Help with Rootkit Agents ntndis.sys/ipsecndis.sys removal

damagedone · September 3, 2010

Hello to all,new to this forum!=)

Log from ComboFix:

ComboFix 10-09-02.03 - Administrator 03/09/2010 14:27:29.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1253.30.1032.18.1023.711 [GMT 3:00]

Running from: c:\documents and settings\Administrator\????????? ????????\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\3dcs9.exe

c:\documents and settings\Administrator\Application Data\F999863FCD0F84161E0D975E30AD6759

c:\documents and settings\Administrator\Application Data\F999863FCD0F84161E0D975E30AD6759\enemies-names.txt

c:\documents and settings\Administrator\Application Data\F999863FCD0F84161E0D975E30AD6759\local.ini

c:\documents and settings\Administrator\Application Data\F999863FCD0F84161E0D975E30AD6759\lsrslt.ini

c:\documents and settings\Administrator\Favorites\Download programs.url

c:\documents and settings\Administrator\Favorites\Games.url

c:\documents and settings\Administrator\Favorites\Translator.url

c:\documents and settings\Administrator\Favorites\Videos.url

c:\documents and settings\Administrator\Local Settings\Application Data\edimqackg

c:\documents and settings\Administrator\Local Settings\Application Data\edimqackg\ktyxhepshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\fnpoplmub

c:\documents and settings\Administrator\Local Settings\Application Data\fnpoplmub\kfkabklshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\nwosolutm

c:\documents and settings\Administrator\Local Settings\Application Data\nwosolutm\kcgvkyxshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\phmvqlcwt

c:\documents and settings\Administrator\Local Settings\Application Data\phmvqlcwt\fqqfykpshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\skwronivg

c:\documents and settings\Administrator\Local Settings\Application Data\skwronivg\kbelgbtshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\sovdgpblb

c:\documents and settings\Administrator\Local Settings\Application Data\sovdgpblb\uubxqarshdw.exe

