19 19:41 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-19 19:41 <DIR> --d----- c:\program files\Spyware Doctor
2009-07-19 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-07-19 19:41 <DIR> --d----- c:\docume~1\admini~1\applic~1\PC Tools
2009-07-19 19:08 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-07-19 19:06 <DIR> --d----- c:\docume~1\admini~1\applic~1\Panda Security
2009-07-19 18:04 <DIR> --d----- c:\program files\Anti Trojan Elite
2009-07-19 17:59 <DIR> --d----- c:\windows\$hf_mig$
2009-07-18 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-07-16 23:04 <DIR> --d----- c:\program files\Valve
2009-07-16 22:23 <DIR> --d----- c:\program files\Nitro PDF
2009-07-16 02:05 <DIR> --d----- c:\program files\HTTP-Tunnel
2009-07-15 21:35 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-07-15 21:35 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-15 21:35 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-07-15 21:35 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-10 12:54 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-07-10 12:54 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-07-10 12:53 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-07-10 12:53 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-07-08 15:04 <DIR> --d----- c:\program files\Conduit
2009-07-02 05:34 33,840 a------- c:\windows\system32\drivers\HssDrv.sys
2009-06-30 17:14 <DIR> --d----- c:\program files\WinSCP
2009-06-30 16:42 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-06-30 16:42 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-06-30 16:42 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-06-30 16:42 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-06-30 16:42 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-06-30 16:42 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-30 16:42 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-30 16:42 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-30 16:42 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-30 16:42 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-30 16:42 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-06-30 16:42 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-30 11:46 <DIR> --d----- c:\docume~1\admini~1\applic~1\ABBYY
2009-06-30 11:42 <DIR> --d----- c:\program files\common files\ABBYY
2009-06-30 11:38 <DIR> --d----- c:\program files\ABBYY FineReader 9.0
2009-06-30 11:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ABBYY
2009-06-28 22:43 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-28 22:40 <DIR> --d----- c:\windows\system32\Adobe
2009-06-28 14:29 <DIR> --d----- c:\windows\system32\LogFiles
2009-06-25 21:28 <DIR> --dsh--- c:\documents and settings\administrator\UserData
2009-06-25 15:44 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-25 15:43 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-25 15:16 25,472 a------- c:\windows\system32\drivers\tap0901.sys
2009-06-25 12:00 <DIR> --d----- c:\program files\Broadcom
2009-06-25 11:36 <DIR> --d----- c:\docume~1\admini~1\applic~1\tor
2009-06-25 11:35 <DIR> --d----- c:\program files\Vidalia Bundle
2009-06-24 11:03 3,244 a------- c:\windows\system32\wbem\Outlook_01c9f4a23538c704.mof
2009-06-24 10:57 17,920 a------- c:\windows\system32\mdimon.dll
2009-06-24 10:56 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-06-24 10:56 <DIR> --d----- c:\windows\SHELLNEW
2009-06-24 09:43 <DIR> --d----- c:\windows\system32\appmgmt
2009-06-24 09:34 754 a------- c:\windows\ODBC.INI
2009-06-23 21:30 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-06-23 21:28 <DIR> --d--r-- c:\program files\Skype
2009-06-23 11:08 2,308 a------- c:\windows\mozver.dat
2009-06-23 11:01 81,920 a------- c:\windows\system32\Startup.cpl
2009-06-23 10:53 <DIR> --d----- c:\program files\AEDiction
2009-06-23 10:52 6,416 a------- c:\windows\system32\kbdinori.Dll
2009-06-23 10:52 7,440 a------- c:\windows\system32\Kbddll.dll
2009-06-23 10:52 6,928 a------- c:\windows\system32\kbdhebx.Dll
2009-06-23 10:52 6,416 a------- c:\windows\system32\kbdinasa.Dll
2009-06-23 10:52 8,992 a------- c:\windows\system32\kbdbphz.dLL
2009-06-23 10:52 8,992 a------- c:\windows\system32\KBDBPH.dLL
2009-06-23 10:52 6,416 a------- c:\windows\system32\kbdbp.Dll
2009-06-23 10:52 6,416 a------- c:\windows\system32\kbdbds.Dll
2009-06-23 10:52 66,594 a------- c:\windows\system32\C_856.nls
2009-06-23 10:52 45,056 a------- c:\windows\system32\newdll.dll
2009-06-23 10:52 <DIR> --d----- c:\program files\Datecs
2009-06-22 23:38 <DIR> --d----- c:\program files\GRETECH
2009-06-22 23:13 <DIR> --d----- c:\program files\uTorrent
2009-06-22 23:12 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-06-22 21:39 352 a---h--- c:\windows\nod32fixtemdono.reg
2009-06-22 21:37 <DIR> --d----- c:\program files\ESET
2009-06-22 21:31 3,072 ac------ c:\windows\system32\dllcache\audstub.sys
2009-06-22 21:31 3,072 a------- c:\windows\system32\drivers\audstub.sys
2009-06-22 21:29 5,504 ac------ c:\windows\system32\dllcache\intelide.sys
2009-06-22 21:29 5,504 a------- c:\windows\system32\drivers\intelide.sys
2009-06-22 21:29 8,832 ac------ c:\windows\system32\dllcache\wmiacpi.sys
2009-06-22 21:29 8,832 a------- c:\windows\system32\drivers\wmiacpi.sys
2009-06-22 21:29 9,344 ac------ c:\windows\system32\dllcache\compbatt.sys
2009-06-22 21:29 9,344 a------- c:\windows\system32\drivers\compbatt.sys
2009-06-22 21:29 14,080 ac------ c:\windows\system32\dllcache\cmbatt.sys
2009-06-22 21:29 14,080 ac------ c:\windows\system32\dllcache\battc.sys
2009-06-22 21:29 14,080 a------- c:\windows\system32\drivers\CmBatt.sys
2009-06-22 21:29 14,080 a------- c:\windows\system32\drivers\battc.sys
2009-06-22 21:28 <DIR> --d----- c:\program files\common files\ODBC
2009-06-22 21:28 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-22 21:28 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-06-22 21:27 1,086,058 a----r-- c:\windows\SET4.tmp
2009-06-22 21:27 1,042,903 a----r-- c:\windows\SET3.tmp
2009-06-22 21:27 <DIR> --d----- c:\windows\system32\CatRoot2
2009-06-22 21:27 <DIR> --d----- c:\windows\system32\CatRoot
2009-06-22 21:27 <DIR> --d----- C:\Documents and Settings
2009-06-22 21:26 261 a------- c:\windows\system32\$winnt$.inf
2009-06-22 20:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Backup
2009-06-22 19:53 <DIR> --d----- c:\documents and settings\administrator\Bluetooth Software
2009-06-22 19:51 <DIR> --d----- c:\docume~1\admini~1\applic~1\Intel
2009-06-22 19:20 <DIR> --d----- c:\program files\WIDCOMM
2009-06-22 19:19 <DIR> --d----- c:\program files\HPQ
2009-06-22 19:17 <DIR> --d----- c:\program files\Analog Devices
2009-06-22 19:16 <DIR> --d----- c:\program files\Synaptics
2009-06-22 18:38 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-22 18:37 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-22 18:36 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-22 18:35 <DIR> --d----- c:\program files\Online Services
2009-06-22 18:35 <DIR> --d----- c:\program files\Messenger
2009-06-22 18:35 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-22 18:34 <DIR> --d----- c:\program files\Windows NT

==================== Find3M ====================

2009-07-19 02:14 212,480 a------- c:\windows\system32\drivers\ndis.sys
2009-06-22 19:23 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2009-06-22 19:23 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-22 19:07 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-22 18:35 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-06-16 17:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 17:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-03 22:27 1,290,752 a------- c:\windows\system32\quartz.dll
2009-05-13 08:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 18:44 344,064 a------- c:\windows\system32\localspl.dll

============= FINISH: 22:00:30,64 ===============


The GMER log asked for by Extremeboy:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-20 21:51:14
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.15 ----

.reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x864DC200, 0x32BAA, 0xE0000060]
? C:\WINDOWS\system32\drivers\NDIS.sys Access is denied.
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[212] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00BE0001
.text C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe[232] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E90001
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[272] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 037C0001
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[272] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe[632] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E50001
.text C:\WINDOWS\system32\csrss.exe[856] KERNEL32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 015A0001
.text C:\WINDOWS\system32\winlogon.exe[880] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 012B0001
.text C:\WINDOWS\system32\services.exe[924] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01980001
.text C:\WINDOWS\system32\lsass.exe[940] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F90001
.text ...
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[992] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
? C:\WINDOWS\System32\svchost.exe[1056] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dll
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[1100] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00FC0001
.text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00CA0001
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 02490001
.text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1256] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00D70001
.text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00BA0001
.text C:\Documents and Settings\Administrator\Desktop\hh4hup0e.exe[1412] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 006C0001
.text C:\WINDOWS\system32\spoolsv.exe[1716] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F80001
.text C:\WINDOWS\System32\SCardSvr.exe[1760] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 006F0001
? C:\WINDOWS\System32\svchost.exe[2216] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: gdiplus.dllunknown module: OLEAUT32.dll
.text C:\WINDOWS\System32\svchost.exe[2216] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2500] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 011B0001
.text C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe[2516] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00F80001
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2528] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01AF0001
.text C:\WINDOWS\system32\ctfmon.exe[2580] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B70001
.text C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[2664] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00A20001
.text ...
.text C:\WINDOWS\System32\alg.exe[3364] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\explorer.exe[3728] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wscntfy.exe[4424] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D
.text C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE[4844] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00B40001
.text C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE[4844] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 7170003D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\NDIS \Device\Ndis [864E3982] NDIS.sys[.reloc]

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

---- Files - GMER 1.0.15 ----

ADS C:\Program Files\Anti Trojan Elite\tjender.exe :no 25600 bytes executable

---- EOF - GMER 1.0.15 ----


Help?
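The two GMER lines worth reading together are ".reloc C:\WINDOWS\system32\drivers\NDIS.sys section is executable [0x864DC200, 0x32BAA, 0xE0000060]" and "Device \Driver\NDIS \Device\Ndis [864E3982] NDIS.sys[.reloc]": the driver's relocation section carries executable characteristics, and GMER resolves the NDIS device's handler address into that same section. As an added example (not code from the thread, from GMER or from DDS), the Python below parses a PE section table and applies the rule behind that warning, a data section must not be executable, plus a general writable-and-executable check, to a constructed minimal image carrying the log's 0xE0000060 value; reading the bracketed tuple as [address, size, Characteristics] is my interpretation of the GMER output, and check_pe() runs the same check on a real file.

```python
"""Section-table check for the anomaly GMER reported on NDIS.sys above.

Added example for this thread, not code from the original post, GMER or DDS.
build_demo_image() constructs a tiny PE for the demo; check_pe(path) applies
the same rule to a real file such as a copy of ndis.sys.
"""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_DISCARDABLE: "MEM_DISCARDABLE",
    IMAGE_SCN_MEM_EXECUTE: "MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "MEM_READ",
    IMAGE_SCN_MEM_WRITE: "MEM_WRITE",
}
# Sections that carry data, never code, in a normally linked image.
DATA_SECTIONS = {".reloc", ".rsrc", ".data", ".rdata", ".idata", ".edata"}
# Last bracketed value in the GMER line ".reloc ... [0x864DC200, 0x32BAA, 0xE0000060]",
# read here (my interpretation of the GMER layout) as the section's Characteristics DWORD.
GMER_RELOC_CHARACTERISTICS = 0xE0000060


def decode_characteristics(value):
    """Return the names of the known flag bits set in a Characteristics DWORD."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_sections(image):
    """Walk the DOS and NT headers of an in-memory PE image and yield
    (name, virtual_size, virtual_address, characteristics) per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    offset = coff + 20 + opt_size  # section table follows the optional header
    for _ in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        fields = struct.unpack_from("<8sIIIIIIHHI", image, offset)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        yield name, fields[1], fields[2], fields[9]
        offset += 40


def suspicious_sections(image):
    """Apply the rule behind GMER's 'Kernel code sections' warning: a data
    section must not be executable. Writable-and-executable sections are
    flagged too, since a normally linked driver has no W+X section."""
    findings = []
    for name, _vsize, _vaddr, chars in parse_sections(image):
        reasons = []
        if name in DATA_SECTIONS and chars & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("data section is executable")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if reasons:
            findings.append((name, hex(chars), decode_characteristics(chars), reasons))
    return findings


def check_pe(path):
    """Run the check against a PE file on disk (e.g. a copy of ndis.sys)."""
    with open(path, "rb") as fh:
        return suspicious_sections(fh.read())


def build_demo_image():
    """Construct a minimal PE skeleton: a normal .text section plus a .reloc
    section with the Characteristics value from the GMER log. Sizes and
    addresses are made up for the demo; the optional header is left empty."""
    def section(name, vsize, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                           0, 0, 0, 0, 0, 0, chars)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # PE signature + IMAGE_FILE_HEADER: i386, two sections, SizeOfOptionalHeader 0
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    text = section(b".text", 0x2E000, 0x1000,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc = section(b".reloc", 0x32BAA, 0x30000, GMER_RELOC_CHARACTERISTICS)
    return dos + nt + text + reloc


if __name__ == "__main__":
    print("0xE0000060 decodes to", decode_characteristics(GMER_RELOC_CHARACTERISTICS))
    for name, chars, flags, reasons in suspicious_sections(build_demo_image()):
        print(f"{name}: {chars} {flags} -> {'; '.join(reasons)}")
```

A stock .reloc section decodes to CNT_INITIALIZED_DATA, MEM_DISCARDABLE and MEM_READ only; the value in the log adds CNT_CODE, MEM_EXECUTE and MEM_WRITE, which is why the section is reported.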


#2 extremeboy (Malware Response Team)

Posted 21 July 2009 - 10:14 AM

Hello.

I hope your Catroot folder is not broken.

Anyways, please delete Combofix you currently have. If you don't have it, then follow the instructions below. If you do, delete it and then continue with the steps below.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Re-run GMER with the settings like before

Please re-run GMER like last time with the same settings. Refer back to the Am I Infected forum where I requested you to run GMER for instructions.

Post the Combofix and GMER log in your next reply please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 extremeboy (Malware Response Team)

Posted 26 July 2009 - 05:18 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
