There is TR/rootkit.gen in system32/drivers/mkuftbpt.sys. Avira is not able to remove it permanently. My internet speed has also slowed down drastically. Please help.
Also please find below the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:52 PM, on 3/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...9&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
--
End of file - 4759 bytes
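A first pass over a HijackThis log is mostly about sorting entries into the ones that need a decision (orphaned hooks, an unexpected proxy, the DNS servers, a search provider pointed at a toolbar domain) and the ones that are routine. The script below is an added example written for this page; it is not part of HijackThis and not something the thread's participants posted. It parses the R*/O* lines and buckets them. The sample lines are copied from the first log above (a subset, not the full log), and the list of search-override hosts is an assumption chosen for the example. An orphan entry ("(no file)" / "(file missing)") is a left-over registration rather than evidence of active malware, and an O10 "unknown" LSP verdict only means the file is not on HijackThis' whitelist, so verify the file before removing it.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the first HijackThis log
# in this thread. Not a full log.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...9&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Every HijackThis finding line starts with its section code (R0..R3, O1..O24).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Assumption for this example: hosts that indicate a search-provider override
# worth reviewing. Not an authoritative blocklist.
SEARCH_OVERRIDE_HOSTS = ("toolbar.ask.com",)


def parse_entries(text):
    """Yield (kind, body) for each R*/O* line; headers and the process list are skipped."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def triage(text):
    """Return (category, kind, body) for every entry that needs a human decision."""
    findings = []
    for kind, body in parse_entries(text):
        if body.endswith(ORPHAN_MARKERS):
            # Registration points at a file that no longer exists: clean-up candidate.
            findings.append(("orphan", kind, body))
        elif kind == "O10" and "Unknown file in Winsock LSP" in body:
            # Not whitelisted by HijackThis; verify the DLL before touching the LSP chain.
            findings.append(("lsp", kind, body))
        elif kind == "O17" and "NameServer" in body:
            # DNS servers per adapter: confirm they belong to the ISP/office network.
            findings.append(("dns", kind, body))
        elif kind == "R1" and "ProxyServer" in body:
            # A proxy the owner did not set would route all IE traffic elsewhere.
            findings.append(("proxy", kind, body))
        elif kind.startswith("R") and any(h in body for h in SEARCH_OVERRIDE_HOSTS):
            findings.append(("search-override", kind, body))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(cat for cat, _, _ in findings)


if __name__ == "__main__":
    for cat, kind, body in triage(SAMPLE_LOG):
        print(f"{cat:16} {kind:4} {body}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

The proxy entry (10.106.24.73:8080) and the O17 NameServer lines are not malicious by themselves; they are listed so the owner can confirm they match the network the machine actually uses. To run it on a real log, call triage() with the full log text instead of SAMPLE_LOG.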
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Make sure you re-enable your security programs when you're done with Combofix.
DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Hi, please find the Combofix and HJT logs as asked by you.
ComboFix 10-03-07.04 - Phanindra Duddu 03/08/2010 13:43:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.592 [GMT 5.5:30]
Running from: c:\documents and settings\Phanindra Duddu\Desktop\ComboFix.exe
Command switches used :: and Settings\Phanindra Duddu\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Phanindra Duddu\csrss.exe
c:\recycler\S-1-5-21-0839501349-3184979542-608879323-1474
c:\recycler\S-1-5-21-1151398439-7828633754-563755993-7240
c:\recycler\S-1-5-21-1243019571-4500321275-288728824-5871
c:\recycler\S-1-5-21-1297061607-5041727798-627465407-5214
c:\recycler\S-1-5-21-2128628502-8529060436-310103171-0437
c:\recycler\S-1-5-21-3208298357-5518390994-750293330-1104
c:\recycler\S-1-5-21-3878447542-7785570452-051761952-6225
c:\recycler\S-1-5-21-3907038668-9550808814-375009743-9317
c:\recycler\S-1-5-21-4364229661-9911368428-428959418-4452
c:\recycler\S-1-5-21-4369429854-8972616375-601809907-4170
c:\recycler\S-1-5-21-4398381536-8451711983-939817329-1843
c:\recycler\S-1-5-21-4441187141-0261908664-846760792-7939
c:\recycler\S-1-5-21-4790537406-1277641269-137661824-5447
c:\recycler\S-1-5-21-5967068309-6493283993-945943297-3612
c:\recycler\S-1-5-21-6336366132-9406617732-932178756-9004
c:\recycler\S-1-5-21-6604364251-5845816514-290641755-3956
c:\recycler\S-1-5-21-6775524838-1425766672-032817663-1495
c:\recycler\S-1-5-21-6813464220-7036849535-050521794-8821
c:\recycler\S-1-5-21-6881890162-9032043349-174460941-6583
c:\recycler\S-1-5-21-6956820342-5055892041-840744498-8216
c:\recycler\S-1-5-21-8115505336-9639716528-940983799-5984
c:\recycler\S-1-5-21-8416162496-3537554425-562681696-0835
c:\recycler\S-1-5-21-8899654321-3520356198-724105670-8272
c:\recycler\S-1-5-21-9439532259-7274396150-604307984-4620
c:\windows\regedit.com
c:\windows\system32\drivers\mkuftbpt.sys
c:\windows\system32\sys_dll.dll
c:\windows\system32\taskmgr.com
c:\windows\system32\win.ini
c:\windows\system32\drivers\ndis.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYSDRV32
-------\Legacy_mkuftbpt
-------\Service_mkuftbpt
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.
2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-07 18:04 . 2010-03-07 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-07 18:04 . 2010-03-08 03:31 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\SUPERAntiSpyware.com
2010-03-07 12:24 . 2010-03-07 12:24 -------- d-----w- c:\program files\Trend Micro
2010-03-07 12:00 . 2010-03-07 12:04 -------- d-----w- c:\program files\Symantec
2010-03-07 11:54 . 2010-03-07 11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-07 04:29 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-07 04:29 . 2009-02-13 06:59 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-07 04:29 . 2009-02-13 06:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\program files\Avira
2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-07 04:10 . 2010-03-07 12:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-01 15:40 . 2010-03-01 15:40 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-03-01 15:40 . 2010-03-01 15:43 3616 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-01 15:40 . 2010-03-01 15:43 43040 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-01 14:20 . 2010-03-01 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-03-01 10:00 . 2010-03-01 15:43 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-01 10:00 . 2010-03-01 10:00 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Downloaded Installations
2010-02-24 10:18 . 2010-02-24 10:18 -------- d-----w- c:\program files\EpiValley
2010-02-22 14:10 . 2010-02-22 15:49 -------- d-----w- C:\$AVG8.VAULT$
2010-02-22 11:03 . 2010-02-22 10:55 641304 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-02-22 11:03 . 2010-02-22 10:55 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-02-22 11:03 . 2010-02-22 10:55 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-02-22 11:03 . 2010-02-22 10:55 1082624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-02-22 10:54 . 2010-03-07 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-02-21 15:28 . 2010-02-22 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 14:49 . 2010-02-21 14:49 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Threat Expert
2010-02-21 13:43 . 2010-03-05 18:07 -------- d-----w- c:\program files\Sify Broadband
2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Malwarebytes
2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 13:53 . 2010-02-17 13:53 -------- d-----w- c:\windows\Internet Logs
2010-02-17 13:51 . 2010-02-17 13:51 -------- d-----w- c:\program files\Cisco Systems
2010-02-13 00:02 . 2010-02-13 00:02 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Yahoo
2010-02-12 15:57 . 2010-02-15 07:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Yahoo!
2010-02-12 15:57 . 2010-02-15 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-12 15:41 . 2010-02-15 08:20 -------- d-----w- c:\program files\Yahoo!
2010-02-07 05:22 . 2010-02-15 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-03-08 03:48 . 2009-05-08 03:13 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Broadband
2010-03-07 12:06 . 2009-05-28 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-07 04:51 . 2009-05-28 19:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-06 16:07 . 2010-03-06 16:02 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-03-06 16:02 . 2010-03-06 16:02 21798 ----a-w- c:\windows\winsbak.reg
2010-03-06 16:02 . 2010-03-06 16:02 172598 ----a-w- c:\windows\winsbak2.reg
2010-03-01 15:43 . 2010-03-01 15:40 2624 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-01 15:43 . 2010-03-01 15:40 1412 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-24 10:19 . 2009-05-08 03:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-21 16:11 . 2009-07-27 12:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-19 10:04 . 2004-08-03 17:44 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-23 06:51 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Ahead
2010-01-23 06:16 . 2010-01-23 06:13 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\program files\Nero
2009-12-31 16:14 . 2004-08-03 17:44 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-03 19:26 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-03 19:26 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2009-05-06 10:19 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-03 19:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:53 . 2004-08-03 17:48 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
------- Sigcheck -------
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 19:34 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 02:42 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 12:06 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 9:59 AM 108289]
S3 lxu800ds;LXU800 DIAG Port;c:\windows\system32\DRIVERS\lxu800ds.sys --> c:\windows\system32\DRIVERS\lxu800ds.sys [?]
S3 lxu800gs;LXU800 GUI Port;c:\windows\system32\DRIVERS\lxu800gs.sys --> c:\windows\system32\DRIVERS\lxu800gs.sys [?]
S3 lxu800m;LXU800 USB Data Modem Driver;c:\windows\system32\DRIVERS\lxu800m.sys --> c:\windows\system32\DRIVERS\lxu800m.sys [?]
S3 ZTEHandsetmodem;ZTE Handset Proprietary USB Serial Driver;c:\windows\system32\drivers\ztechandsetmodem32.sys [11/19/2009 10:18 AM 102144]
.
Contents of the 'Scheduled Tasks' folder
2010-03-05 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 08:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK & Ireland
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {E0E4205C-67BD-435C-A710-17714B68F95B} = 10.106.24.70,10.108.5.26
.
- - - - ORPHANS REMOVED - - - -
Notify-avgrsstarter - avgrsstx.dll
Notify-NavLogon - (no file)
************************************************** ************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-03-08 13:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x86D15580]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7647fc3
\Driver\ACPI -> ACPI.sys @ 0xf74dacb8
\Driver\atapi -> atapi.sys @ 0xf73267b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Intel(R) 82562GT 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x86c88ba0
PacketIndicateHandler -> NDIS.sys @ 0x86c77a0b
SendHandler -> NDIS.sys @ 0x86c8bb31
user & kernel MBR OK
************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3976)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\MicroWorld\Agent\MWASER.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
.
************************************************** ************************
.
Completion time: 2010-03-08 13:50:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 08:20
Pre-Run: 74,106,798,080 bytes free
Post-Run: 74,078,863,360 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 32518EEF15CFC3193173B81B8D41F8E7
HJT Logs:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:34 PM, on 3/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...9&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE2F28A-362C-42CE-92DD-B8067585E8C7}: NameServer = 203.200.230.244 202.54.29.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
--
End of file - 4466 bytes
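ComboFix deleted 24 folders under c:\recycler named like SIDs. On XP the Recycle Bin keeps one folder per account under RECYCLER, named with that account's SID, and a SID's sub-authorities are unsigned 32-bit values written without leading zeros. Several of the deleted names fail that test (0839501349 has a leading zero, 7828633754 exceeds 4294967295), so the Recycle Bin cannot have created them for any account. The check below is an added example written for this page, not ComboFix's own logic; the first four names are copied from the log above and the fifth is a constructed, well-formed SID used as a control.

```python
import re

# Folder names copied from the "Other Deletions" section of the ComboFix log
# above, plus one constructed well-formed SID as a control (not from the log).
RECYCLER_FOLDERS = [
    "S-1-5-21-0839501349-3184979542-608879323-1474",
    "S-1-5-21-1151398439-7828633754-563755993-7240",
    "S-1-5-21-1243019571-4500321275-288728824-5871",
    "S-1-5-21-2128628502-8529060436-310103171-0437",
    "S-1-5-21-1757981266-1202660629-839522115-1003",  # constructed control
]

MAX_SUBAUTHORITY = 2**32 - 1   # sub-authorities are unsigned 32-bit values
MAX_SUBAUTHORITIES = 15        # SID_MAX_SUB_AUTHORITIES in the Windows SDK
SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subs>(?:-\d+)+)$")


def sid_problems(name):
    """Return the reasons why `name` cannot be a real Windows SID (empty list if well-formed)."""
    m = SID_RE.match(name)
    if not m:
        return ["not in S-1-<authority>-<sub>... form"]
    problems = []
    parts = m["subs"].lstrip("-").split("-")
    if len(parts) > MAX_SUBAUTHORITIES:
        problems.append(f"more than {MAX_SUBAUTHORITIES} sub-authorities")
    for p in parts:
        # Windows never writes a sub-authority with a leading zero.
        if len(p) > 1 and p.startswith("0"):
            problems.append(f"leading zero in {p}")
        if int(p) > MAX_SUBAUTHORITY:
            problems.append(f"{p} exceeds 32-bit range")
    return problems


def suspicious_recycler_folders(names):
    """Map each malformed folder name to its problems; well-formed names are omitted."""
    result = {}
    for n in names:
        probs = sid_problems(n)
        if probs:
            result[n] = probs
    return result


if __name__ == "__main__":
    for name, probs in suspicious_recycler_folders(RECYCLER_FOLDERS).items():
        print(name, "->", "; ".join(probs))
```

A well-formed name is not proof that the folder is legitimate (malware can copy a real SID), but a malformed one is enough on its own to justify inspecting the folder's contents, which is what ComboFix's deletions above reflect.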
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Note: The log can also be found on your Desktop entitled SystemLook.txt
- Double-click SystemLook.exe to run it.
- Vista users:: Right click on SystemLook.exe, click Run As Administrator
- Copy the content of the following box into the main textfield:
Code:
:filefind
ndis.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
================================================== =============
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
File::
Folder::
c:\program files\Symantec
c:\program files\Common Files\Symantec Shared
C:\$AVG8.VAULT$
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\Symantec
Driver::
Registry::
RegLockDel::
SecCenter::
{17DDD097-36FF-435F-9E1B-52D74245D6BF}
MBR::
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:16 on 08/03/2010 by Phanindra Duddu (Administrator - Elevation successful)
========== filefind ==========
Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --a--- 182912 bytes [19:20 13/04/2008] [19:20 13/04/2008] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
-=End Of File=-
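The SystemLook output answers one question: whether the three copies of ndis.sys agree with each other. They do; all three share one MD5 and one size, including the copy in the Windows Update download cache, so this comparison alone cannot tell "all clean" from "all replaced", and ComboFix's Sigcheck section had already marked all three with [-]. Note too that ComboFix reported 212736 bytes for two of these files while SystemLook reports 182912 bytes for all three, a discrepancy worth raising with whoever reads the logs. The parser below is an added example for this page, not part of SystemLook or of the thread. It turns the filefind lines into records, groups the copies by hash and size, lists copies modified after their creation time, and compares each copy against a reference hash that the caller must obtain from a known-clean installation at the same service pack and hotfix level; no reference value is supplied here. The input is copied from the log above.

```python
import re
from datetime import datetime

# Constructed excerpt: the filefind block copied from the SystemLook log above.
SYSTEMLOOK_OUTPUT = r"""
========== filefind ==========
Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --a--- 182912 bytes [19:20 13/04/2008] [19:20 13/04/2008] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
-=End Of File=-
"""

# path, six-character attribute field, size, [created] [modified], MD5
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-F]{32})$",
    re.IGNORECASE,
)
TIME_FMT = "%H:%M %d/%m/%Y"   # SystemLook writes day/month/year


def parse_filefind(text):
    """Return one dict per file line in a SystemLook :filefind block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "attrs": m["attrs"],
                "size": int(m["size"]),
                "created": datetime.strptime(m["created"], TIME_FMT),
                "modified": datetime.strptime(m["modified"], TIME_FMT),
                "md5": m["md5"].upper(),
            })
    return entries


def compare_copies(entries):
    """Group paths by (md5, size). One group means all copies agree; several means at least one differs."""
    groups = {}
    for e in entries:
        groups.setdefault((e["md5"], e["size"]), []).append(e["path"])
    return groups


def modified_after_install(entries):
    """Copies whose modified time is later than their creation time.
    A legitimate hotfix does this too, so it is a prompt to check the hash, not a verdict."""
    return [e["path"] for e in entries if e["modified"] > e["created"]]


def check_against_reference(entries, reference_md5):
    """Paths whose MD5 differs from reference_md5.
    reference_md5 is an assumed input: the hash of this file from a trusted,
    clean install of the same version. This example does not ship one."""
    ref = reference_md5.upper()
    return [e["path"] for e in entries if e["md5"] != ref]


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_OUTPUT)
    for (md5, size), paths in compare_copies(found).items():
        print(f"{md5} {size} bytes: {len(paths)} copies")
    print("modified after creation:", modified_after_install(found))
```

Because the SoftwareDistribution copy was never modified after it was written yet carries the same hash as the two copies under system32, the only way to settle the "[-]" verdict is an external reference hash or a Windows File Protection check (sfc /scannow with the SP2 media), not another comparison between the three.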
Hi, the Combofix log:
ComboFix 10-03-07.04 - Phanindra Duddu 03/08/2010 23:29:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.645 [GMT 5.5:30]
Running from: c:\documents and settings\Phanindra Duddu\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phanindra Duddu\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\$AVG8.VAULT$
c:\$avg8.vault$\vvfolder.idx
c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\updatecomps.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avguilog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
c:\documents and settings\All Users\Application Data\avg8\Log\cfglog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\corelog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
c:\documents and settings\All Users\Application Data\avg8\Log\lnglog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\privlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\publog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\rslog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\scanlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\schedlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\srmlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\updlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\vaultlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\wdlog.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\wdsvclog.cfg
c:\documents and settings\All Users\Application Data\avg8\Lsdb\cf.dat
c:\documents and settings\All Users\Application Data\avg8\Lsdb\ph.dat
c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb.dat
c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb2.dat
c:\documents and settings\All Users\Application Data\avg8\Lsdb\sc.dat
c:\documents and settings\All Users\Application Data\avg8\Lsdb\sc.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\cf.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\incavi.avm
c:\documents and settings\All Users\Application Data\avg8\update\backup\microavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\miniavi.avg
c:\documents and settings\All Users\Application Data\avg8\update\backup\ph.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat.xcd
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Settings.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LUInstall.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\Help\LUALL.CHM
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.grd
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.sig
c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.spm
c:\program files\Symantec
c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE
c:\program files\Symantec\LiveUpdate\ALUNOTIFYRES.DLL
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvcRes.dll
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\AUPDATERES.DLL
c:\program files\Symantec\LiveUpdate\LSETUP.EXE
c:\program files\Symantec\LiveUpdate\LUALL.EXE
c:\program files\Symantec\LiveUpdate\LUALLRES.DLL
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LUCheck.exe
c:\program files\Symantec\LiveUpdate\LuComServer_3_3.EXE
c:\program files\Symantec\LiveUpdate\LuConfig.EXE
c:\program files\Symantec\LiveUpdate\ludirloc.dat
c:\program files\Symantec\LiveUpdate\LUINFO.INF
c:\program files\Symantec\LiveUpdate\LUInit.exe
c:\program files\Symantec\LiveUpdate\LUInit.ini
c:\program files\Symantec\LiveUpdate\LUINSDLL.DLL
c:\program files\Symantec\LiveUpdate\LuInsRes.dll
c:\program files\Symantec\LiveUpdate\LuPreCon.DLL
c:\program files\Symantec\LiveUpdate\LuResult.txt
c:\program files\Symantec\LiveUpdate\MFC71.DLL
c:\program files\Symantec\LiveUpdate\MSVCP71.DLL
c:\program files\Symantec\LiveUpdate\MSVCR71.DLL
c:\program files\Symantec\LiveUpdate\NetDetectController_3_3.DLL
c:\program files\Symantec\LiveUpdate\NotifyHA.exe
c:\program files\Symantec\LiveUpdate\ProductRegCom_3_3.DLL
c:\program files\Symantec\LiveUpdate\PSProductRegCom_3_3.DLL
c:\program files\Symantec\LiveUpdate\PSProductRegCom64_3_3.DLL
c:\program files\Symantec\LiveUpdate\README.TXT
c:\program files\Symantec\LiveUpdate\ResLuComServer_3_3.DLL
c:\program files\Symantec\LiveUpdate\S32LIVE1.DLL
c:\program files\Symantec\LiveUpdate\S32LUCP1RES.DLL
c:\program files\Symantec\LiveUpdate\S32LUCP2.CPL
c:\program files\Symantec\LiveUpdate\S32LUIS1.DLL
c:\program files\Symantec\LiveUpdate\S32LUWI1.DLL
c:\program files\Symantec\LiveUpdate\Settings.Default.LiveUpdate
c:\program files\Symantec\LiveUpdate\SETUPRES.DLL
c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.exe
c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.log
c:\program files\Symantec\LiveUpdate\SymantecRootInstallerRes.dll
c:\program files\Symantec\LiveUpdate\UNRAR.DLL
c:\windows\system32\drivers\ndis.sys . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.
2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-07 18:04 . 2010-03-07 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-07 18:04 . 2010-03-08 03:31 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\SUPERAntiSpyware.com
2010-03-07 12:24 . 2010-03-07 12:24 -------- d-----w- c:\program files\Trend Micro
2010-03-07 11:54 . 2010-03-07 11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-07 04:29 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-03-07 04:29 . 2009-02-13 06:59 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-03-07 04:29 . 2009-02-13 06:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\program files\Avira
2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-03-01 15:40 . 2010-03-01 15:40 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-03-01 15:40 . 2010-03-01 15:43 3616 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-03-01 15:40 . 2010-03-01 15:43 43040 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-03-01 14:20 . 2010-03-01 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-03-01 10:00 . 2010-03-01 15:43 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-03-01 10:00 . 2010-03-01 10:00 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Downloaded Installations
2010-02-24 10:18 . 2010-02-24 10:18 -------- d-----w- c:\program files\EpiValley
2010-02-21 15:28 . 2010-02-22 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-21 14:49 . 2010-02-21 14:49 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Threat Expert
2010-02-21 13:43 . 2010-03-08 17:40 -------- d-----w- c:\program files\Sify Broadband
2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Malwarebytes
2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-17 13:53 . 2010-02-17 13:53 -------- d-----w- c:\windows\Internet Logs
2010-02-17 13:51 . 2010-02-17 13:51 -------- d-----w- c:\program files\Cisco Systems
2010-02-13 00:02 . 2010-02-13 00:02 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Yahoo
2010-02-12 15:57 . 2010-02-15 07:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Yahoo!
2010-02-12 15:57 . 2010-02-15 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-12 15:41 . 2010-02-15 08:20 -------- d-----w- c:\program files\Yahoo!
2010-02-07 05:22 . 2010-02-15 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-08 17:43 . 2009-05-08 03:13 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Broadband
2010-03-07 04:51 . 2009-05-28 19:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-03-06 16:07 . 2010-03-06 16:02 -------- d-----w- c:\program files\Common Files\MicroWorld
2010-03-06 16:02 . 2010-03-06 16:02 21798 ----a-w- c:\windows\winsbak.reg
2010-03-06 16:02 . 2010-03-06 16:02 172598 ----a-w- c:\windows\winsbak2.reg
2010-03-01 15:43 . 2010-03-01 15:40 2624 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-03-01 15:43 . 2010-03-01 15:40 1412 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-24 10:19 . 2009-05-08 03:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-21 16:11 . 2009-07-27 12:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-19 10:04 . 2004-08-03 17:44 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-01-23 06:51 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Ahead
2010-01-23 06:16 . 2010-01-23 06:13 -------- d-----w- c:\program files\Common Files\Ahead
2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\program files\Nero
2009-12-31 16:14 . 2004-08-03 17:44 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2004-08-03 19:26 662016 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2004-08-03 19:26 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 12:58 . 2009-05-06 10:19 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2004-08-03 19:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 18:53 . 2004-08-03 17:48 2136064 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:19 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe
.
------- Sigcheck -------
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-03-08_08.18.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2001-08-23 12:00 . 2010-03-08 07:01 54010 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-08 14:46 54010 c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2010-03-08 14:46 383822 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-03-08 07:01 383822 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-14 19:34 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 02:42 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 12:06 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 9:59 AM 108289]
S3 lxu800ds;LXU800 DIAG Port;c:\windows\system32\DRIVERS\lxu800ds.sys --> c:\windows\system32\DRIVERS\lxu800ds.sys [?]
S3 lxu800gs;LXU800 GUI Port;c:\windows\system32\DRIVERS\lxu800gs.sys --> c:\windows\system32\DRIVERS\lxu800gs.sys [?]
S3 lxu800m;LXU800 USB Data Modem Driver;c:\windows\system32\DRIVERS\lxu800m.sys --> c:\windows\system32\DRIVERS\lxu800m.sys [?]
S3 ZTEHandsetmodem;ZTE Handset Proprietary USB Serial Driver;c:\windows\system32\drivers\ztechandsetmodem32.sys [11/19/2009 10:18 AM 102144]
.
Contents of the 'Scheduled Tasks' folder
2010-03-05 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 08:58]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = 10.106.24.73:8080
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK & Ireland
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {707F8B9E-49F8-494B-880D-D9382630DE1E} = 202.144.105.4,202.144.10.50
TCP: {E0E4205C-67BD-435C-A710-17714B68F95B} = 10.106.24.70,10.108.5.26
.
- - - - ORPHANS REMOVED - - - -
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-03-08 23:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe >>UNKNOWN [0x86C97580]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf760cfc3
\Driver\ACPI -> ACPI.sys @ 0xf749fcb8
\Driver\atapi -> atapi.sys @ 0xf74317b4
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
NDIS: Intel(R) 82562GT 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x86c7eba0
PacketIndicateHandler -> NDIS.sys @ 0x86c6da0b
SendHandler -> NDIS.sys @ 0x86c81b31
user & kernel MBR OK
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3396)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\MicroWorld\Agent\MWASER.EXE
c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
.
**************************************************************************
.
Completion time: 2010-03-08 23:36:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-08 18:06
ComboFix2.txt 2010-03-08 08:20
Pre-Run: 74,068,234,240 bytes free
Post-Run: 74,037,735,424 bytes free
- - End Of File - - DBB4456759ED9F9CBD51C60DDE0C1191
HJT Log is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:26 PM, on 3/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askR...9&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
--
End of file - 4578 bytes
Please help!!!!!
Open Windows Explorer. Go to Tools>Folder Options>View tab and put a checkmark next to Show hidden files and folders.
Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\dllcache\ndis.sys
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
Post scan results.
Am unable to load the files, the server is getting disconnected, tried many times. Please suggest.
Try here: Jotti's malware scan
The scan result of drivers/ndis.sys
This file has been scanned before. The results for this previous scan are listed below.
--------------------------------------------------------------------------------
Filename: ndis.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 2 Mar 2010 12:06:18 (CET)
=========================================================================================
Shall send the results of the others shortly.
My net connection has become very slow (it used to be 230kbps, now it's going down to 100bps).