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat

c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat

C:\Install.exe

c:\windows\system32\404Fix.exe

c:\windows\system32\agbnmwbi.dll

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\apvphdih.ini

c:\windows\system32\atsamkqn.dll

c:\windows\system32\auuunnat.dll

c:\windows\system32\bffmyr.dll

c:\windows\system32\CJjRBcdd.ini

c:\windows\system32\cMnmWyxx.ini

c:\windows\system32\coifbkdy.dll

c:\windows\system32\crvgfyeo.dll

c:\windows\system32\cscuhm.dll

c:\windows\system32\ddbgmqcy.dll

c:\windows\system32\dheuyq.dll

c:\windows\system32\dumphive.exe

c:\windows\system32\eboobnhy.dll

c:\windows\system32\edijaz.dll

c:\windows\system32\eguhefnq.dll

c:\windows\system32\emhlmgah.dll

c:\windows\system32\EMVwaGgh.ini

c:\windows\system32\esdlmutq.dll

c:\windows\system32\ewachj.dll

c:\windows\system32\exochuvs.dll

c:\windows\system32\eysotv.dll

c:\windows\system32\fbiwqfsy.dll

c:\windows\system32\fcfxvcmt.dll

c:\windows\system32\fglgvwet.dll

c:\windows\system32\frgqaz.dll

c:\windows\system32\gdifjdid.dll

c:\windows\system32\ghcpuagw.dll

c:\windows\system32\gknaxjhe.dll

c:\windows\system32\gnakefvp.dll

c:\windows\system32\gngkxbsu.dll

c:\windows\system32\GOUtCIPo.ini

c:\windows\system32\gqsfjvkp.dll

c:\windows\system32\gtlleeow.dll

c:\windows\system32\gyiclnet.dll

c:\windows\system32\haemdi.dll

c:\windows\system32\hdomnopd.dll

c:\windows\system32\hdwqkljr.dll

c:\windows\system32\hhobdfkf.dll

c:\windows\system32\hhqthb.dll

c:\windows\system32\hixvzj.dll

c:\windows\system32\hjdpyqiy.dll

c:\windows\system32\hmkfcxlu.dll

c:\windows\system32\hsdsjn.dll

c:\windows\system32\hwcqeysi.dll

c:\windows\system32\hxfiwejn.dll

c:\windows\system32\hxtstcyn.dll

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\ijslxyjr.dll

c:\windows\system32\imrquw.dll

c:\windows\system32\ipdypour.dll

c:\windows\system32\iyervnkx.dll

c:\windows\system32\iysvdk.dll

c:\windows\system32\jfafsjni.dll

c:\windows\system32\jreyyx.dll

c:\windows\system32\jsmpudgm.dll

c:\windows\system32\jysppuyt.dll

c:\windows\system32\kedtpr.dll

c:\windows\system32\knnfnfgm.dll

c:\windows\system32\kudmwvpl.dll

c:\windows\system32\kvnvildh.dll

c:\windows\system32\kvujkr.dll

c:\windows\system32\kwmqqn.dll

c:\windows\system32\kyiwmk.dll

c:\windows\system32\lcvceq.dll

c:\windows\system32\ljcrmx.dll

c:\windows\system32\llncfpbf.dll

c:\windows\system32\lsgysp.dll

c:\windows\system32\mhqgdhgb.dll

c:\windows\system32\mpdofg.dll

c:\windows\system32\mpqjaf.dll

c:\windows\system32\mrikppvv.dll

c:\windows\system32\ngjani.dll

c:\windows\system32\o4Patch.exe

c:\windows\system32\ohqjjgwc.dll

c:\windows\system32\onhfkn.dll

c:\windows\system32\oolfrw.dll

c:\windows\system32\oscqqe.dll

c:\windows\system32\oumuws.dll

c:\windows\system32\pfxhfyta.dll

c:\windows\system32\pjhjonoa.dll

c:\windows\system32\pmlvyg.dll

c:\windows\system32\pnfumxhm.dll

c:\windows\system32\poyuzk.dll

c:\windows\system32\pqltbq.dll

c:\windows\system32\Process.exe

c:\windows\system32\pszjwc.dll

c:\windows\system32\ptcsaiuv.dll

c:\windows\system32\pxgyubhy.dll

c:\windows\system32\qbrycxea.dll

c:\windows\system32\qdjyalqe.dll

c:\windows\system32\qggyuhwa.dll

c:\windows\system32\qhyqygnm.dll

c:\windows\system32\qkutlvmq.dll

c:\windows\system32\qwhfqnmg.dll

c:\windows\system32\rCMVyyay.ini

c:\windows\system32\rigtkjej.dll

c:\windows\system32\rjofce.dll

c:\windows\system32\rnyrbexb.dll

c:\windows\system32\shcfypww.dll

c:\windows\system32\sicbql.dll

c:\windows\system32\SrchSTS.exe

c:\windows\system32\svrstx.dll

c:\windows\system32\sycqgu.dll

c:\windows\system32\tfqroqrx.dll

c:\windows\system32\tfwuomqh.dll

c:\windows\system32\tmp.reg

c:\windows\system32\tvbsmd.dll

c:\windows\system32\uaifxgrb.dll

c:\windows\system32\UBbJQXbc.ini

c:\windows\system32\ucqbqu.dll

c:\windows\system32\udtqhkmj.dll

c:\windows\system32\uerqqmoh.dll

c:\windows\system32\uglqvqdf.dll

c:\windows\system32\ulpqpkhg.dll

c:\windows\system32\uqttuc.dll

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\vewubd.dll

c:\windows\system32\vhyrrk.dll

c:\windows\system32\vpbcitbl.dll

c:\windows\system32\vxwqwsdb.dll

c:\windows\system32\vyavxerc.dll

c:\windows\system32\wbdmdygl.dll

c:\windows\system32\wggwppma.dll

c:\windows\system32\wlhnrjxu.dll

c:\windows\system32\wpodrl.dll

c:\windows\system32\WS2Fix.exe

c:\windows\system32\xdxuplnw.dll

c:\windows\system32\xervxv.dll

c:\windows\system32\xgntecff.dll

c:\windows\system32\xsplfutd.dll

c:\windows\system32\xtycojvv.dll

c:\windows\system32\yluceq.dll

c:\windows\system32\yowhjqyj.dll

c:\windows\system32\ypxakc.dll

c:\windows\system32\yqgynoum.dll

c:\windows\system32\ytnojo.dll

c:\windows\system32\yuydixfn.dll

c:\windows\system32\ywkwifst.dll

c:\windows\system32\yzargd.dll

c:\windows\system32\zagdse.dll

c:\windows\system32\zkrdls.dll

c:\windows\system32\zowixj.dll

C:\ws.exe

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\drivers\ndis.sys . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ATAPIDRV

-------\Service_usnjsvc

((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))

.

