andt.sys & indt2.sys HELP!!
Need some help getting rid of andt & indt2. Spybot doesn't pick it up; any help would be greatly appreciated. Here's a log from HijackThis.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe" /d=60
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
--
End of file - 7337 bytes
Thanks.
Have Hijackthis fix these entries:
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
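The triage rule behind the reply above (a service with "Unknown owner" whose image sits directly in the Windows directory, unlike vendor-owned services such as nvsvc32.exe), written out as a small Python parser for HijackThis O23 and O4 lines. This is an added example, not code from the thread or from HijackThis; the sample log is constructed in the format of the logs above, and the O4 "Updater" line and the severity labels are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the format of the HijackThis logs posted in this thread (the
# O4 "Updater" line is invented for illustration; the O23 lines mirror the logs above).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Rob\Application Data\inst.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O23 - Service: <display name> (<short name>) - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
SHORT_RE = re.compile(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$")
# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")

# Image sits directly in C:\WINDOWS or C:\WINDOWS\system32 (no deeper subdirectory).
WINDOWS_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\]+$", re.IGNORECASE)
# Profile locations a normal user can write to without elevation (Windows XP layout).
USER_WRITABLE = re.compile(r"\\(?:Application Data|Local Settings|Temp)\\", re.IGNORECASE)


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    missing: bool


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (assumed labels)
    path: str
    reason: str


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Split an O23 line into its fields; returns None for non-O23 lines.
    Display names that themselves contain ' - ' would need a smarter split."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    n = SHORT_RE.match(m.group("name"))
    return ServiceEntry(n.group("display"), n.group("short"), m.group("owner"),
                        m.group("path"), m.group("missing") is not None)


def exe_from_command(cmd: str) -> str:
    """Recover the executable from an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Bare paths may contain spaces, so cut at the first executable extension, not at a space.
    m = re.match(r"^(.+?\.(?:exe|dll|cpl|scr|com))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the reasoning used in this thread: a service with no vendor name whose image
    sits directly in the Windows directory stands out, because the legitimate services
    there (nvsvc32.exe, oodag.exe) carry a company name. Orphaned entries are only noise."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        svc = parse_o23(raw)
        if svc is not None:
            if svc.owner != "Unknown owner":
                continue
            if svc.missing:
                findings.append(Finding("info", svc.path,
                                        "unknown-owner service whose file is gone (leftover uninstall)"))
            elif WINDOWS_DIR.match(svc.path):
                findings.append(Finding("high", svc.path,
                                        "unknown-owner service started straight from the Windows directory"))
            else:
                findings.append(Finding("medium", svc.path,
                                        "unknown-owner service; check the file's publisher"))
            continue
        m = O4_RE.match(raw.strip())
        if m:
            exe = exe_from_command(m.group("cmd"))
            if USER_WRITABLE.search(exe):
                findings.append(Finding("medium", exe,
                                        f"autorun [{m.group('label')}] under {m.group('hive')} "
                                        "runs from a user-writable profile directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.severity:6} {f.path}  <- {f.reason}")
```

Run against the full logs in this thread, the only "high" hits are perfs.exe and routing.exe, which are exactly the two entries the reply singles out.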
Not getting the annoying clicking anymore but: O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe - still appears on the hijackthis log.
Thanks for your help.
Try fixing it in safe mode. Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijackthis in safe mode and have it fix the entry.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45:44, on 27/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\routing.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
--
End of file - 6601 bytes
As you can see it's still showing up.
> 'Fixed checked' in safe mode, here's the log:
> As you can see it's still showing up.
It does not attempt to delete any actual malware files (except for those associated with O2 BHO entries). At its core, it is a powerful registry editor.
The "fixes" you are attempting are incomplete and probably being thwarted by SpyBotSD's Tea Timer feature.
FIRST:
Disable SpybotSD's Tea Timer. Do that now.
THEN:
- Download combofix.exe by sUBs to your computer's Desktop.
- Alternate Download
- (If you already have a previous version, delete it and download a new version).
- Double click combofix.exe & follow the prompts.
Note: Combofix will automatically disconnect your Internet connection when it runs, do not reconnect it.
When it finishes, it ought to:
- Produce a log for you (C:\ComboFix\ComboFix.txt).
- Restore your Internet connection.
IMPORTANT:
- Do not use your computer while Combofix is running.
- Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
Please post that log for us along with a fresh HJT. Let us know if you run into any difficulty.
Best Luck

PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
Hi PP;
Here's the combofix log:
ComboFix 08-02-25.3 - Rob 2008-02-28 0:44:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1607 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Rob\Application Data\inst.exe
C:\Program Files\internet explorer\svchost.exe
C:\WINDOWS\msvrc20.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 00:15 . 2008-02-28 00:15 251,392 --a------ C:\WINDOWS\system32\andt.sys
2008-02-28 00:15 . 2008-02-28 00:15 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-27 23:43 7,662 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 31,232 --a------ C:\WINDOWS\system32\routing.exe
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
Here's the combofix log:
ComboFix 08-02-25.3 - Rob 2008-02-28 0:44:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1607 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Rob\Application Data\inst.exe
C:\Program Files\internet explorer\svchost.exe
C:\WINDOWS\msvrc20.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 00:15 . 2008-02-28 00:15 251,392 --a------ C:\WINDOWS\system32\andt.sys
2008-02-28 00:15 . 2008-02-28 00:15 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-27 23:43 7,662 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 31,232 --a------ C:\WINDOWS\system32\routing.exe
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-13 06:07 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-13 03:22 . 2008-02-13 03:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Symantec
2008-02-12 20:13 . 2008-02-12 20:13 <DIR> d-------- C:\N360_BACKUP
2008-02-12 20:11 . 2008-02-12 20:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-12 17:46 . 2008-02-13 18:10 <DIR> d-------- C:\Program Files\Norton 360
2008-02-12 17:40 . 2008-02-12 22:09 <DIR> d-------- C:\Program Files\Symantec
2008-02-12 17:40 . 2008-02-12 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 17:40 . 2008-02-12 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 17:40 . 2008-02-12 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 17:40 . 2008-02-12 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 17:39 . 2008-02-26 02:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-12 17:38 . 2008-02-27 23:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-12 17:35 . 2008-02-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-12 16:08 . 2008-02-12 16:08 <DIR> d-------- C:\Program Files\LimeWire
2008-02-12 16:08 . 2008-02-26 16:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-02-12 01:24 . 2008-02-12 01:24 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{404C1499-24DB-49AC-BF11-F0AD2C046836}
2008-02-11 23:30 . 2008-02-11 23:28 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 23:30 . 2008-02-11 23:30 3,439 --a------ C:\WINDOWS\unins000.dat
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-02-28 00:44 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-27 17:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 23:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start []
S2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2004-08-07 00:15]
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe [2008-02-25 14:17]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 00:45:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-28 0:46:21
ComboFix-quarantined-files.txt 2008-02-28 00:46:13
.
2008-02-16 08:19:57 --- E O F ---
& here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:47:26, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Say the Time\SayTimeMain.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Advanced WindowsCare V2 Pro] "C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" /startup
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Say the Time.lnk = C:\Program Files\Say the Time\SayTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AshampooDefragService - Unknown owner - C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\aDefragService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
--
End of file - 6438 bytes
I appreciate the help.
Happy to try to help 
-- You should uninstall Limewire
Then, let's give this a go, shall we?
-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix
-- Let Combofix run as before and post me that log.
And, I guess we'll go from there....
Cheers
PP

Last edited by PhilliePhan; 3 Days Ago at 8:12 pm.
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
Hi PP. Here's the combofix log as requested:
ComboFix 08-02-25.3 - Rob 2008-02-28 10:28:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1641 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\andt.sys
C:\WINDOWS\system32\Indt2.sys
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\routing.exe
.
((((((((((((((((((((((((( Files Created from 2008-01-28 to 2008-02-28 )))))))))))))))))))))))))))))))
.
2008-02-28 00:56 . 2008-02-28 00:56 <DIR> d---s---- C:\Documents and Settings\Rob\UserData
2008-02-27 12:32 . 2008-02-27 12:33 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2008-02-27 12:32 . 2008-02-27 12:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-27 12:31 . 2008-02-27 12:31 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-27 10:53 . 2008-02-28 10:30 10,216 --a------ C:\WINDOWS\system32\oodbs.lor
2008-02-27 00:31 . 2008-02-27 17:00 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-02-27 00:10 . 2008-02-27 00:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-02-26 23:52 . 2008-02-26 23:52 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-26 23:47 . 2008-02-27 00:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PrevxCSI
2008-02-26 19:16 . 2008-02-26 19:16 0 --a------ C:\WINDOWS\OODCNT.INI
2008-02-26 18:37 . 2008-02-27 22:15 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-02-26 18:24 . 2008-02-26 18:24 <DIR> d-------- C:\Program Files\OO Software
2008-02-26 17:04 . 2008-02-26 17:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ashampoo
2008-02-26 14:44 . 2008-02-26 14:44 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-25 19:13 . 2008-02-27 20:52 <DIR> d-------- C:\Program Files\SpeedBit Video Accelerator
2008-02-25 19:13 . 2008-02-25 19:13 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-02-25 14:19 . 2008-02-25 14:19 <DIR> d-------- C:\Program Files\Nero
2008-02-25 14:17 . 2008-02-25 14:17 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-02-25 13:39 . 2008-02-25 13:39 <DIR> d-------- C:\Program Files\PowerISO
2008-02-25 13:32 . 2008-02-25 13:32 0 --a------ C:\WINDOWS\Irremote.ini
2008-02-25 10:10 . 2007-06-25 22:30 86,016 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2008-02-25 10:10 . 2007-04-24 19:33 32,768 --a------ C:\WINDOWS\system32\FrogASPI.DLL
2008-02-25 09:48 . 2008-02-25 09:48 <DIR> d-------- C:\Program Files\IObit
2008-02-25 01:35 . 2008-02-25 01:35 <DIR> d-------- C:\WINDOWS\Applian FLV Player
2008-02-24 21:06 . 2008-02-24 21:06 <DIR> d-------- C:\Documents and Settings\Rob\dwhelper
2008-02-23 17:31 . 2008-02-23 17:32 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\TVU networks
2008-02-23 17:31 . 2008-02-23 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-23 17:30 . 2008-02-23 17:31 <DIR> d-------- C:\Program Files\TVUPlayer
2008-02-22 10:40 . 2008-02-22 10:40 <DIR> d-------- C:\WINDOWS\Sun
2008-02-18 18:53 . 2001-09-06 10:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-02-18 18:53 . 2007-06-25 14:02 475,136 --a------ C:\WINDOWS\system32\SkinCrafter2.dll
2008-02-17 00:04 . 2008-02-17 00:04 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\vlc
2008-02-17 00:03 . 2008-02-17 00:03 <DIR> d-------- C:\Program Files\VideoLAN
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-02-16 10:18 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-02-15 23:42 . 2004-03-22 23:17 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2008-02-15 23:42 . 2008-02-15 23:42 376 --a------ C:\WINDOWS\ODBC.INI
2008-02-15 23:40 . 2008-02-15 23:40 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-02-15 23:35 . 2008-02-15 23:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-02-15 23:34 . 2008-02-15 23:34 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-02-15 23:32 . 2008-02-15 23:32 <DIR> d-------- C:\Program Files\Disc2Phone
2008-02-15 23:26 . 2008-02-15 23:26 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2008-02-15 23:24 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-02-15 23:23 . 2008-02-15 23:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-02-15 23:22 . 2008-02-15 23:23 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-02-15 23:21 . 2008-02-15 23:21 6,176 --a------ C:\WINDOWS\system32\drivers\w810cm.sys
2008-02-15 23:21 . 2008-02-15 23:21 5,808 --a------ C:\WINDOWS\system32\drivers\w810wh.sys
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Real
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-02-15 22:51 . 2008-02-15 22:51 <DIR> d-------- C:\Program Files\Common Files\Real
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-02-14 13:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-02-13 21:14 . 2008-02-13 21:14 <DIR> d-------- C:\Program Files\InstallShield Installation Information
2008-02-13 21:13 . 2008-02-26 14:43 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-02-13 17:24 . 2008-02-13 17:25 81 --a------ C:\WINDOWS\WB.ini
2008-02-13 06:07 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-02-13 06:07 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-13 06:07 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-02-13 03:22 . 2008-02-13 03:22 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Symantec
2008-02-12 20:13 . 2008-02-12 20:13 <DIR> d-------- C:\N360_BACKUP
2008-02-12 20:11 . 2008-02-12 20:11 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-12 17:46 . 2008-02-13 18:10 <DIR> d-------- C:\Program Files\Norton 360
2008-02-12 17:40 . 2008-02-12 22:09 <DIR> d-------- C:\Program Files\Symantec
2008-02-12 17:40 . 2008-02-12 22:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-12 17:40 . 2008-02-12 22:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-12 17:40 . 2008-02-12 22:09 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-12 17:40 . 2008-02-12 22:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-12 17:39 . 2008-02-28 00:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-12 17:38 . 2008-02-28 10:13 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-12 17:35 . 2008-02-12 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-12 16:08 . 2008-02-26 16:31 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\LimeWire
2008-02-12 01:24 . 2008-02-12 01:24 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{404C1499-24DB-49AC-BF11-F0AD2C046836}
2008-02-11 23:30 . 2008-02-11 23:28 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-11 23:30 . 2008-02-11 23:30 3,439 --a------ C:\WINDOWS\unins000.dat
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-02-28 10:27 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-28 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys
2008-02-11 18:44 . 2008-02-11 18:44 <DIR> d-------- C:\Program Files\Winamp
2008-02-11 18:44 . 2008-02-19 22:05 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Winamp
2008-02-11 18:31 . 2008-02-25 23:03 69 --a------ C:\WINDOWS\NeroDigital.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 23:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start []
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 10:30:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Say the Time\SayTimeMain.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-28 10:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 10:34:06
ComboFix2.txt 2008-02-28 10:22:56
ComboFix3.txt 2008-02-28 00:46:22
.
2008-02-16 08:19:57 --- E O F ---
Ta.
2008-02-11 23:26 . 2008-02-27 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Nero
2008-02-11 23:02 . 2008-02-11 23:02 <DIR> d-------- C:\Documents and Settings\Digital\Application Data\Grisoft
2008-02-11 22:55 . 2008-02-11 22:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-11 22:13 . 2008-02-11 22:14 163,712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2008-02-11 20:40 . 2008-02-11 20:43 <DIR> d-------- C:\Program Files\SopCast
2008-02-11 20:26 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-02-11 20:17 . 2008-02-12 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-11 19:28 . 2008-02-11 19:28 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-02-11 19:14 . 2008-02-11 19:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-02-11 19:10 . 2008-02-11 19:10 <DIR> d-------- C:\Program Files\Say the Time
2008-02-11 19:03 . 2008-02-28 10:27 <DIR> d-------- C:\Program Files\PeerGuardian2
2008-02-11 19:02 . 2004-08-04 04:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-02-11 18:52 . 2008-02-11 18:58 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-02-11 18:52 . 2008-02-11 18:52 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\URSoft
2008-02-11 18:52 . 2008-02-28 10:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-11 18:51 . 2008-02-11 18:51 <DIR> d-------- C:\Program Files\VSO
2008-02-11 18:51 . 2008-02-26 13:36 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Vso
2008-02-11 18:51 . 2008-02-11 18:51 47,360 --a------ C:\Documents and Settings\Rob\Application Data\pcouffin.sys
2008-02-11 18:44 . 2008-02-11 18:44 <DIR> d-------- C:\Program Files\Winamp
2008-02-11 18:44 . 2008-02-19 22:05 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Winamp
2008-02-11 18:31 . 2008-02-25 23:03 69 --a------ C:\WINDOWS\NeroDigital.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 22:51 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-11 18:51 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-02-11 16:57 --------- d-----w C:\Program Files\microsoft frontpage
2008-01-20 07:07 33,292 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
2008-01-10 13:16 159,839 ----a-w C:\WINDOWS\system32\xvidvfw.dll
2008-01-10 13:15 755,027 ----a-w C:\WINDOWS\system32\xvidcore.dll
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-29 23:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 23:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"CursorFX"="C:\Program Files\Stardock\CursorFX\CursorFX.exe" [2008-02-08 16:50 418120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 22:51 185896]
"Advanced WindowsCare V2 Pro"="C:\Program Files\IObit\Advanced WindowsCare V2 Pro\Awc.exe" [2007-09-19 22:10 2916528]
"SpeedBitVideoAccelerator"="C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-02-25 19:13 2283120]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A Stardock TrayMonitor"="" []
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 04:56 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Say the Time.lnk - C:\Program Files\Say the Time\SayTime.exe [2007-05-18 04:00:00 90112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-02-11 18:09 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DefragTaskBar]
C:\Program Files\Ashampoo\Ashampoo Magical Defrag 2\bin\defragTaskBar.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-08-03 12:51 1422632 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrevxCSI]
C:\Program Files\PrevxCSI\prevxcsi.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-06-21 14:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\SopCast\\sopvod.exe"=
R2 sbbotdi;sbbotdi;C:\PROGRA~1\SpeedBit Video Accelerator\sbbotdi.sys [2008-02-25 19:13]
R2 VideoAcceleratorService;VideoAcceleratorService;C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe -start []
S2 Routing;Routing Service;C:\WINDOWS\system32\routing.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setupx.exe
*Newly Created Service* - COMHOST
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-28 10:30:29
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Say the Time\SayTimeMain.exe
C:\PROGRA~1\SpeedBit Video Accelerator\VideoAcceleratorEngine.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\luall.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-02-28 10:34:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-28 10:34:06
ComboFix2.txt 2008-02-28 10:22:56
ComboFix3.txt 2008-02-28 00:46:22
.
2008-02-16 08:19:57 --- E O F ---
Ta.
Hi digital11,
Let's try this one more time - I hate to say it, but I missed one. This particular infection often has some rootkit-type stealthing attributes that try to hide its components. I wish I could say I missed a hidden one, but that's not the case... LOL!
Anyhoo, I'd like to do one more CFScript. I changed it a bit and it should get the remaining baddies. In addition, I'd like to look for a couple associated baddies that have not shown themselves.
-- Please DELETE your copy of ComboFix and download a fresh one to your Desktop
-- Please Download this updated CFScript to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into/over ComboFix.exe to start ComboFix
-- Let Combofix run as before and post me that log.
-- I'd also like to see a fresh HijackThis Log from after this CFScript step.
With any luck, that ought to do the trick!
Cheers
PP
Last edited by PhilliePhan; Feb 28th, 2008 at 4:18 pm. Reason: The Usual...
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP