Rootkit.Agent: ntndis.sys & ipsecndis.sys

Post by TAGScorpioN » August 5th, 2010, 3:44 am

Malwarebytes found two rootkit agents on my computer which it can't remove:

C:\WINDOWS\system32\ipsecndis.sys (Rootkit.Agent) -> Delete on reboot.

C:\WINDOWS\system32\Drivers\ntndis.sys (Rootkit.Agent) -> Delete on reboot.


I found a topic about the same rootkit explaining these rootkits can be very dangerous because they log your keystrokes to gain access to passwords. That user was advised to run ComboFix and I went ahead and used it too. It seemed to work at first because it finds the rootkits and removes them, but after a reboot they still come back. It also found something else in my registry called "yujzoy".

The log from ComboFix is below, I hope somebody can advise me what to do.


ComboFix 10-08-04.04 - Alarik 08/05/2010 2:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1680 [GMT 2:00]
Running from: c:\documents and settings\Alarik\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.

2010-08-05 00:26 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-05 00:26 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-05 00:26 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-05 00:26 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-05 00:26 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-05 00:26 . 2010-08-05 00:26 -------- d-----w- c:\program files\Alwil Software
2010-08-05 00:24 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-05 00:24 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-08-05 00:24 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-08-05 00:24 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-08-04 22:05 . 2010-08-04 22:05 -------- d-----w- c:\documents and settings\Alarik\Application Data\Malwarebytes
2010-08-04 22:05 . 2010-08-04 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-04 22:05 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-04 22:05 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-04 21:45 . 2010-08-04 21:45 -------- d-----w- c:\program files\Enigma Software Group
2010-08-04 21:45 . 2010-08-04 22:14 -------- d-----w- c:\windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-08-04 19:27 . 2010-08-04 19:27 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-08-04 16:10 . 2010-08-04 23:07 -------- d-----w- c:\documents and settings\Alarik\Local Settings\Application Data\laplcfpwd
2010-08-04 16:10 . 2010-08-05 00:41 782848 ----a-w- c:\windows\system32\drivers\yujzoy.sys
2010-08-04 16:10 . 2010-08-04 23:07 -------- d-----w- c:\documents and settings\Alarik\Application Data\53399CEEF270C1B17EF4072D7E3A217F
2010-07-30 14:35 . 2010-07-30 14:35 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-07-30 14:35 . 2010-07-30 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-07-30 14:35 . 2010-07-30 14:35 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-07-30 14:35 . 2010-07-30 14:35 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-07-30 14:35 . 2010-07-30 14:36 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-30 14:34 . 2010-07-09 22:38 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-07-30 14:34 . 2010-07-09 22:38 2914408 ----a-w- c:\windows\system32\nvcuvid.dll
2010-07-30 14:34 . 2010-07-09 22:38 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-07-30 14:34 . 2010-07-09 22:38 2195030 ----a-w- c:\windows\system32\nvdata.bin
2010-07-30 14:34 . 2010-07-09 22:38 10260480 ----a-w- c:\windows\system32\nvcompiler.dll
2010-07-30 14:28 . 2010-07-30 14:40 47364 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-07-30 14:14 . 2010-07-30 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-30 10:15 . 2010-07-30 14:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-25 08:10 . 2010-07-25 08:10 -------- d-----w- c:\documents and settings\Alarik\Application Data\AVS4YOU
2010-07-25 08:10 . 2010-07-25 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-07-25 08:10 . 2010-08-04 22:45 -------- d-----w- c:\program files\AVS4YOU
2010-07-25 08:10 . 2010-08-04 22:45 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-07-25 08:10 . 2008-08-13 09:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-07-25 08:10 . 2008-08-13 09:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-07-25 08:10 . 2008-08-13 09:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 00:26 . 2010-02-11 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-08-05 00:12 . 2009-02-28 17:39 -------- d-----w- c:\documents and settings\Alarik\Application Data\uTorrent
2010-08-04 22:16 . 2008-06-04 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 21:44 . 2007-09-11 13:34 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-08-04 16:14 . 2004-08-03 22:14 211072 -c--a-w- c:\windows\system32\drivers\ndis.sys
2010-08-01 17:49 . 2009-11-26 17:29 -------- d-----w- c:\documents and settings\Alarik\Application Data\vlc
2010-07-24 09:37 . 2010-04-05 06:41 -------- d-----w- c:\program files\uTorrent
2010-07-09 22:38 . 2008-08-31 17:01 604776 ----a-w- c:\windows\system32\nvudisp.exe
2010-07-09 22:38 . 2008-05-16 12:01 4595712 ----a-w- c:\windows\system32\nvcuda.dll
2010-07-09 22:38 . 2008-05-16 12:01 236136 ----a-w- c:\windows\system32\nvcodins.dll
2010-07-09 22:38 . 2008-05-16 12:01 236136 ----a-w- c:\windows\system32\nvcod.dll
2010-07-09 22:38 . 2008-05-16 12:01 1388544 ----a-w- c:\windows\system32\nvapi.dll
2010-07-09 22:38 . 2008-05-16 12:01 13549568 ----a-w- c:\windows\system32\nvoglnt.dll
2010-07-09 22:38 . 2007-04-20 04:05 6343040 ----a-w- c:\windows\system32\nv4_disp.dll
2010-07-09 22:38 . 2007-04-20 04:05 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2010-07-07 11:46 . 2008-08-31 17:01 604776 ----a-w- c:\windows\system32\NVUNINST.EXE
2010-07-03 09:43 . 2010-07-03 09:43 -------- d-----w- c:\program files\AviSynth 2.5
2010-07-03 09:32 . 2010-07-03 09:32 -------- d-----w- c:\documents and settings\Alarik\Application Data\AnvSoft
2010-05-22 12:33 . 2010-05-22 12:33 503808 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\msvcp71.dll
2010-05-22 12:33 . 2010-05-22 12:33 499712 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\jmc.dll
2010-05-22 12:33 . 2010-05-22 12:33 348160 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-2bc8835d-n\msvcr71.dll
2010-05-22 12:33 . 2010-05-22 12:33 61440 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b784064-n\decora-sse.dll
2010-05-22 12:33 . 2010-05-22 12:33 12800 ----a-w- c:\documents and settings\Alarik\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6b784064-n\decora-d3d.dll
2010-05-15 20:39 . 2010-05-15 20:39 2095 ----a-w- c:\documents and settings\Alarik\Application Data\.purple\certificates\x509\tls_peers\login.live.com
.

------- Sigcheck -------

[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-08-05_00.05.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 22:02 . 2009-07-11 22:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2010-08-05 00:39 . 2010-08-05 00:39 16384 c:\windows\Temp\Perflib_Perfdata_43c.dat
+ 2010-08-05 00:39 . 2010-08-05 00:39 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
- 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
- 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-11 22:05 . 2009-07-11 22:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
- 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2009-07-11 22:02 . 2009-07-11 22:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 11:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\k:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Shortcut to AlwaysOnTopMaker.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Shortcut to AlwaysOnTopMaker.lnk
backup=c:\windows\pss\Shortcut to AlwaysOnTopMaker.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alarik^Start Menu^Programs^Startup^Shortcut to rbtray.lnk]
path=c:\documents and settings\Alarik\Start Menu\Programs\Startup\Shortcut to rbtray.lnk
backup=c:\windows\pss\Shortcut to rbtray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2006-11-16 09:05 1953792 ----a-r- c:\windows\system32\JMRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- e:\adobe reader\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2007-01-11 21:39 1423360 ----a-w- e:\asus\AI Suite\AiNap\AiNap.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
2006-12-29 01:54 363008 -c--a-r- c:\program files\ASUS\AASP\1.00.24\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-02-05 21:26 75048 ------w- c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-03 23:56 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FinePrint Dispatcher v5]
2007-06-30 14:42 499712 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\fpdisp5a.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-05-03 08:01 133104 ----atw- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-05-11 09:47 151552 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-25 23:10 142120 ----a-w- e:\itunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2006-10-30 12:44 36864 -c----r- c:\windows\JM\JMInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launch PC Probe II]
2007-01-05 15:36 2129920 ----a-w- e:\asus\PC Probe II\Probe2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 10:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-07-09 14:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
2007-07-03 10:32 81920 ----a-w- e:\ntune\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-07-09 14:24 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2007-08-07 00:05 200704 ----a-w- e:\poweriso\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 19:53 421888 ----a-w- e:\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 -c--a-w- c:\program files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- e:\tomtom home 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-07-24 09:26 327472 ----a-w- E:\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 18:05 204288 -c--a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Supreme Commander\\Supreme Commander\\bin\\SupremeCommander.exe"=
"e:\\SiSoftware Sandra Professional Business XII\\Win32\\RpcDataSrv.exe"=
"e:\\SiSoftware Sandra Professional Business XII\\RpcSandraSrv.exe"=
"e:\\Fear\\FEAR.exe"=
"e:\\Supreme Commander\\Forged Alliance\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"e:\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"e:\\CoD4\\iw3mp.exe"=
"e:\\uTorrent.exe"=
"e:\\Mass Effect\\Binaries\\MassEffect.exe"=
"e:\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/5/2010 02:26 165456]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [3/10/2010 22:49 10384]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\system32\drivers\Scutum50.sys [4/10/2010 20:55 19072]
R2 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [11/13/2009 13:31 92008]
S2 aswFsBlk;aswFsBlk;aswFsBlk.sys --> aswFsBlk.sys [?]
S2 drltbgtk;Bluetooth Radio USB Support;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 01:56 14336]
S2 gupdate1c9d9f02cc2ff08;Google Update Service (gupdate1c9d9f02cc2ff08);c:\program files\Google\Update\GoogleUpdate.exe [5/21/2009 10:43 133104]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;\??\c:\docume~1\Alarik\LOCALS~1\Temp\TCCpuInfo.sys --> c:\docume~1\Alarik\LOCALS~1\Temp\TCCpuInfo.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/23/2007 21:19 639224]

--- Other Services/Drivers In Memory ---

*Deregistered* - yujzoy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
drltbgtk
.
Contents of the 'Scheduled Tasks' folder

2010-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

2010-08-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 08:43]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 08:43]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1214440339-725345543-1003Core.job
- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 08:01]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1214440339-725345543-1003UA.job
- c:\documents and settings\Alarik\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-03 08:01]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - e:\micros~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Alarik\Application Data\Mozilla\Firefox\Profiles\vcullzh8.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox ... S:official

---- FIREFOX POLICIES ----
// Last value in milliseconds (default is 250)
FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: content.notify.ontimer - true
FF - user.js: content.notify.interval - 100
FF - user.js: content.notify.backoffcount - 200
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.max-connections - 60
FF - user.js: network.http.max-connections-per-server - 32
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: nglayout.initialpaint.delay - 0.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yujzoy]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1214440339-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f2,d6,11,e9,2a,45,7c,69,d6,e9,83,18,30,3a,d2,1e,4b,fd,82,27,c2,53,d0,
32,a3,c6,51,21,79,20,bc,8b,c4,19,5a,b8,6e,84,2b,03,1c,2a,2f,70,23,a8,ec,83,\
"??"=hex:ad,67,88,63,89,a2,a9,d1,0e,ea,92,15,89,e2,aa,07
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-08-05 02:41:54
ComboFix-quarantined-files.txt 2010-08-05 00:41
ComboFix2.txt 2010-08-05 00:14
ComboFix3.txt 2010-08-05 00:06

Pre-Run: 2,060,931,072 bytes free
Post-Run: 2,160,308,224 bytes free

- - End Of File - - BA319FCA0FA0A2CB4E40BB36FA17CB04
TAGScorpioN
Active Member
 
Posts: 10
Joined: August 5th, 2010, 3:43 am
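The posted log carries its evidence in three places: the Sigcheck section (both ndis.sys and its dllcache copy fail the check and share one MD5), the Files Created section (a 782848-byte yujzoy.sys appears in system32\drivers on the same day), and the services section (yujzoy is listed as *Deregistered* and later as a hidden Services key). The script below is an added triage example, not part of TAGScorpioN's post and not a ComboFix component: it parses those three sections from a constructed sample whose lines mirror the posted log, and cross-references them so the matching is done by the tool rather than by eye. The regular expressions are assumptions about the ComboFix line formats as they appear above, and the severity labels are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: a handful of lines shaped like the ComboFix sections in the
# post above (Files Created, Sigcheck, services in memory, hidden Services key).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-07-05 to 2010-08-05 )))))))))))))))))))))))))))))))
.
2010-08-05 00:26 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-04 16:10 . 2010-08-05 00:41 782848 ----a-w- c:\windows\system32\drivers\yujzoy.sys
2010-08-04 16:10 . 2010-08-04 23:07 -------- d-----w- c:\documents and settings\Alarik\Application Data\53399CEEF270C1B17EF4072D7E3A217F
.
------- Sigcheck -------

[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-08-04 16:14 . 15F08B567A07E81E6C2843498FF9052E . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
.
--- Other Services/Drivers In Memory ---

*Deregistered* - yujzoy

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\yujzoy]
"""

# Line formats assumed from the log above (ComboFix does not document them).
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+?])\] \S+ \S+ \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) "
    r"\. \. \[[^\]]*\] \. \. (?P<path>.+)$")
DEREG_RE = re.compile(r"^\*Deregistered\* - (?P<name>\S+)$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
HEX_DIRNAME_RE = re.compile(r"^[0-9A-F]{32}$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (labels chosen for this example)
    path: str
    reason: str


def triage(log: str) -> List[Finding]:
    """Parse a ComboFix log and return cross-referenced findings."""
    created: List[Dict[str, str]] = []
    sigfail: List[Dict[str, str]] = []
    services: Set[str] = set()  # names seen as *Deregistered* or as a Services key
    for raw in log.splitlines():
        line = raw.strip()
        if m := CREATED_RE.match(line):
            created.append(m.groupdict())
        elif m := SIGCHECK_RE.match(line):
            if m["flag"] == "-":
                sigfail.append(m.groupdict())
        elif m := DEREG_RE.match(line):
            services.add(m["name"].lower())
        elif m := SERVICE_KEY_RE.match(line):
            services.add(m["name"].lower())

    findings: List[Finding] = []

    # 1. Sigcheck failures. If the live system file and its dllcache copy share
    #    one MD5, Windows File Protection would only "restore" the same modified
    #    file, which is why a clean copy has to come from install media.
    by_md5: Dict[str, List[str]] = {}
    for s in sigfail:
        by_md5.setdefault(s["md5"].upper(), []).append(s["path"].lower())
    for md5, paths in by_md5.items():
        cached = any("\\dllcache\\" in p for p in paths)
        live = any("\\dllcache\\" not in p for p in paths)
        for p in paths:
            reason = f"Sigcheck failed (MD5 {md5})"
            if cached and live:
                reason += "; live file and dllcache copy share the hash, WFP cannot restore a clean copy"
            findings.append(Finding("high", p, reason))

    # 2. Newly created drivers whose basename matches a deregistered or hidden
    #    service, plus random-looking 32-hex-digit directories.
    for c in created:
        path = c["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        if path.endswith(".sys") and "\\drivers\\" in path:
            stem = base[:-4]
            if stem in services:
                findings.append(Finding(
                    "high", path, f"new driver backed by deregistered/hidden service '{stem}'"))
        elif c["attrs"].startswith("d") and HEX_DIRNAME_RE.match(base.upper()):
            findings.append(Finding(
                "medium", path, "new directory with a 32-hex-digit random-looking name"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Run against the sample it reports four findings: two high for the ndis.sys pair (with the dllcache note), one high for yujzoy.sys tied to the yujzoy service, and one medium for the hex-named Application Data directory. The anti-virus driver aswTdi.sys, also created in the window, is not flagged because nothing else in the log refers to it; the point of the cross-reference is that a recent driver by itself is not evidence, a recent driver plus a hidden service of the same name is.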

Re: Rootkit.Agent: ntndis.sys & ipsecndis.sys

Post by NonSuch » August 5th, 2010, 4:45 pm

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems as well.

In order for us to help you it is necessary that you provide us with a HijackThis log.

Please take the time to familiarize yourself with our forum rules. Follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: >Guideline for posting your HijackThis log<
NonSuch
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California