2010-09-03 10:36 . 2010-09-03 10:36 -------- d-----w- c:\program files\TheStubware

2010-09-03 10:36 . 2010-04-10 14:05 9728 ----a-w- c:\windows\system32\drivers\TheStubwareDriver.SYS

2010-09-03 10:36 . 2010-04-10 14:01 44032 ----a-w- c:\windows\system32\drivers\ActiveMonitor.SYS

2010-09-02 17:34 . 2010-09-02 17:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\NETGATE Registry Cleaner

2010-09-02 17:34 . 2010-09-02 17:34 -------- d-----w- c:\program files\NETGATE

2010-09-01 13:39 . 2010-09-01 13:39 711168 ----a-w- c:\windows\is-70I7F.exe

2010-08-31 16:14 . 2010-08-31 16:14 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-31 15:30 . 2010-09-03 11:36 786944 ----a-w- c:\windows\system32\drivers\dwtma.sys

2010-08-30 01:08 . 2010-08-30 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Navnet_Solutions

2010-08-30 01:07 . 2010-08-30 01:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\NavNet Solutions

2010-08-24 21:40 . 2010-08-30 19:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc

2010-08-24 21:39 . 2010-08-24 21:39 -------- d-----w- c:\program files\VideoLAN

2010-08-09 14:51 . 2010-08-09 14:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\LolClient

2010-08-09 13:53 . 2010-08-23 12:43 -------- d-----w- c:\program files\League of Legends

2010-08-09 13:20 . 2010-08-09 21:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\PMB Files

2010-08-09 13:20 . 2010-08-09 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2010-08-09 13:20 . 2010-08-09 13:20 -------- d-----w- c:\program files\Pando Networks

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-03 11:37 . 2001-11-27 12:00 554098 ----a-w- c:\windows\system32\perfh008.dat

2010-09-03 11:37 . 2001-11-27 12:00 96134 ----a-w- c:\windows\system32\perfc008.dat

2010-09-03 11:06 . 2008-02-22 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg7

2010-09-03 11:06 . 2008-02-22 19:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7

2010-09-01 21:48 . 2007-10-23 15:56 76056 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-01 13:42 . 2009-05-08 20:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-31 17:09 . 2004-08-03 20:14 211072 ----a-w- c:\windows\system32\drivers\ndis.sys

2010-08-31 15:31 . 2008-08-19 05:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\BitTorrent

2010-08-31 07:09 . 2010-05-16 19:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype

2010-08-30 18:23 . 2007-10-23 15:52 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-08-30 18:21 . 2009-05-05 12:33 -------- d-----w- c:\program files\Rock Legend Demo

2010-08-30 18:19 . 2010-03-20 01:47 -------- d-----w- c:\program files\Common Files\AVSMedia

2010-08-30 18:19 . 2010-03-20 01:46 -------- d-----w- c:\program files\AVS4YOU

2010-08-30 18:18 . 2010-06-18 01:34 -------- d-----w- c:\program files\AVI-GIF

2010-07-08 21:31 . 2009-06-19 17:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\skypePM

2010-06-20 21:49 . 2010-06-20 21:49 77312 ----a-w- c:\documents and settings\Administrator\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll

2010-06-11 22:46 . 2010-01-12 12:46 237568 ----a-w- c:\windows\system32\rmc_rtspdl.dll

2010-06-11 22:46 . 2010-01-12 12:46 156672 ----a-w- c:\windows\system32\rmc_fixasf.exe

2004-10-01 12:00 . 2007-10-23 16:13 40960 ----a-w- c:\program files\Uninstall_CDS.exe

2006-05-03 09:06 . 2010-06-18 02:27 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 10:47 . 2010-06-18 02:27 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 12:30 . 2010-06-18 02:27 216064 --sh--r- c:\windows\system32\nbDX.dll

.

------- Sigcheck -------

[-] 2010-08-31 17:09 . !HASH: COULD NOT OPEN FILE !!!!! . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys

[-] 2010-08-31 17:09 . !HASH: COULD NOT OPEN FILE !!!!! . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys

[-] 2004-09-04 . 1B0C413220951CDE77988FA46F024E9C . 508416 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2007-06-13 . 080A0A07EEB41370757978CF9A6A4476 . 1037824 . . [6.00.2900.3156] . . c:\windows\explorer.exe

[7] 2007-06-13 . 1DEB059FFD416425426735E6EC1CF3C0 . 1037824 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NETGATERegistryCleaner"="c:\program files\NETGATE\Registry Cleaner\RegistryCleaner.exe" [2010-08-30 1870488]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-09-04 15360]

"iLike"="c:\program files\iLike\1.2.11\ilikesidebar.exe" [2008-09-11 63024]

c:\documents and settings\All Users\Start Menu\

Haider · September 3, 2010

Hello damagedone:

Sorry to hear that your system is infected. Please read and follow the instructions in I'm infected - What do I do now? An Expert will assist you in removal process. Should you have any other question(s) please post back

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Sign In

Help with Rootkit Agents ntndis.sys/ipsecndis.sys removal

Recommended Posts

damagedone

Link to post

Share on other sites

Haider

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information