
Rootkit.Agent: ntndis.sys & ipsecndis.sys



#1 TAG_ScorpioN

  • Members
  • 1 posts

Posted 05 August 2010 - 02:31 AM

Malwarebytes found two rootkit agents on my computer which it can't remove:

C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.


I found a topic about the same rootkit explaining these rootkits can be very dangerous because they log your keystrokes to gain access to passwords. That user was advised to run ComboFix and I went ahead and used it too. It seemed to work at first because it finds the rootkits and removes them but after a reboot they still come back. It also found something else in my registry called "yujzoy".

The log from ComboFix is below, I hope somebody can advise me what to do.


ComboFix 10-08-04.04 - Alarik 08/05/2010 2:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1680 [GMT 2:00]
Running from: c:\documents and settings\Alarik\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 00:26 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-05 00:26 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-05 00:26 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-05 00:26 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-05 00:26 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-05 00:26 . 2010-08-05 00:26 -------- d-----w- c:\program files\Alwil Software
2010-08-05 00:24 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-05 00:24 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-05 00:24 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-05 00:24 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-04 22:05 . 2010-08-04 22:05 -------- d-----w- c:\documents and settings\Alarik\Application Data\Malwarebytes
2010-08-04 22:05 . 2010-08-04 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-04 22:05 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 22:05 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 21:45 . 2010-08-04 21:45 -------- d-----w- c:\program files\Enigma Software Group
2010-08-04 21:45 . 2010-08-04 22:14 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-08-04 19:27 . 2010-08-04 19:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-08-04 16:10 . 2010-08-04 23:07 -------- d-----w- c:\documents and settings\Alarik\Local Settings\Application Data\laplcfpwd
2010-08-04 16:10 . 2010-08-05 00:41 782848 ----a-w- c:\windows\system32\drivers\yujzoy.sys
2010-08-04 16:10 . 2010-08-04 23:07 -------- d-----w- c:\documents and settings\Alarik\Application Data\53399CEEF270C1B17EF4072D7E3A217F
2010-07-30 14:35 . 2010-07-30 14:35 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-30 14:35 . 2010-07-30 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-07-30 14:35 . 2010-07-30 14:35 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-30 14:35 . 2010-07-30 14:35 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-30 14:35 . 2010-07-30 14:36 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-30 14:34 . 2010-07-09 22:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-30 14:34 . 2010-07-09 22:38 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-30 14:34 . 2010-07-09 22:38 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-30 14:34 . 2010-07-09 22:38 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-30 14:34 . 2010-07-09 22:38 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-30 14:28 . 2010-07-30 14:40 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-30 14:14 . 2010-07-30 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-30 10:15 . 2010-07-30 14:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-25 08:10 . 2010-07-25 08:10 -------- d-----w- c:\documents and settings\Alarik\Application Data\AVS4YOU
2010-07-25 08:10 . 2010-07-25 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-07-25 08:10 . 2010-08-04 22:45 -------- d-----w- c:\program files\AVS4YOU
2010-07-25 08:10 . 2010-08-04 22:45 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-25 08:10 . 2008-08-13 09:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-07-25 08:10 . 2008-08-13 09:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-07-25 08:10 . 2008-08-13 09:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 00:26 . 2010-02-11 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-05 00:12 . 2009-02-28 17:39 -------- d-----w- c:\documents and settings\Alarik\Application Data\uTorrent
2010-08-04 22:16 . 2008-06-04 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 21:44 . 2007-09-11 13:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-04 16:14 . 2004-08-03 22:14 211072 -c--a-w- c:\windows\system32\drivers\ndis.sys
2010-08-01 17:49 . 2009-11-26 17:29 -------- d-----w- c:\documents and settings\Alarik\Application Data\vlc
2010-07-24 09:37 . 2010-04-05 06:41 -------- d-----w- c:\program files\uTorrent
2010-07-09 22:38 . 2008-08-31 17:01 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:38 . 2008-05-16 12:01 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2008-05-16 12:01 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38 . 2008-05-16 12:01 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38 . 2008-05-16 12:01 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38 . 2008-05-16 12:01 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38 . 2007-04-20 04:05 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38 . 2007-04-20 04:05 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-07-07 11:46 . 2008-08-31 17:01 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-07-03 09:43 . 2010-07-03 09:43 -------- d-----w- c:\program files\AviSynth 2.5
2010-07-03 09:32 . 2010-07-03 09:32 -------- d-----w- c:\documents and settings\Alarik\Application Data\AnvSoft
2010-05-22 12:33 . 2010-05-22 12:33 503808 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\msvcp71.dll
2010-05-22 12:33 . 2010-05-22 12:33 499712 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\jmc.dll
2010-05-22 12:33 . 2010-05-22 12:33 348160 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\msvcr71.dll
2010-05-22 12:33 . 2010-05-22 12:33 61440 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b784064-n\decora-sse.dll
2010-05-22 12:33 . 2010-05-22 12:33 12800 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b784064-n\decora-d3d.dll
2010-05-15 20:39 . 2010-05-15 20:39 2095 ----a-w- c:\documents and settings\Alarik\Application Data\.purple\certificates\x509\tls_peers\login.live.com
.

