
[Active] TR/Rootkit.gen

Discussion in 'Spyware, Adware, Viruses and Malware Removal' started by Taurian, Mar 7, 2010.

  1. Taurian

    Taurian Techie7 New Member

    There is TR/rootkit.gen in system32/drivers/mkuftbpt.sys. Avira is not able to remove it permanently. My internet speed has also slowed down drastically. Please help.
    Also please find below the HJT log.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:05:52 PM, on 3/7/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
    R3 - URLSearchHook: (no name) - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

    --
    End of file - 4759 bytes
     
    Last edited: Mar 7, 2010
  2. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. Taurian

    Taurian Techie7 New Member

    Hi, please find the Combofix and HJT logs as asked by you.
    ComboFix 10-03-07.04 - Phanindra Duddu 03/08/2010 13:43:09.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.592 [GMT 5.5:30]
    Running from: c:\documents and settings\Phanindra Duddu\Desktop\ComboFix.exe
    Command switches used :: and Settings\Phanindra Duddu\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Phanindra Duddu\csrss.exe
    c:\recycler\S-1-5-21-0839501349-3184979542-608879323-1474
    c:\recycler\S-1-5-21-1151398439-7828633754-563755993-7240
    c:\recycler\S-1-5-21-1243019571-4500321275-288728824-5871
    c:\recycler\S-1-5-21-1297061607-5041727798-627465407-5214
    c:\recycler\S-1-5-21-2128628502-8529060436-310103171-0437
    c:\recycler\S-1-5-21-3208298357-5518390994-750293330-1104
    c:\recycler\S-1-5-21-3878447542-7785570452-051761952-6225
    c:\recycler\S-1-5-21-3907038668-9550808814-375009743-9317
    c:\recycler\S-1-5-21-4364229661-9911368428-428959418-4452
    c:\recycler\S-1-5-21-4369429854-8972616375-601809907-4170
    c:\recycler\S-1-5-21-4398381536-8451711983-939817329-1843
    c:\recycler\S-1-5-21-4441187141-0261908664-846760792-7939
    c:\recycler\S-1-5-21-4790537406-1277641269-137661824-5447
    c:\recycler\S-1-5-21-5967068309-6493283993-945943297-3612
    c:\recycler\S-1-5-21-6336366132-9406617732-932178756-9004
    c:\recycler\S-1-5-21-6604364251-5845816514-290641755-3956
    c:\recycler\S-1-5-21-6775524838-1425766672-032817663-1495
    c:\recycler\S-1-5-21-6813464220-7036849535-050521794-8821
    c:\recycler\S-1-5-21-6881890162-9032043349-174460941-6583
    c:\recycler\S-1-5-21-6956820342-5055892041-840744498-8216
    c:\recycler\S-1-5-21-8115505336-9639716528-940983799-5984
    c:\recycler\S-1-5-21-8416162496-3537554425-562681696-0835
    c:\recycler\S-1-5-21-8899654321-3520356198-724105670-8272
    c:\recycler\S-1-5-21-9439532259-7274396150-604307984-4620
    c:\windows\regedit.com
    c:\windows\system32\drivers\mkuftbpt.sys
    c:\windows\system32\sys_dll.dll
    c:\windows\system32\taskmgr.com
    c:\windows\system32\win.ini

    c:\windows\system32\drivers\ndis.sys . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SYSDRV32
    -------\Legacy_mkuftbpt
    -------\Service_mkuftbpt


    ((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
    .

    2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-03-07 18:04 . 2010-03-07 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-07 18:04 . 2010-03-08 03:31 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\SUPERAntiSpyware.com
    2010-03-07 12:24 . 2010-03-07 12:24 -------- d-----w- c:\program files\Trend Micro
    2010-03-07 12:00 . 2010-03-07 12:04 -------- d-----w- c:\program files\Symantec
    2010-03-07 11:54 . 2010-03-07 11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-03-07 04:29 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-03-07 04:29 . 2009-02-13 06:59 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-03-07 04:29 . 2009-02-13 06:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\program files\Avira
    2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-03-07 04:10 . 2010-03-07 12:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-01 15:40 . 2010-03-01 15:40 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
    2010-03-01 15:40 . 2010-03-01 15:43 3616 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-03-01 15:40 . 2010-03-01 15:43 43040 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-03-01 14:20 . 2010-03-01 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-03-01 10:00 . 2010-03-01 15:43 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-03-01 10:00 . 2010-03-01 10:00 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Downloaded Installations
    2010-02-24 10:18 . 2010-02-24 10:18 -------- d-----w- c:\program files\EpiValley
    2010-02-22 14:10 . 2010-02-22 15:49 -------- d-----w- C:\$AVG8.VAULT$
    2010-02-22 11:03 . 2010-02-22 10:55 641304 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
    2010-02-22 11:03 . 2010-02-22 10:55 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
    2010-02-22 11:03 . 2010-02-22 10:55 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
    2010-02-22 11:03 . 2010-02-22 10:55 1082624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
    2010-02-22 10:54 . 2010-03-07 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-02-21 15:28 . 2010-02-22 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-21 14:49 . 2010-02-21 14:49 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Threat Expert
    2010-02-21 13:43 . 2010-03-05 18:07 -------- d-----w- c:\program files\Sify Broadband
    2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Malwarebytes
    2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-17 13:53 . 2010-02-17 13:53 -------- d-----w- c:\windows\Internet Logs
    2010-02-17 13:51 . 2010-02-17 13:51 -------- d-----w- c:\program files\Cisco Systems
    2010-02-13 00:02 . 2010-02-13 00:02 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Yahoo
    2010-02-12 15:57 . 2010-02-15 07:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Yahoo!
    2010-02-12 15:57 . 2010-02-15 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-02-12 15:41 . 2010-02-15 08:20 -------- d-----w- c:\program files\Yahoo!
    2010-02-07 05:22 . 2010-02-15 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-08 03:48 . 2009-05-08 03:13 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Broadband
    2010-03-07 12:06 . 2009-05-28 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-07 04:51 . 2009-05-28 19:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-03-06 16:07 . 2010-03-06 16:02 -------- d-----w- c:\program files\Common Files\MicroWorld
    2010-03-06 16:02 . 2010-03-06 16:02 21798 ----a-w- c:\windows\winsbak.reg
    2010-03-06 16:02 . 2010-03-06 16:02 172598 ----a-w- c:\windows\winsbak2.reg
    2010-03-01 15:43 . 2010-03-01 15:40 2624 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-03-01 15:43 . 2010-03-01 15:40 1412 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-02-24 10:19 . 2009-05-08 03:11 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-21 16:11 . 2009-07-27 12:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-19 10:04 . 2004-08-03 17:44 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
    2010-01-23 06:51 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Ahead
    2010-01-23 06:16 . 2010-01-23 06:13 -------- d-----w- c:\program files\Common Files\Ahead
    2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\program files\Nero
    2009-12-31 16:14 . 2004-08-03 17:44 352640 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:42 . 2004-08-03 19:26 662016 ----a-w- c:\windows\system32\wininet.dll
    2009-12-22 05:42 . 2004-08-03 19:26 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2009-05-06 10:19 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-03 19:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:53 . 2004-08-03 17:48 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-03 22:59 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
    [-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
    [-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy"= 0 (0x0)
    "SynchronousUserGroupPolicy"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-14 19:34 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    2006-07-13 02:42 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-01-05 12:06 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 9:59 AM 108289]
    S3 lxu800ds;LXU800 DIAG Port;c:\windows\system32\DRIVERS\lxu800ds.sys --> c:\windows\system32\DRIVERS\lxu800ds.sys [?]
    S3 lxu800gs;LXU800 GUI Port;c:\windows\system32\DRIVERS\lxu800gs.sys --> c:\windows\system32\DRIVERS\lxu800gs.sys [?]
    S3 lxu800m;LXU800 USB Data Modem Driver;c:\windows\system32\DRIVERS\lxu800m.sys --> c:\windows\system32\DRIVERS\lxu800m.sys [?]
    S3 ZTEHandsetmodem;ZTE Handset Proprietary USB Serial Driver;c:\windows\system32\drivers\ztechandsetmodem32.sys [11/19/2009 10:18 AM 102144]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 08:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK & Ireland
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: {E0E4205C-67BD-435C-A710-17714B68F95B} = 10.106.24.70,10.108.5.26
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-avgrsstarter - avgrsstx.dll
    Notify-NavLogon - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-08 13:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe >>UNKNOWN [0x86D15580]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf7647fc3
    \Driver\ACPI -> ACPI.sys @ 0xf74dacb8
    \Driver\atapi -> atapi.sys @ 0xf73267b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
    NDIS: Intel(R) 82562GT 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x86c88ba0
    PacketIndicateHandler -> NDIS.sys @ 0x86c77a0b
    SendHandler -> NDIS.sys @ 0x86c8bb31
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3976)
    c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
    c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
    c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\MicroWorld\Agent\MWASER.EXE
    c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-03-08 13:50:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-08 08:20

    Pre-Run: 74,106,798,080 bytes free
    Post-Run: 74,078,863,360 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - 32518EEF15CFC3193173B81B8D41F8E7

    HJT Logs:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:54:34 PM, on 3/8/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3BE2F28A-362C-42CE-92DD-B8067585E8C7}: NameServer = 203.200.230.244 202.54.29.5
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

    --
    End of file - 4466 bytes
     
  4. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      ndis.sys
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    ===============================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::
    
    File::
    
    Folder::
    c:\program files\Symantec
    c:\program files\Common Files\Symantec Shared
    C:\$AVG8.VAULT$
    c:\documents and settings\All Users\Application Data\avg8
    c:\documents and settings\All Users\Application Data\Symantec
    
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    
    MBR::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  5. Taurian

    Taurian Techie7 New Member

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 23:16 on 08/03/2010 by Phanindra Duddu (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "ndis.sys"
    C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --a--- 182912 bytes [19:20 13/04/2008] [19:20 13/04/2008] 558635D3AF1C7546D26067D5D9B6959E
    C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
    C:\WINDOWS\system32\drivers\ndis.sys --a--- 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E

    -=End Of File=-
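The helper asked for a SystemLook :filefind of ndis.sys so the three copies of the driver can be compared with the ComboFix Sigcheck lines posted earlier. The following is an added example, not part of this thread or of either tool: it parses both report formats and flags the discrepancies a reviewer would look for (ComboFix's [-] verdict, one MD5 reported with two different sizes, size disagreement between the tools for the same path, and a dllcache backup identical to the live driver). The sample input is the ndis.sys lines from the thread; the finding labels and the regexes are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: the SystemLook ":filefind" result and the ComboFix
# "Sigcheck" lines for ndis.sys, copied from the reports posted in this thread.
SYSTEMLOOK_LOG = r"""
Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --a--- 182912 bytes [19:20 13/04/2008] [19:20 13/04/2008] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
"""

SIGCHECK_LOG = r"""
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
"""

# "<path> <attrs> <size> bytes [<created>] [<modified>] <md5>"
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# "[-|+] <date> . <md5> . <size> . . [<version>] . . <path>"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. "
    r"(?P<size>\d+) \. \. \[(?P<version>[^\]]+)\] \. \. (?P<path>.+)$"
)


def _parse(text, pattern):
    """Return one dict per line of `text` that matches `pattern`; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def parse_systemlook(text):
    return _parse(text, SYSTEMLOOK_RE)


def parse_sigcheck(text):
    return _parse(text, SIGCHECK_RE)


def cross_check(sl_entries, sc_entries):
    """Compare the two reports and return a list of human-readable findings."""
    findings = []
    sl_by_path = {e["path"].lower(): e for e in sl_entries}
    sc_by_path = {e["path"].lower(): e for e in sc_entries}

    # 1. ComboFix's own verdict: "[-]" means the file failed its signature check.
    for e in sc_entries:
        if e["flag"] == "-":
            findings.append(f"UNSIGNED {e['path']} (sigcheck [-])")

    # 2. One MD5 cannot belong to files of two different sizes; if a report says so,
    #    the report itself is inconsistent and its hash column cannot be trusted.
    for name, entries in (("sigcheck", sc_entries), ("systemlook", sl_entries)):
        sizes = defaultdict(set)
        for e in entries:
            sizes[e["md5"]].add(e["size"])
        for md5, seen in sizes.items():
            if len(seen) > 1:
                findings.append(f"INCONSISTENT {name}: md5 {md5} reported with sizes {sorted(seen)}")

    # 3. Two tools reading the same path should agree on its size.
    for path, sl in sl_by_path.items():
        sc = sc_by_path.get(path)
        if sc is not None and sc["size"] != sl["size"]:
            findings.append(f"MISMATCH {sl['path']}: systemlook {sl['size']} bytes vs sigcheck {sc['size']} bytes")

    # 4. Windows File Protection restores from dllcache; a dllcache copy identical to a
    #    suspect live file means there is no clean on-disk source to restore from.
    by_name = defaultdict(list)
    for e in sl_entries:
        by_name[ntpath.basename(e["path"]).lower()].append(e)
    for name, copies in by_name.items():
        cache = [e for e in copies if "\\dllcache\\" in e["path"].lower()]
        live = [e for e in copies if "\\dllcache\\" not in e["path"].lower()
                and "\\softwaredistribution\\" not in e["path"].lower()]
        for c in cache:
            for l in live:
                if c["md5"] == l["md5"]:
                    findings.append(f"NO-CLEAN-BACKUP {name}: dllcache copy has the same md5 as {l['path']}")
    return findings


if __name__ == "__main__":
    for line in cross_check(parse_systemlook(SYSTEMLOOK_LOG), parse_sigcheck(SIGCHECK_LOG)):
        print(line)
```

For the thread's input the script reports three unsigned copies, one internally inconsistent Sigcheck hash, three size mismatches between the tools, and a dllcache copy that cannot serve as a clean restore source.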
     
  6. Taurian

    Taurian Techie7 New Member

    Hi, the Combofix log:
    ComboFix 10-03-07.04 - Phanindra Duddu 03/08/2010 23:29:25.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.645 [GMT 5.5:30]
    Running from: c:\documents and settings\Phanindra Duddu\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Phanindra Duddu\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\$AVG8.VAULT$
    c:\$avg8.vault$\vvfolder.idx
    c:\documents and settings\All Users\Application Data\avg8
    c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\updatecomps.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avguilog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
    c:\documents and settings\All Users\Application Data\avg8\Log\cfglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\corelog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
    c:\documents and settings\All Users\Application Data\avg8\Log\lnglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\privlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\publog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\rslog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\scanlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\schedlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\srmlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\updlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\vaultlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdsvclog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\cf.dat
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\ph.dat
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb.dat
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb.dat.xcd
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\sb2.dat
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\sc.dat
    c:\documents and settings\All Users\Application Data\avg8\Lsdb\sc.dat.xcd
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
    c:\documents and settings\All Users\Application Data\avg8\update\backup\cf.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\incavi.avm
    c:\documents and settings\All Users\Application Data\avg8\update\backup\microavi.avg
    c:\documents and settings\All Users\Application Data\avg8\update\backup\miniavi.avg
    c:\documents and settings\All Users\Application Data\avg8\update\backup\ph.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat.xcd
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat.xcd
    c:\documents and settings\All Users\Application Data\Symantec
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\1.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\10.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\2.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\3.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\4.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\5.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\6.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\7.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\8.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\9.Settings.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LUInstall.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Product.Inventory.LiveUpdate
    c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
    c:\program files\Common Files\Symantec Shared
    c:\program files\Common Files\Symantec Shared\Help\LUALL.CHM
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.grd
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.sig
    c:\program files\Common Files\Symantec Shared\SPManifests\LuSymProtect.spm
    c:\program files\Symantec
    c:\program files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    c:\program files\Symantec\LiveUpdate\ALUNOTIFYRES.DLL
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvcRes.dll
    c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
    c:\program files\Symantec\LiveUpdate\AUPDATERES.DLL
    c:\program files\Symantec\LiveUpdate\LSETUP.EXE
    c:\program files\Symantec\LiveUpdate\LUALL.EXE
    c:\program files\Symantec\LiveUpdate\LUALLRES.DLL
    c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
    c:\program files\Symantec\LiveUpdate\LUCheck.exe
    c:\program files\Symantec\LiveUpdate\LuComServer_3_3.EXE
    c:\program files\Symantec\LiveUpdate\LuConfig.EXE
    c:\program files\Symantec\LiveUpdate\ludirloc.dat
    c:\program files\Symantec\LiveUpdate\LUINFO.INF
    c:\program files\Symantec\LiveUpdate\LUInit.exe
    c:\program files\Symantec\LiveUpdate\LUInit.ini
    c:\program files\Symantec\LiveUpdate\LUINSDLL.DLL
    c:\program files\Symantec\LiveUpdate\LuInsRes.dll
    c:\program files\Symantec\LiveUpdate\LuPreCon.DLL
    c:\program files\Symantec\LiveUpdate\LuResult.txt
    c:\program files\Symantec\LiveUpdate\MFC71.DLL
    c:\program files\Symantec\LiveUpdate\MSVCP71.DLL
    c:\program files\Symantec\LiveUpdate\MSVCR71.DLL
    c:\program files\Symantec\LiveUpdate\NetDetectController_3_3.DLL
    c:\program files\Symantec\LiveUpdate\NotifyHA.exe
    c:\program files\Symantec\LiveUpdate\ProductRegCom_3_3.DLL
    c:\program files\Symantec\LiveUpdate\PSProductRegCom_3_3.DLL
    c:\program files\Symantec\LiveUpdate\PSProductRegCom64_3_3.DLL
    c:\program files\Symantec\LiveUpdate\README.TXT
    c:\program files\Symantec\LiveUpdate\ResLuComServer_3_3.DLL
    c:\program files\Symantec\LiveUpdate\S32LIVE1.DLL
    c:\program files\Symantec\LiveUpdate\S32LUCP1RES.DLL
    c:\program files\Symantec\LiveUpdate\S32LUCP2.CPL
    c:\program files\Symantec\LiveUpdate\S32LUIS1.DLL
    c:\program files\Symantec\LiveUpdate\S32LUWI1.DLL
    c:\program files\Symantec\LiveUpdate\Settings.Default.LiveUpdate
    c:\program files\Symantec\LiveUpdate\SETUPRES.DLL
    c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.exe
    c:\program files\Symantec\LiveUpdate\SymantecRootInstaller.log
    c:\program files\Symantec\LiveUpdate\SymantecRootInstallerRes.dll
    c:\program files\Symantec\LiveUpdate\UNRAR.DLL

    c:\windows\system32\drivers\ndis.sys . . . is infected!!

    .
    ((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
    .

    2010-03-07 18:24 . 2010-03-07 18:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-03-07 18:04 . 2010-03-07 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-07 18:04 . 2010-03-08 03:31 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\SUPERAntiSpyware.com
    2010-03-07 12:24 . 2010-03-07 12:24 -------- d-----w- c:\program files\Trend Micro
    2010-03-07 11:54 . 2010-03-07 11:54 -------- d--h--w- c:\windows\system32\GroupPolicy
    2010-03-07 04:29 . 2009-03-30 05:03 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-03-07 04:29 . 2009-02-13 06:59 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-03-07 04:29 . 2009-02-13 06:47 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\program files\Avira
    2010-03-07 04:29 . 2010-03-07 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-03-01 15:40 . 2010-03-01 15:40 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
    2010-03-01 15:40 . 2010-03-01 15:43 3616 --sha-w- c:\windows\system32\drivers\fidbox2.dat
    2010-03-01 15:40 . 2010-03-01 15:43 43040 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2010-03-01 14:20 . 2010-03-01 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
    2010-03-01 10:00 . 2010-03-01 15:43 -------- d-----w- c:\program files\Common Files\ParetoLogic
    2010-03-01 10:00 . 2010-03-01 10:00 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Downloaded Installations
    2010-02-24 10:18 . 2010-02-24 10:18 -------- d-----w- c:\program files\EpiValley
    2010-02-21 15:28 . 2010-02-22 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-02-21 14:49 . 2010-02-21 14:49 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Threat Expert
    2010-02-21 13:43 . 2010-03-08 17:40 -------- d-----w- c:\program files\Sify Broadband
    2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Malwarebytes
    2010-02-19 18:26 . 2010-02-19 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-02-17 13:53 . 2010-02-17 13:53 -------- d-----w- c:\windows\Internet Logs
    2010-02-17 13:51 . 2010-02-17 13:51 -------- d-----w- c:\program files\Cisco Systems
    2010-02-13 00:02 . 2010-02-13 00:02 -------- d-----w- c:\documents and settings\Phanindra Duddu\Local Settings\Application Data\Yahoo
    2010-02-12 15:57 . 2010-02-15 07:26 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Yahoo!
    2010-02-12 15:57 . 2010-02-15 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-02-12 15:41 . 2010-02-15 08:20 -------- d-----w- c:\program files\Yahoo!
    2010-02-07 05:22 . 2010-02-15 07:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-08 17:43 . 2009-05-08 03:13 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Broadband
    2010-03-07 04:51 . 2009-05-28 19:16 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-03-06 16:07 . 2010-03-06 16:02 -------- d-----w- c:\program files\Common Files\MicroWorld
    2010-03-06 16:02 . 2010-03-06 16:02 21798 ----a-w- c:\windows\winsbak.reg
    2010-03-06 16:02 . 2010-03-06 16:02 172598 ----a-w- c:\windows\winsbak2.reg
    2010-03-01 15:43 . 2010-03-01 15:40 2624 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2010-03-01 15:43 . 2010-03-01 15:40 1412 --sha-w- c:\windows\system32\drivers\fidbox2.idx
    2010-02-24 10:19 . 2009-05-08 03:11 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-02-21 16:11 . 2009-07-27 12:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-19 10:04 . 2004-08-03 17:44 212736 ----a-w- c:\windows\system32\drivers\ndis.sys
    2010-01-23 06:51 . 2009-06-27 15:45 -------- d-----w- c:\documents and settings\Phanindra Duddu\Application Data\Ahead
    2010-01-23 06:16 . 2010-01-23 06:13 -------- d-----w- c:\program files\Common Files\Ahead
    2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2010-01-23 06:13 . 2010-01-23 06:13 -------- d-----w- c:\program files\Nero
    2009-12-31 16:14 . 2004-08-03 17:44 352640 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-22 05:42 . 2004-08-03 19:26 662016 ------w- c:\windows\system32\wininet.dll
    2009-12-22 05:42 . 2004-08-03 19:26 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-16 12:58 . 2009-05-06 10:19 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-03 19:26 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2009-12-08 18:53 . 2004-08-03 17:48 2136064 ------w- c:\windows\system32\ntoskrnl.exe
    2009-12-08 18:19 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
    [-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
    [-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-03-08_08.18.09 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2001-08-23 12:00 . 2010-03-08 07:01 54010 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2010-03-08 14:46 54010 c:\windows\system32\perfc009.dat
    + 2001-08-23 12:00 . 2010-03-08 14:46 383822 c:\windows\system32\perfh009.dat
    - 2001-08-23 12:00 . 2010-03-08 07:01 383822 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SifyBB"="c:\program files\Sify Broadband\BBImpSec.exe" [2006-04-21 127085]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "SynchronousMachineGroupPolicy"= 0 (0x0)
    "SynchronousUserGroupPolicy"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-14 19:34 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
    2006-07-13 02:42 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    2007-01-05 12:06 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/7/2010 9:59 AM 108289]
    S3 lxu800ds;LXU800 DIAG Port;c:\windows\system32\DRIVERS\lxu800ds.sys --> c:\windows\system32\DRIVERS\lxu800ds.sys [?]
    S3 lxu800gs;LXU800 GUI Port;c:\windows\system32\DRIVERS\lxu800gs.sys --> c:\windows\system32\DRIVERS\lxu800gs.sys [?]
    S3 lxu800m;LXU800 USB Data Modem Driver;c:\windows\system32\DRIVERS\lxu800m.sys --> c:\windows\system32\DRIVERS\lxu800m.sys [?]
    S3 ZTEHandsetmodem;ZTE Handset Proprietary USB Serial Driver;c:\windows\system32\drivers\ztechandsetmodem32.sys [11/19/2009 10:18 AM 102144]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-05 c:\windows\Tasks\HP WEP.job
    - c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 08:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    mStart Page = hxxp://www.yahoo.com
    uInternet Settings,ProxyServer = 10.106.24.73:8080
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo! UK & Ireland
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    TCP: {707F8B9E-49F8-494B-880D-D9382630DE1E} = 202.144.105.4,202.144.10.50
    TCP: {E0E4205C-67BD-435C-A710-17714B68F95B} = 10.106.24.70,10.108.5.26
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
    Rootkit scan 2010-03-08 23:33
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe >>UNKNOWN [0x86C97580]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf760cfc3
    \Driver\ACPI -> ACPI.sys @ 0xf749fcb8
    \Driver\atapi -> atapi.sys @ 0xf74317b4
    IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x8058241c
    ParseProcedure -> ntkrnlpa.exe @ 0x8058155c
    NDIS: Intel(R) 82562GT 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0x86c7eba0
    PacketIndicateHandler -> NDIS.sys @ 0x86c6da0b
    SendHandler -> NDIS.sys @ 0x86c81b31
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3396)
    c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
    c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
    c:\program files\Common Files\Ahead\Lib\BCGCBPRO800u.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\MicroWorld\Agent\MWASER.EXE
    c:\windows\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-03-08 23:36:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-08 18:06
    ComboFix2.txt 2010-03-08 08:20

    Pre-Run: 74,068,234,240 bytes free
    Post-Run: 74,037,735,424 bytes free

    - - End Of File - - DBB4456759ED9F9CBD51C60DDE0C1191

    The HJT log is:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:40:26 PM, on 3/8/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

    --
    End of file - 4578 bytes
    Please help!!!!!
     
  7. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload the following files to VirusTotal - Free Online Virus and Malware Scan for a security check:
    c:\windows\system32\drivers\ndis.sys
    c:\windows\system32\dllcache\ndis.sys
    c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
    Post scan results.
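The three copies can also be cross-checked against each other from the hash and size lines the logs in this thread already contain. This is an added example written for this thread (not code from SystemLook, ComboFix or the forum); it parses both tools' line formats, flags one MD5 reported at several sizes (which should not happen for identical content, so a tool or a filter driver is reporting inconsistently) and flags any copy whose hash differs from the dllcache (Windows File Protection) copy. The `C:\temp\ndis.sys` line and its all-zero MD5 are constructed placeholders:

```python
"""Cross-check copies of a protected system file (ndis.sys here) from the
hash/size lines printed by SystemLook and by ComboFix's Sigcheck section.
Added example, not code from either tool."""
import hashlib
import os
import re
from collections import defaultdict

# SystemLook:  <path> <6 attr chars> <size> bytes [<mtime>] [<ctime>] <MD5>
SYSTEMLOOK_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+\S{6}\s+(?P<size>\d+)\s+bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# ComboFix Sigcheck:  [<flag>] <date> . <MD5> . <size> . . [<version>] . . <path>
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+\S+\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_records(lines):
    """Turn log lines in either format into dicts; unrelated lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        m = SYSTEMLOOK_RE.match(line)
        if m:
            records.append({"source": "systemlook", "path": m["path"],
                            "size": int(m["size"]), "md5": m["md5"].upper()})
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            records.append({"source": "sigcheck", "path": m["path"], "flag": m["flag"],
                            "size": int(m["size"]), "md5": m["md5"].upper()})
    return records


def record_from_disk(path):
    """Build the same kind of record from a live file, to re-check a copy on the box."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"source": "disk", "path": path,
            "size": os.path.getsize(path), "md5": h.hexdigest().upper()}


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def find_inconsistencies(records):
    """Return {'size_conflicts': {md5: [sizes]}, 'differs_from_dllcache': [paths]}."""
    sizes_by_md5 = defaultdict(set)
    for r in records:
        sizes_by_md5[r["md5"]].add(r["size"])
    size_conflicts = {md5: sorted(s) for md5, s in sizes_by_md5.items() if len(s) > 1}

    # The dllcache copy is the Windows File Protection reference for each file name.
    reference = {}
    for r in records:
        if "\\dllcache\\" in r["path"].lower():
            reference[_basename(r["path"])] = r["md5"]
    differs = {r["path"] for r in records
               if _basename(r["path"]) in reference
               and r["md5"] != reference[_basename(r["path"])]}
    return {"size_conflicts": size_conflicts,
            "differs_from_dllcache": sorted(differs)}


# Lines copied from the thread's SystemLook and ComboFix logs, plus one
# constructed SystemLook line (C:\temp, all-zero placeholder MD5) for an extra copy.
SAMPLE_LINES = r"""
Searching for "ndis.sys"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --a--- 182912 bytes [19:20 13/04/2008] [19:20 13/04/2008] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\dllcache\ndis.sys --a--c 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
C:\WINDOWS\system32\drivers\ndis.sys --a--- 182912 bytes [17:44 03/08/2004] [10:04 19/02/2010] 558635D3AF1C7546D26067D5D9B6959E
------- Sigcheck -------
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-02-19 . 558635D3AF1C7546D26067D5D9B6959E . 212736 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 558635D3AF1C7546D26067D5D9B6959E . 182656 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
C:\temp\ndis.sys --a--- 182912 bytes [00:00 01/01/2010] [00:00 01/01/2010] 00000000000000000000000000000000
""".strip().splitlines()


if __name__ == "__main__":
    for key, value in find_inconsistencies(parse_records(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

On the thread's own lines the single MD5 comes back at three different sizes, which is the kind of contradiction worth resolving before trusting any scanner verdict on the file.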
     
  8. Taurian

    Taurian Techie7 New Member

    I am unable to upload the files; the server is getting disconnected. I tried many times. Please suggest.
     
  9. broni

    broni Malware Annihilator Techie7 Moderator Head Security

  10. Taurian

    Taurian Techie7 New Member

    The scan result of drivers/ndis.sys
    This file has been scanned before. The results for this previous scan are listed below.

    --------------------------------------------------------------------------------

    Filename: ndis.sys
    Status: Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Tue 2 Mar 2010 12:06:18 (CET)
    =========================================================================================
    I shall send the results of the others shortly.
    My net connection has become very slow (it used to be 230kbps; now it's going down to 100bps).
     
  11. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Disregard the above. I want you to scan YOUR file anyway.
     
  12. Taurian

    Taurian Techie7 New Member

    Scan result of c:\windows\system32\drivers\ndis.sys

    --------------------------------------------------------------------------------

    Filename: ndis.sys
    Status: Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Tue 2 Mar 2010 12:06:18 (CET)
    =========================================================================================

    --------------------------------------------------------------------------------

    Scan result of c:\windows\system32\dllcache\ndis.sys

    --------------------------------------------------------------------------------

    Filename: ndis.sys
    Status: Scan finished. 0 out of 20 scanners reported malware.
    Scan taken on: Tue 2 Mar 2010 12:06:18 (CET)

    --------------------------------------------------------------------------------
    Additional info
    File size: 182912 bytes
    Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5: 558635d3af1c7546d26067d5d9b6959e
    SHA1: de08d6d587fe19ce3c61a1cf3773158df212dbe8

    ==========================================================
    Unable to locate the ndis file in SoftwareDistribution.
     
  13. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Good :)

    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  14. Taurian

    Taurian Techie7 New Member

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    ======================================
     
  15. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ============================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  16. Taurian

    Taurian Techie7 New Member

    Hi, my scan results:
    Malwarebytes' Anti-Malware 1.44
    Database version: 3852
    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    3/11/2010 7:33:32 PM
    mbam-log-2010-03-11 (19-33-32).txt

    Scan type: Quick Scan
    Objects scanned: 126854
    Time elapsed: 4 minute(s), 59 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    =======================================
    hjt results in safe mode

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:42:09 PM, on 3/11/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.106.24.73:8080
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

    --
    End of file - 4703 bytes
    =====================================================
     
  17. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on the Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:


    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  18. Taurian

    Taurian Techie7 New Member

    Kaspersky is asking for Java 1.5, can I download it?
     
  19. broni

    broni Malware Annihilator Techie7 Moderator Head Security

    Verify your Java version here: Verify Java Version
    Update, if necessary.
    Uninstall all previous Java versions, through Add/Remove (Programs & Features in Vista).
     
  20. Taurian

    Taurian Techie7 New Member

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Saturday, March 13, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Friday, March 12, 2010 22:48:45
    Records in database: 3783152
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 47568
    Threats found: 1
    Infected objects found: 2
    Suspicious objects found: 0
    Scan duration: 02:01:41


    File name / Threat / Threats count
    D:\Software\RF Softwares\ZXPOS CNT1_V6.00.30.0618 Beta1_Upgrade Setup(Eng).exe Infected: Backdoor.Win32.Hupigon.bgj 2

    Selected area has been scanned.
    ====================================================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:42:30 PM, on 3/13/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! UK & Ireland
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101699&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! UK & Ireland
    R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SifyBB] C:\Program Files\Sify Broadband\BBImpSec.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E0E4205C-67BD-435C-A710-17714B68F95B}: NameServer = 10.106.24.70,10.108.5.26
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPBOID.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
    O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe

    --
    End of file - 4967 bytes
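The HijackThis logs in this thread are read by eye. As an added example that is not part of the thread, here is a short Python triage helper that parses lines in the same R/O entry format and groups the items a helper looks at first: orphaned entries whose file is gone ("(no file)", "(file missing)"), and the proxy and O17 NameServer settings that should match what the user's network actually uses. The sample lines are constructed in the format of the logs above; the bucket names are this example's own.

```python
import re

# Added example (not from the thread): a small triage helper for
# HijackThis v2.0.2 log lines. It only groups entries for review;
# it does not decide whether anything is malicious.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 10.106.24.73:8080
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{707F8B9E-49F8-494B-880D-D9382630DE1E}: NameServer = 202.144.105.4,202.144.10.50
O23 - Service: LiveUpdate - Unknown owner - C:\\PROGRA~1\\Symantec\\LIVEUP~1\\LUCOMS~1.EXE (file missing)
"""


def parse_entries(log_text):
    """Return (code, body) tuples for every HJT entry line; header and
    process-list lines do not match the pattern and are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Group entries into the three review buckets described above."""
    findings = {"orphaned": [], "proxy": [], "nameserver": []}
    for code, body in parse_entries(log_text):
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            # Registry points at a file that no longer exists: leftover
            # of a removed program or of a cleaned infection.
            findings["orphaned"].append(f"{code} - {body}")
        elif code == "R1" and "ProxyServer" in body:
            findings["proxy"].append(body.split("=", 1)[1].strip())
        elif code == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[1].strip().split(",")
            findings["nameserver"].extend(s.strip() for s in servers)
    return findings


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```

A proxy or DNS server that the user does not recognise is worth asking about; in this thread both belong to the ISP, which is why broni left them alone.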