Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

gernuwa.sys

Post by gerhard84 » October 28th, 2008, 5:01 am

Hi everyone,

We have this PC at work that does not want to go onto the internet. If I use the IP address of the site it goes in. So I think the DNS is not working. I have checked everything and all seems fine. I have asked the technician at the branch to run ComboFix for me and I will post the log file here as soon as he has mailed it to me. Am I on the right track, or is there something that I must try first?

Thanks GG


ComboFix 08-10-27.03 - Cecile Clegg 2008-10-28 11:03:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1493 [GMT 2:00]
Running from: C:\DOCUME~1\Cecile\LOCALS~1\Temp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_004886_.tmp.dll
C:\WINDOWS\system32\_004887_.tmp.dll
C:\WINDOWS\system32\_004888_.tmp.dll
C:\WINDOWS\system32\_004889_.tmp.dll
C:\WINDOWS\system32\_004895_.tmp.dll
C:\WINDOWS\system32\_004896_.tmp.dll
C:\WINDOWS\system32\_004897_.tmp.dll
C:\WINDOWS\system32\_004898_.tmp.dll
C:\WINDOWS\system32\_004899_.tmp.dll
C:\WINDOWS\system32\_004900_.tmp.dll
C:\WINDOWS\system32\_004901_.tmp.dll
C:\WINDOWS\system32\_004902_.tmp.dll
C:\WINDOWS\system32\_004903_.tmp.dll
C:\WINDOWS\system32\_004904_.tmp.dll
C:\WINDOWS\system32\_004905_.tmp.dll
C:\WINDOWS\system32\_004907_.tmp.dll
C:\WINDOWS\system32\_004908_.tmp.dll
C:\WINDOWS\system32\_004909_.tmp.dll
C:\WINDOWS\system32\_004911_.tmp.dll
C:\WINDOWS\system32\_004912_.tmp.dll
C:\WINDOWS\system32\_004914_.tmp.dll
C:\WINDOWS\system32\_004915_.tmp.dll
C:\WINDOWS\system32\_004919_.tmp.dll
C:\WINDOWS\system32\_004920_.tmp.dll
C:\WINDOWS\system32\_004921_.tmp.dll
C:\WINDOWS\system32\_004922_.tmp.dll
C:\WINDOWS\system32\_004923_.tmp.dll
C:\WINDOWS\system32\_004924_.tmp.dll
C:\WINDOWS\system32\_004925_.tmp.dll
C:\WINDOWS\system32\_004926_.tmp.dll
C:\WINDOWS\system32\_004927_.tmp.dll
C:\WINDOWS\system32\_004928_.tmp.dll
C:\WINDOWS\system32\_004929_.tmp.dll
C:\WINDOWS\system32\_004930_.tmp.dll
C:\WINDOWS\system32\_004932_.tmp.dll
C:\WINDOWS\system32\_004933_.tmp.dll
C:\WINDOWS\system32\_004934_.tmp.dll
C:\WINDOWS\system32\_004935_.tmp.dll
C:\WINDOWS\system32\_004936_.tmp.dll
C:\WINDOWS\system32\_004937_.tmp.dll
C:\WINDOWS\system32\_004938_.tmp.dll
C:\WINDOWS\system32\_004941_.tmp.dll
C:\WINDOWS\system32\_004942_.tmp.dll
C:\WINDOWS\system32\_004943_.tmp.dll
C:\WINDOWS\system32\_004944_.tmp.dll
C:\WINDOWS\system32\_004945_.tmp.dll
C:\WINDOWS\system32\_004947_.tmp.dll
C:\WINDOWS\system32\_004948_.tmp.dll
C:\WINDOWS\system32\_004949_.tmp.dll
C:\WINDOWS\system32\_004951_.tmp.dll
C:\WINDOWS\system32\_004952_.tmp.dll
C:\WINDOWS\system32\_004954_.tmp.dll
C:\WINDOWS\system32\_004955_.tmp.dll
C:\WINDOWS\system32\_004959_.tmp.dll
C:\WINDOWS\system32\_004960_.tmp.dll
C:\WINDOWS\system32\_004962_.tmp.dll
C:\WINDOWS\system32\_004964_.tmp.dll
C:\WINDOWS\system32\_004965_.tmp.dll
C:\WINDOWS\system32\_004967_.tmp.dll
C:\WINDOWS\system32\_004968_.tmp.dll
C:\WINDOWS\system32\_004969_.tmp.dll
C:\WINDOWS\system32\_004970_.tmp.dll
C:\WINDOWS\system32\_004973_.tmp.dll
C:\WINDOWS\system32\_004974_.tmp.dll
C:\WINDOWS\system32\_004975_.tmp.dll
C:\WINDOWS\system32\_004976_.tmp.dll
C:\WINDOWS\system32\_004977_.tmp.dll
C:\WINDOWS\system32\_004982_.tmp.dll
C:\WINDOWS\system32\_004984_.tmp.dll
C:\WINDOWS\system32\_008109_.tmp.dll
C:\WINDOWS\system32\_008110_.tmp.dll
C:\WINDOWS\system32\_008111_.tmp.dll
C:\WINDOWS\system32\_008112_.tmp.dll
C:\WINDOWS\system32\_008119_.tmp.dll
C:\WINDOWS\system32\_008120_.tmp.dll
C:\WINDOWS\system32\_008121_.tmp.dll
C:\WINDOWS\system32\_008123_.tmp.dll
C:\WINDOWS\system32\_008124_.tmp.dll
C:\WINDOWS\system32\_008127_.tmp.dll
C:\WINDOWS\system32\_008128_.tmp.dll
C:\WINDOWS\system32\_008130_.tmp.dll
C:\WINDOWS\system32\_008131_.tmp.dll
C:\WINDOWS\system32\_008132_.tmp.dll
C:\WINDOWS\system32\_008134_.tmp.dll
C:\WINDOWS\system32\_008135_.tmp.dll
C:\WINDOWS\system32\_008137_.tmp.dll
C:\WINDOWS\system32\_008138_.tmp.dll
C:\WINDOWS\system32\_008140_.tmp.dll
C:\WINDOWS\system32\_008142_.tmp.dll
C:\WINDOWS\system32\_008143_.tmp.dll
C:\WINDOWS\system32\_008145_.tmp.dll
C:\WINDOWS\system32\_008147_.tmp.dll
C:\WINDOWS\system32\_008148_.tmp.dll
C:\WINDOWS\system32\_008150_.tmp.dll
C:\WINDOWS\system32\_008151_.tmp.dll
C:\WINDOWS\system32\_008152_.tmp.dll
C:\WINDOWS\system32\_008153_.tmp.dll
C:\WINDOWS\system32\_008156_.tmp.dll
C:\WINDOWS\system32\_008157_.tmp.dll
C:\WINDOWS\system32\_008158_.tmp.dll
C:\WINDOWS\system32\_008159_.tmp.dll
C:\WINDOWS\system32\_008160_.tmp.dll
C:\WINDOWS\system32\_008165_.tmp.dll
C:\WINDOWS\system32\_008167_.tmp.dll
C:\WINDOWS\system32\_008168_.tmp.dll
C:\WINDOWS\system32\Cache
E:\RECYCLER\desktop.ini
E:\RECYCLER\U.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.

2008-10-28 10:27 . 2008-10-28 10:27 0 --a------ C:\WINDOWS\nsreg.dat
2008-10-22 14:22 . 2008-10-22 14:22 <DIR> d-------- C:\3rdManual
2008-10-22 14:19 . 2008-10-13 09:12 142,168,108 --a------ C:\3rdManual.zip
2008-10-15 11:55 . 2008-10-28 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-15 11:55 . 2008-10-15 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-15 10:35 . 2008-10-15 10:35 <DIR> d-------- C:\Documents and Settings\Cecile\Application Data\GlarySoft
2008-10-15 10:34 . 2008-10-28 10:40 <DIR> d-------- C:\Program Files\Registry Repair
2008-10-15 10:26 . 2008-10-28 10:42 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2008-10-12 09:51 . 2008-04-14 02:10 102,912 --a------ C:\WINDOWS\system32\dllcache\dpcdll.dll
2008-10-12 09:51 . 2008-04-14 02:09 24,064 --a------ C:\WINDOWS\system32\dllcache\pidgen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-28 09:11 --------- d-----w C:\Program Files\WinSMS
2008-10-28 09:11 --------- d-----w C:\Documents and Settings\Cecile\Application Data\Skype
2008-10-28 09:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-28 08:36 --------- d-----w C:\Documents and Settings\Cecile\Application Data\skypePM
2008-10-28 06:53 --------- d-----w C:\Program Files\Mooirivier System Backup
2008-09-25 09:00 2,050,686 ----a-w C:\Mosselbaai.zip
2008-09-01 06:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 06:15 16,760 ----a-w C:\Documents and Settings\Cecile\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 13:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2001-11-23 04:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-05-30 21718312]
"024h Lucky Reminder"="C:\Program Files\024h Lucky Reminder\LuckyReminder.exe" [2006-06-10 16:39 1567232]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Monitor"="C:\WINDOWS\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-06 718704]
"SiSPower"="SiSPower.dll" [2005-03-03 C:\WINDOWS\system32\SiSPower.dll]
"C-Media Mixer"="Mixer.exe" [2003-03-20 C:\WINDOWS\mixer.exe]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2005-03-08 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 C:\WINDOWS\system32\VTTrayp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Amethyst USBClient.lnk - C:\Program Files\Datatex\USBClient\USBClient.exe [3/28/2007 12:58:19 PM 1888256]
Canon iR1510-1670 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM4LAK.EXE [6/25/2005 1:29:31 PM 30720]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM 83360]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [6/25/2005 11:59:50 AM 266240]
WinSMS.lnk - C:\Program Files\WinSMS\WinSMS.exe [4/23/2008 2:20:38 PM 4867072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2002-02-15 10:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-25 149864]
R2 RapidPortM4;RapidPortM4;C:\WINDOWS\system32\Drivers\CAPM4LP.SYS [2003-11-27 23232]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 98488]
R3 PAC207;Webcam 1200;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-06-29 611584]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-10-27 C:\WINDOWS\Tasks\Cecile.job
- C:\WINDOWS\system32\ntbackup.exe [2008-04-14 02:12]

2008-10-27 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Cecile Clegg.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 06:05]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Cecile\Application Data\Mozilla\Firefox\Profiles\jxt6w6ok.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.za/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 11:11:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\CAPM4RSK.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM4SWK.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-10-28 11:14:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-28 09:14:34

Pre-Run: 49,178,648,576 bytes free
Post-Run: 49,205,915,648 bytes free

238 --- E O F --- 2008-10-28 01:00:31
gerhard84
Active Member
 
Posts: 1
Joined: October 28th, 2008, 4:43 am
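A defender reading the log above would want the Reg Loading Points section triaged automatically for the settings that silence Security Center, switch the firewall off and expose ports. This is an added example, not ComboFix's or the forum's own tooling; the sample lines are copied from the log above and the flagging rules are my own assumptions about what is worth surfacing.

```python
import re

# Constructed sample: lines copied from the log's "Reg Loading Points" section,
# plus one ordinary Run entry to show that benign values are not flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def parse_reg_section(text):
    """Parse REGEDIT4-style output into {key_path: {value_name: raw_data}}."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            result[current][value.group(1)] = value.group(2).strip()
    return result

def weakened_posture(reg):
    """Flag values that mute Security Center, disable the firewall or open ports (assumed rules)."""
    findings = []
    for key, values in reg.items():
        k = key.lower()
        for name, data in values.items():
            n = name.lower()
            if 'security center' in k and n in ('antivirusdisablenotify', 'disablemonitoring') and data.endswith('1'):
                findings.append(f'{name} set under {key}')  # AV alerts or monitoring silenced
            elif 'firewallpolicy' in k and n == 'enablefirewall' and data.startswith('0'):
                findings.append(f'firewall disabled under {key}')
            elif 'globallyopenports' in k:
                findings.append(f'globally open port {name}')
    return findings
```

Running `weakened_posture(parse_reg_section(SAMPLE_LOG))` yields four findings for the sample and none for the CTFMON Run entry.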

Re: gernuwa.sys

Post by silver » November 1st, 2008, 7:32 am

Hi gerhard84,

We have this PC at work that does not want to go onto the internet.

The forum policy is to not work on company machines:
In general, we do not help in cleaning business or corporate computers. There may be restrictions and modifications installed on such machines that could be damaged or altered by the actions we take to remove malware. There may also be legal issues regarding any loss of business data that we do not wish to deal with.


So I'm sorry, we won't be able to help you with this problem, and I have accordingly closed this topic.
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7