Free Malware Removal Forum

[EsaVirtanen]

Hi

My problem is the two rootkit files which send spam from my frends computer.
ipsecdis.sys and ntndis.sys.
I drowe Compofix and Malwarebytes Antimalware programs several times.
They bopth can find the files but are unable to remove then.

Here is my Hijackthis.log file


Esa

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:28:03, on 19.5.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\GtDetectSc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\CAP3RSK.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CAP3SWK.EXE
C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/foxit?o=101702&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [CAP3ON] C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3ONN.EXE
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
O4 - Global Startup: Canon LASER SHOT LBP-1120 - Tilaikkuna.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAP3LAK.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = punahonka.local
O17 - HKLM\Software\..\Telephony: DomainName = punahonka.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = punahonka.local
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: video/x-flv - {08C72DD4-19AD-49f1-83DA-8542B4D302C5} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Loogisen levyn hallinnan valvontapalvelu (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Tapahtumaloki (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GT Detect (GtDetectSc) - OptionNV - C:\WINDOWS\system32\GtDetectSc.exe
O23 - Service: CD-levyjen kirjoittamisen IMAPI COM -palvelu (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Etätyöpöydän ohjeen istunnonhallinta (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Älykortti (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Aseman tilannevedos (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: WMI resurssisovitin (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Windows Media Playerin verkkojakamispalvelu (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe

--
End of file - 7312 bytes

[MWR 3 day Mod]

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

[askey127]

EsaVirtanen,
I suspect there a couple reasons no one has answered this post.
One is that you have a non-English version of Windows.
I am willing to attempt helping you clean this machine, but I may not be successful, since I may not understand all the entries produced by the scanners, and we may have some tools that do not work properly on this machine.

The second reason for a reluctance to respond by our helpers is that Combofix was run by an untrained person, and there is no way to tell what changes have been made.
This can easily damage the system beyond repair, and lead to ultimate failure in "fixing" the machine.

If you still wish to receive help and are not receiving it elsewhere, please proceed as follows:

To begin, please tell me about the "punahonka.local" network.

-----------------------------------------------------------
Remove Registry items with HighjackThis. Start HijackThis.
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://today.ask.com/foxit?o=101702&l=dis
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Advanced SystemCare 3

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it.
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.

askey127

[EsaVirtanen]

Hi

Thanks for helping Me with my problem.
Yes, Finnish is a problem.
I just run the Compofix, didn't do any chanses to the system.
PUNAHONKA.local is Our companys network. It's Win 2003 Small bunisnes
server and we are having about 15 computers in the network. But any other
computer is not infected, just that one I'm trying to clean.

I made all Your proposals, just I took first away the ASC and then run the HiJackThis etc.
Here is the uninstall file.

Esa

2007 Office Systemin yhteensopivuuspaketti
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
ALPS Touch Pad Driver
Canon LASER SHOT LBP-1120
CCleaner
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CutePDF Writer 2.6
DWG TrueView 2008
Foxit Reader
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix-päivitys Windows XP:lle (KB979306)
Hotkey 1.0.4
Java(TM) 6 Update 19
Java(TM) 6 Update 6
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 SR-1 Professional
Mozilla Firefox (3.0.14)
Mozilla Thunderbird (2.0.0.24)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
Multi Word Translator
Nokia Connectivity Cable Driver
Nokia PC Suite
OpenOffice.org Installer 1.0
Profin Hinnasto
Päivitys Windows Internet Explorer 8:lle (KB971930)
Päivitys Windows Internet Explorer 8:lle (KB976662)
Päivitys Windows Internet Explorer 8:lle (KB976749)
Päivitys Windows Internet Explorer 8:lle (KB980182)
QuickTime
Skype™ 4.2
Soft Data Fax Modem with SmartCP
Sonic CinePlayer DVD Pack
Sonic UDF Reader
Sony Picture Utility
Suojauspäivitys Windows Internet Explorer 7:lle (KB938127)
Suojauspäivitys Windows Internet Explorer 7:lle (KB938127-v2)
Suojauspäivitys Windows Internet Explorer 7:lle (KB956390)
Suojauspäivitys Windows Internet Explorer 7:lle (KB958215)
Suojauspäivitys Windows Internet Explorer 7:lle (KB960714)
Suojauspäivitys Windows Internet Explorer 7:lle (KB961260)
Suojauspäivitys Windows Internet Explorer 7:lle (KB963027)
Suojauspäivitys Windows Internet Explorer 7:lle (KB969897)
Suojauspäivitys Windows Internet Explorer 8:lle (KB969897)
Suojauspäivitys Windows Internet Explorer 8:lle (KB971961)
Suojauspäivitys Windows Internet Explorer 8:lle (KB972260)
Suojauspäivitys Windows Internet Explorer 8:lle (KB974455)
Suojauspäivitys Windows Internet Explorer 8:lle (KB976325)
Suojauspäivitys Windows Internet Explorer 8:lle (KB978207)
Suojauspäivitys Windows Internet Explorer 8:lle (KB981332)
Suojauspäivitys Windows XP:lle (KB923789)
Suojauspäivitys Windows XP:lle (KB971468)
Suojauspäivitys Windows XP:lle (KB975560)
Suojauspäivitys Windows XP:lle (KB975561)
Suojauspäivitys Windows XP:lle (KB975713)
Suojauspäivitys Windows XP:lle (KB977165)
Suojauspäivitys Windows XP:lle (KB977816)
Suojauspäivitys Windows XP:lle (KB977914)
Suojauspäivitys Windows XP:lle (KB978037)
Suojauspäivitys Windows XP:lle (KB978251)
Suojauspäivitys Windows XP:lle (KB978262)
Suojauspäivitys Windows XP:lle (KB978338)
Suojauspäivitys Windows XP:lle (KB978542)
Suojauspäivitys Windows XP:lle (KB978601)
Suojauspäivitys Windows XP:lle (KB978706)
Suojauspäivitys Windows XP:lle (KB979309)
Suojauspäivitys Windows XP:lle (KB979683)
Suojauspäivitys Windows XP:lle (KB980232)
Symantec AntiVirus
TeamViewer
TreeSize Free V2.3.3
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VIA Ohjelmistoalustan laitehallinta
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver 6.14.10.0078
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Wireless LAN Driver Installation Program

[askey127]

This computer is a business computer, or a computer that is used for business, and it is part of a domain as well. As such, it may very likely have been connected to the domain's network while infected, thereby presenting a risk to other computers connected to that same network.

The online anti-malware community primarily serves home users, and is therefore not ideally suited to deal with situations that are best handled by a company's own IT department, or a commercial PC Security/Repair service. All companies have their own set of policies and procedures for handling situations like this, all of which are beyond our sphere of knowledge. Therefore, as this computer has been identified as infected, you are advised to immediately seek the assistance of your company's IT department or commercial PC Security/Repair service, so they may implement their preferred method for handling this situation.

In addition, there are data protection laws in many countries. If the machine is suspected of being "owned" or taken over by an outside force, and it has sensitive data stored on it, that could well be a reportable incident under data protection laws. For instance, it is possible that a machine could have credit card data, or other equally sensitive data, for customers of a business that would now be compromised.

As this issue involves either a company owned machine or a machine that is used for business purposes, it falls outside the scope of this forum. Therefore, this topic is now closed.