------- Sigcheck -------

[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-05_00.05.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-08-05 00:39 . 2010-08-05 00:39 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2010-08-05 00:39 . 2010-08-05 00:39 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
- 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Shortcut to AlwaysOnTopMaker.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Shortcut to AlwaysOnTopMaker.lnk
backup=c:\windows\pss\Shortcut to AlwaysOnTopMaker.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Shortcut to rbtray.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Shortcut to rbtray.lnk
backup=c:\windows\pss\Shortcut to rbtray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2006-11-16 09:05 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- e:\adobe reader\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2007-01-11 21:39 1423360 ----a-w- e:\asus\AI Suite\AiNap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-12-29 01:54 363008 -c--a-r- c:\program files\ASUS\AASP\1.00.24\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-02-05 21:26 75048 ------w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
2007-06-30 14:42 499712 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-03 08:01 133104 ----atw- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-05-11 09:47 151552 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-25 23:10 142120 ----a-w- e:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 -c----r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]
2007-01-05 15:36 2129920 ----a-w- e:\asus\PC Probe II\Probe2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 14:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 10:32 81920 ----a-w- e:\ntune\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 14:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- e:\poweriso\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- e:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- e:\tomtom home 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-07-24 09:26 327472 ----a-w- E:\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 18:05 204288 -c--a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"e:\\SiSoftware Sandra Professional Business XII\\Win32\\RpcDataSrv.exe"=
"e:\\SiSoftware Sandra Professional Business XII\\RpcSandraSrv.exe"=
"e:\\Fear\\FEAR.exe"=
"e:\\Supreme Commander\\Forged Alliance\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"e:\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\CoD4\\iw3mp.exe"=
"e:\\uTorrent.exe"=
"e:\\Mass Effect\\Binaries\\MassEffect.exe"=
"e:\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/5/2010 02:26 165456]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/10/2010 22:49 10384]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [4/10/2010 20:55 19072]
R2 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [11/13/2009 13:31 92008]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 drltbgtk;Bluetooth Radio USB Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 01:56 14336]
S2 gupdate1c9d9f02cc2ff08;Google Update Service (gupdate1c9d9f02cc2ff08);c:\program files\Google\Update\GoogleUpdate.exe [5/21/2009 10:43 133104]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\Alarik\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\Alarik\LOCALS~1\Temp\TCCpuInfo.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/23/2007 21:19 639224]

--- Other Services/Drivers In Memory ---

*Deregistered* - yujzoy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
drltbgtk
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 08:43]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 08:43]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1214440339-725345543-1003Core.job
- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 08:01]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1214440339-725345543-1003UA.job
- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - e:\micros~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alarik\Application Data\Mozilla\Firefox\Profiles\vcullzh8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

---- FIREFOX POLICIES ----
// Last value in milliseconds (default is 250)
FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.interval - 100
FF - user.js: content.notify.backoffcount - 200
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-connections - 60
FF - user.js: network.http.max-connections-per-server - 32
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 0.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yujzoy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1214440339-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f2,d6,11,e9,2a,45,7c,69,d6,e9,83,18,30,3a,d2,1e,4b,fd,82,27,c2,53,d0,
32,a3,c6,51,21,79,20,bc,8b,c4,19,5a,b8,6e,84,2b,03,1c,2a,2f,70,23,a8,ec,83,\
"??"=hex:ad,67,88,63,89,a2,a9,d1,0e,ea,92,15,89,e2,aa,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-08-05 02:41:54
ComboFix-quarantined-files.txt 2010-08-05 00:41
ComboFix2.txt 2010-08-05 00:14
ComboFix3.txt 2010-08-05 00:06

Pre-Run: 2,060,931,072 bytes free
Post-Run: 2,160,308,224 bytes free

- - End Of File - - BA319FCA0FA0A2CB4E40BB36FA17CB04



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 13 August 2010 - 07:25 AM

Hello TAG_ScorpioN

Welcome to BleepingComputer
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    ndis.sys /md5
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



