
Rootkit.agent


  • This topic is locked
10 replies to this topic

#1 JDW73

JDW73

  • Members
  • 6 posts
  • OFFLINE
  • Local time:03:25 AM

Posted 08 August 2010 - 10:07 AM

I administer my nephew's PC and irregularly come by and scan it for infections using Malwarebytes, Spybot S&D and Ad-Aware. I normally find a few trojans and misc. malware and greyware. I can fix these and remove them in most cases using available software like Killbox, Malwarebytes, Spybot S&D, Panda ActiveScan, and a few others like HouseCall.
He seems to have contracted Rootkit.agent, which is a royal pain to get rid of. I have used Malwarebytes, which says it finds and removes it, but upon further scans after reboots it appears again. I tried to disable System Restore to make sure it wasn't hiding in memory or the recovery log. That didn't work. So off to Google I went looking for an answer, and after a lot of reading it seems I need some real professional help. I came upon this site as it was in the top 10 searched sites, and a few of the other sites all referred people to this one. He is running Windows Vista on a refurbished Compaq Presario business system which has worked really well and continues to do so. The only hitch is that it has a rootkit installed. He would have never known if I hadn't come by to do maintenance on his rig. I read through the help given to others and I have compiled a list of all acceptable logs and will post here. I have removed a few different Trojans and many misc. malware. Threads I have read suggest using Combofix under the supervision of someone who is familiar with its applications, which I am not, so here I am.
Malwarebytes is the only software that seems to be picking this Rootkit.agent up in its scan and says it is removing it, but upon reboot it reappears.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4363

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/29/2010 11:10:48 AM
mbam-log-2010-07-29 (11-10-48).txt

Scan type: Quick scan
Objects scanned: 135197
Time elapsed: 6 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\ptmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


I have an HJT log as well
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:55:35 PM, on 7/29/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Users\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portal.wowway.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7785 bytes

I also have the archived report made by GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-29 22:17:37
Windows 6.0.6002 Service Pack 2
Running: 4d9ukdxe.exe; Driver: C:\Users\Owner\AppData\Local\Temp\kglcapow.sys


---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\ptmgs.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CC0F320, 0x3DE2A7, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74737817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7478A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7473BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7472F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [747375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7472E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74768395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7473DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7472FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7472FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [747271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [747BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7475C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7472D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74726853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7472687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74732AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8699ECB8

AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] ptmgs <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet005\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet005\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet005\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet007\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet007\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet007\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet007\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet008\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet008\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet008\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet008\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet009\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet009\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet009\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet009\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet010\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet010\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet010\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet010\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet011\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet011\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet011\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet011\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet012\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet012\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet012\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet012\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet013\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet013\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet013\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet013\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet014\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet014\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet014\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet014\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet015\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet015\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet015\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet015\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet016\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet016\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet016\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet016\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet017\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet017\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet017\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet017\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet018\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet018\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet018\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet018\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet019\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet019\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet019\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet019\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet020\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet020\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet020\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet020\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet021\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet021\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet021\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet021\Services\ptmgs@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet022\Services\ptmgs@Type 1
Reg HKLM\SYSTEM\ControlSet022\Services\ptmgs@Start 0
Reg HKLM\SYSTEM\ControlSet022\Services\ptmgs@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet022\Services\ptmgs@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

And the attach doc is attached.

And here is the DDS doc.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:07:04.76 on Thu 07/29/2010
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.996 [GMT -4:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://portal.wowway.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-28 64288]
R3 HSXHWBS3;HSXHWBS3;c:\windows\system32\drivers\HSXHWBS3.sys [2008-2-12 207360]
R3 NdisrdMP;NdisrdMP;c:\windows\system32\drivers\Ndisrd.sys [2009-8-27 22016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-25 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 Ndisrd;WinpkFilter Service;c:\windows\system32\drivers\Ndisrd.sys [2009-8-27 22016]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-29 15:27:24 0 d-----w- c:\program files\CCleaner
2010-07-29 14:59:45 122 ----a-w- c:\windows\wininit.ini
2010-07-29 00:10:24 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-28 21:16:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-28 21:16:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-28 20:52:41 0 dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-26 04:20:25 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-26 01:44:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 01:44:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 01:44:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 01:15:48 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-25 23:25:21 0 d-----w- c:\programdata\Sun
2010-07-25 23:24:23 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 07:02:53 183 ----a-w- c:\windows\system32\MRT.INI
2010-07-14 07:02:53 0 d-----w- c:\windows\system32\MpEngineStore
2010-07-02 11:07:30 0 d-----w- c:\program files\iPod
2010-07-02 11:07:20 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-02 11:07:20 0 d-----w- c:\program files\iTunes
2010-07-02 11:00:13 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-07-30 03:07:05 860672 ----a-w- c:\windows\system32\drivers\ptmgs.sys
2010-07-02 11:02:03 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-02 11:02:02 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-02 11:02:02 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-11-21 02:43:23 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-15 14:03:44 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 23:08:20.47 ===============
Well, the attach file won't upload; it says I'm not allowed to upload this type of file.

#2 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 08 August 2010 - 10:58 AM

Hi, JDW73

Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#3 JDW73
  • Topic Starter
  • Members
  • 6 posts

Posted 08 August 2010 - 02:37 PM

OK, so I ran rkill. Then Combofix and when it rebooted I copied the log to the desktop. That's when I discovered I no longer had an internet connection. It tells me now I have a Networking Controller driver or hardware issue. It also prompts me to make sure my IP protocol bindings are correctly configured. As far as I can tell the settings are all correct. My PC has internet connectivity and is what I'm sending this reply with.

#4 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 08 August 2010 - 04:30 PM

Go to Start (Vista orb)->Type CMD and press Ctrl+Shift+Enter. That should bring the Administrator MSDOS Window. At the command prompt, type the following and press Enter after each line:


netsh int ip reset C:\Resetlog.txt
netsh winsock reset catalog
ipconfig /flushdns
(The space between g and / is needed)
Exit

Restart the computer.

Retry your connection.

If that does not resolve the issue, is there a way to transfer the Combofix log to a flash drive, for example, post or attach it in your next reply? You can also try SafeMode with Networking to have access to the internet.



#5 JDW73
  • Topic Starter
  • Members
  • 6 posts

Posted 08 August 2010 - 04:43 PM

I think I got it now. I ran Combofix and it reset all the TCP/IP functions in Vista; I just needed to uncheck a few boxes and it's up and running. I have the logs here now.
ComboFix 10-08-07.02 - Owner 08/08/2010 14:09:12.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1365 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Uninstall
c:\users\Owner\g2mdlhlpx.exe
c:\windows\system32\%appdata%
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\drivers\ptmgs.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ndisapi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Ndisrd
-------\Legacy_ptmgs
-------\Service_NdisrdMP
-------\Service_ptmgs


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-05 22:49 . 2010-08-05 22:49 -------- d-----w- c:\windows\system32\RTCOM
2010-08-05 22:49 . 2010-08-05 22:49 -------- d-----w- c:\program files\Realtek
2010-08-05 22:45 . 2010-08-05 22:46 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-29 15:27 . 2010-07-29 15:27 -------- d-----w- c:\program files\CCleaner
2010-07-29 00:10 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-28 21:16 . 2010-07-12 08:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-28 21:16 . 2010-07-28 21:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-28 20:53 . 2010-07-28 20:53 -------- d-----w- c:\users\Owner\AppData\Local\Sunbelt Software
2010-07-28 20:52 . 2010-07-28 20:52 -------- dc-h--w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-26 06:32 . 2010-07-26 06:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-26 01:44 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-26 01:44 . 2010-07-26 01:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-26 01:44 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 01:15 . 2010-07-26 01:15 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-07-25 23:24 . 2010-07-25 23:24 -------- d-----w- c:\program files\Common Files\Java
2010-07-25 23:24 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-14 07:02 . 2010-07-26 01:09 -------- d-----w- c:\windows\system32\MpEngineStore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 18:17 . 2010-08-06 21:26 34901 ----a-w- c:\programdata\nvModes.dat
2010-08-08 03:38 . 2009-01-23 02:12 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-08-05 23:47 . 2009-01-22 18:45 -------- d-----w- c:\programdata\NVIDIA
2010-08-01 15:45 . 2009-01-22 18:54 -------- d-----w- c:\users\Derek\AppData\Roaming\uTorrent
2010-07-29 15:29 . 2009-01-22 18:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-29 15:13 . 2010-02-28 13:52 -------- d-----w- c:\programdata\Norton
2010-07-29 15:05 . 2010-03-11 22:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-29 15:00 . 2010-01-11 23:01 -------- d-----w- c:\program files\Yahoo!
2010-07-29 01:13 . 2009-01-22 18:01 1356 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-07-28 20:52 . 2009-01-22 19:04 -------- d-----w- c:\programdata\Lavasoft
2010-07-28 20:52 . 2009-01-22 19:04 -------- d-----w- c:\program files\Lavasoft
2010-07-26 03:28 . 2010-02-24 01:09 -------- d-----w- c:\users\Owner\AppData\Roaming\Paladin Antivirus
2010-07-26 01:17 . 2009-01-23 00:56 -------- d-----w- c:\program files\Windows Live
2010-07-26 00:29 . 2009-11-29 17:36 -------- d-----w- c:\program files\Google
2010-07-25 23:24 . 2009-01-22 19:34 -------- d-----w- c:\program files\Java
2010-07-25 23:24 . 2009-01-22 19:50 -------- d-----w- c:\users\Owner\AppData\Roaming\uTorrent
2010-07-14 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-12 08:56 . 2010-07-28 20:52 2979280 -c--a-w- c:\programdata\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-09 18:41 . 2010-02-17 12:32 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2010-07-04 22:34 . 2010-07-04 22:34 -------- d-----w- c:\users\Derek\AppData\Roaming\Apple Computer
2010-07-02 11:07 . 2010-07-02 11:07 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-02 11:07 . 2010-07-02 11:07 -------- d-----w- c:\program files\iTunes
2010-07-02 11:07 . 2010-07-02 11:07 -------- d-----w- c:\program files\iPod
2010-07-02 11:07 . 2010-02-17 12:26 -------- d-----w- c:\program files\Common Files\Apple
2010-07-02 11:05 . 2010-07-02 11:04 -------- d-----w- c:\program files\QuickTime
2010-07-02 11:00 . 2010-07-02 11:00 -------- d-----w- c:\program files\Bonjour
2010-07-02 10:58 . 2010-07-02 10:58 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-02 10:57 . 2010-07-02 10:57 -------- d-----w- c:\program files\Safari
2010-07-02 10:56 . 2010-07-02 10:56 71992 ----a-w- c:\programdata\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
2010-07-02 10:54 . 2010-02-17 12:26 -------- d-----w- c:\programdata\Apple
2010-06-26 07:01 . 2010-06-26 07:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 14:06 . 2010-06-23 14:06 501936 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbA713.tmp.exe
2010-06-19 18:05 . 2009-10-13 22:52 -------- d-----w- c:\program files\Ask.com
2010-05-26 17:06 . 2010-06-09 21:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 21:48 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-23 16:34 . 2009-01-22 18:17 680 ----a-w- c:\users\Derek\AppData\Local\d3d9caps.dat
2010-05-21 18:14 . 2009-10-02 19:18 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 19:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-07-12 08:55 864112 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-17 21:10 135664 ----atw- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 20:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 02:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(8):c4,89,3b,c4,62,56,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-12 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-07-12 1352832]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1506235850-800629805-2041374827-1000Core.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-17 21:10]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1506235850-800629805-2041374827-1000UA.job
- c:\users\Owner\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-17 21:10]

2010-08-08 c:\windows\Tasks\User_Feed_Synchronization-{C173D203-C0D4-4A78-AF99-34CAF6F6D1B9}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.wowway.net/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-08 14:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2010-08-08 14:25:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 18:25

Pre-Run: 139,325,284,352 bytes free
Post-Run: 139,629,735,936 bytes free

- - End Of File - - DB863D48AF1087AE4EEE34DA766F7C8B





I ran Malwarebytes again after this ran and found no infections and no rootkit activity.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4363

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

8/8/2010 4:28:38 PM
mbam-log-2010-08-08 (16-28-38).txt

Scan type: Quick scan
Objects scanned: 136609
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I really appreciate all the help so far.
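The DDS and ComboFix logs posted in this thread are plain text, and the entries that mattered here (a fresh driver under system32\drivers, a folder literally named %APPDATA% under system32, and a browser proxy pointing at 127.0.0.1) can be picked out mechanically. The script below is an added example for this thread, not a tool from BleepingComputer, DDS or ComboFix: it parses the two line shapes seen in the logs above and reports candidate entries. The sample lines are constructed from this thread's logs, the scan time is assumed, and the regular expressions are my reconstruction of the log formats.

```python
"""Triage helper for DDS / ComboFix file listings (added example, not the
tools' own code).  Recognises two line shapes from the logs in this thread:

  DDS  "Created Last 30" / "Find3M":
    2010-07-30 03:07:05 860672 ----a-w- c:\\windows\\system32\\drivers\\ptmgs.sys
  ComboFix "Files Created" / "Find3M Report":
    2010-07-28 21:16 . 2010-07-28 21:16 95024 ----a-w- c:\\windows\\system32\\drivers\\SBREDrv.sys

plus the "Internet Settings,ProxyServer" line from the Supplementary Scan.
"""
import re
from datetime import datetime, timedelta

# DDS entry: date time(with seconds) size attrs path
DDS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")
# ComboFix entry: created . modified size-or-dashes attrs path
CFX_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+(\S{8})\s+(.+)$")
# Supplementary-scan proxy line (the leading 'u' marks a per-user setting)
PROXY_RE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(.+)$")

DRIVER_DIR = "\\system32\\drivers\\"


def parse_entry(line):
    """Return (created, size_or_None, attrs, path) for a file-listing line,
    or None for any other line (headers, separators, scan chatter)."""
    line = line.strip()
    m = DDS_RE.match(line)
    if m:
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        return created, int(m.group(2)), m.group(3), m.group(4)
    m = CFX_RE.match(line)
    if m:
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = None if m.group(3).startswith("-") else int(m.group(3))
        return created, size, m.group(4), m.group(5)
    return None


def triage(lines, scan_time, recent_days=30):
    """Apply three simple rules; returns {reason: [paths or values]}."""
    findings = {"recent_driver": [], "odd_system32_dir": [], "loopback_proxy": []}
    cutoff = scan_time - timedelta(days=recent_days)
    for line in lines:
        pm = PROXY_RE.match(line.strip())
        if pm:
            value = pm.group(1)
            # A proxy on the loopback address puts a local process in the
            # path of all browser traffic; confirm the user installed it.
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings["loopback_proxy"].append(value)
            continue
        entry = parse_entry(line)
        if entry is None:
            continue
        created, _size, _attrs, path = entry
        lower = path.lower()
        # Rule 1: a kernel driver created shortly before the scan.  Most
        # legitimate drivers are old; ptmgs.sys here was about a week old.
        if DRIVER_DIR in lower and lower.endswith(".sys") and created >= cutoff:
            findings["recent_driver"].append(path)
        # Rule 2: a directory under system32 whose name is a literal
        # environment-variable token; Windows does not create these.
        if "\\system32\\%" in lower:
            findings["odd_system32_dir"].append(path)
    return findings


# Constructed sample taken from the logs posted above (scan time assumed).
SAMPLE_LOG = """\
2010-07-30 03:07:05 860672 ----a-w- c:\\windows\\system32\\drivers\\ptmgs.sys
2010-07-26 04:20:25 0 d-sh--w- c:\\windows\\system32\\%APPDATA%
2010-05-04 05:59:21 916480 ----a-w- c:\\windows\\system32\\wininet.dll
2010-07-28 21:16 . 2010-07-28 21:16 95024 ----a-w- c:\\windows\\system32\\drivers\\SBREDrv.sys
2010-07-29 15:27 . 2010-07-29 15:27 -------- d-----w- c:\\program files\\CCleaner
scan completed successfully
uInternet Settings,ProxyServer = http=127.0.0.1:5577
"""
SCAN_TIME = datetime(2010, 8, 8, 14, 9)  # assumed, matches the ComboFix run above

if __name__ == "__main__":
    for reason, items in triage(SAMPLE_LOG.splitlines(), SCAN_TIME).items():
        for item in items:
            print(f"{reason:18} {item}")
```

The rules produce candidates, not verdicts: SBREDrv.sys is flagged as a recent driver too, and it is the Sunbelt driver that arrived with the Ad-Aware install the same week. The value of the script is narrowing a 400-line log to a handful of entries that a helper then checks by hand.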

#6 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 08 August 2010 - 04:56 PM

The logs look clear. The rootkit has been nuked. Let's scan for remnants.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following are checked
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21 .
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation ( jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")

You don't have an antivirus program. I would recommend AVAST.



#7 JDW73
  • Topic Starter
  • Members
  • 6 posts

Posted 09 August 2010 - 07:37 PM

I found a few different things with Kaspersky.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 9, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, August 08, 2010 17:25:39
Records in database: 4132801
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 136862
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:47:45


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ptmgs.sys.vir Infected: Rootkit.Win32.Agent.bdkq 1
C:\Qoobox\Quarantine\C\Windows\System32\drivers\_ptmgs_.sys.zip Infected: Rootkit.Win32.Agent.bdkq 1
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\541a9557-364c7d2c Infected: Exploit.Java.Agent.f 1
C:\Users\Owner\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\541a9557-364c7d2c Infected: Trojan-Downloader.Java.OpenStream.ad 1

Selected area has been scanned.




After installing and scanning with Avast, it found a rootkit and successfully deleted it.
C:\Qoobox\Quarantine\C\Windows\System32\drivers\ptmgs.sys.vir
This no longer is found after repeated scans with Avast and rebooting.
The last 3 there are not being detected or removed with any of the current software I have available. Kaspersky is the only scan that has produced those results.

#8 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 August 2010 - 09:35 PM

The files in the Qoobox folder are files quarantined by Combofix. Let's do some housekeeping.

Rename Combofix to Uninstall and click on it. That will remove the application along with its related folders and files.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

How is it doing?




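The point made in the reply above is worth automating: a scanner hit under C:\Qoobox\Quarantine is a copy ComboFix has already neutralised, and a hit in the Java deployment cache is a downloaded applet sitting in a cache rather than an installed component. Both still need cleaning up (uninstalling ComboFix and running TFC took care of them here), but neither is evidence of an active infection. The script below is an added example for this thread, not Kaspersky's or BleepingComputer's code. It parses the "File name / Threat / Threats count" lines of the Kaspersky report posted above and sorts each detection by where the file lives; it goes slightly beyond the thread by also recognising the Temporary Internet Files and System Volume Information (restore point) folders, two other places where scanners routinely report inert copies. The sample report is constructed from the scan above plus one made-up "live" line.

```python
"""Sort scanner detections by location: live file vs. contained copy.
Added example for this thread; not Kaspersky's or BleepingComputer's code."""
import re

# Kaspersky Online Scanner 7.0 report line:
#   <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Location classes, checked in order; first match wins.  Windows paths are
# case-insensitive, so the patterns are compiled with IGNORECASE.
LOCATION_RULES = [
    ("combofix_quarantine", r"^[a-z]:\\qoobox\\quarantine\\"),
    ("java_cache",          r"\\sun\\java\\deployment\\cache\\"),
    ("ie_temp_files",       r"\\temporary internet files\\"),
    ("system_restore",      r"\\system volume information\\"),
]
COMPILED_RULES = [(name, re.compile(pat, re.IGNORECASE))
                  for name, pat in LOCATION_RULES]


def classify_path(path):
    """Return the location class for a detected file, or 'live' if it is
    not in any of the quarantine/cache locations above."""
    for name, rx in COMPILED_RULES:
        if rx.search(path):
            return name
    return "live"


def parse_report(text):
    """Return [(path, threat, count, location)] for each detection line;
    headers, statistics and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        out.append((path, m.group("threat"), int(m.group("count")),
                    classify_path(path)))
    return out


def summarize(text):
    """Split detections into those that still need investigation ('live')
    and those that are already contained copies ('contained')."""
    summary = {"live": [], "contained": []}
    for path, threat, _count, loc in parse_report(text):
        bucket = "live" if loc == "live" else "contained"
        summary[bucket].append((loc, threat, path))
    return summary


# Constructed sample: the four lines from the Kaspersky report in this
# thread plus one invented live detection to show the other branch.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\drivers\\ptmgs.sys.vir Infected: Rootkit.Win32.Agent.bdkq 1
C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\drivers\\_ptmgs_.sys.zip Infected: Rootkit.Win32.Agent.bdkq 1
C:\\Users\\Owner\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\23\\541a9557-364c7d2c Infected: Exploit.Java.Agent.f 1
C:\\Users\\Owner\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\23\\541a9557-364c7d2c Infected: Trojan-Downloader.Java.OpenStream.ad 1
C:\\Windows\\System32\\drivers\\constructed_live.sys Infected: Rootkit.Win32.Agent.bdkq 1

Selected area has been scanned.
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for bucket in ("live", "contained"):
        print(f"== {bucket} ({len(result[bucket])}) ==")
        for loc, threat, path in result[bucket]:
            print(f"  [{loc}] {threat}: {path}")
```

On the report from this thread the "live" bucket comes out empty, which is the same conclusion the helper reached by eye: clean up the quarantine folder and the Java cache, then confirm with a fresh scan.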


#9 JDW73
  • Topic Starter
  • Members
  • 6 posts

Posted 10 August 2010 - 07:33 PM

I uninstalled Combofix and used TFC and removed over 130MB of temp folders. Ran Avast with boot-time scan and it removed the rest of everything I had left in the system. After that I rebooted and ran a scan with Kaspersky online scanner 7.0 and it came up clean. I believe all of the remnants of everything I used and had so far is all gone. I really really appreciate all the help and Kudos to your knowledge in helping me out. I don't believe I could have managed to find or be comfortable using all the different software you employed and felt comfortable following your instructions every step of the way. This has been a really enjoyable learning experience and I will direct anyone else I know that is competent enough to follow the steps given to this site in the future if they need a helping hand.
Thank you so very much!!

#10 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 10 August 2010 - 08:14 PM

You are Welcome.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  4. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  5. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  6. ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!



#11 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,698 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 August 2010 - 11:14 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.






