datan

Hi gents,
Hope someone can help me out. I'm unable to have access to the internet. When I try ipconfig, i receive an internal error, command not recognized. I've tried McAfee and received 1 issue: NTOSKRNL-hook trojan. Tried to remove it; but here i´m stuck, it keeps comming back and more and more the pc freezes up.

Hope one of you can help me out.

in attatchement, the combo fix file. I couldn't create a windows recovery point, because of the lack of access to the net

Steve

Here are the other files made with DDS

and the file made with GMER

ComboFix 09-04-19.01 - Administrator 20-04-2009 19:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1033.18.1014.647 [GMT 2:00]
Gestart vanuit: f:\ntoskrnl\Combo-Fix.exe
* Resident AV is active


WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\ieocx.dll
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\drivers\UACduyqxrrmqpxbqjl.sys
c:\windows\system32\UACbosefyxetobwwap.dll
c:\windows\system32\UACcdanosccolqfvas.dll
c:\windows\system32\UACculrgfvkpavygdk.dll
c:\windows\system32\UACfmxuvlirpnxrklq.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkxwcfwmtjjqeksi.log
c:\windows\system32\UACpkkydqbuhgujoew.dat
c:\windows\system32\UACpptmxfujrgnkmea.log
c:\windows\system32\UACqwamrtqqctijepr.dll
c:\windows\system32\UACtlckrrhcetaylvd.log

----- BITS: Mogelijk geïnfecteerde sites -----

hxxp://loyalvideoz.com
hxxp://wsus:8530
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


(((((((((((((((((((( Bestanden Gemaakt van 2009-03-20 to 2009-04-20 ))))))))))))))))))))))))))))))
.

2009-04-20 17:01 . 2009-04-20 17:01 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-04-20 16:08 . 2009-04-20 16:08 42 ----a-w c:\windows\system32\RegistryEasy.lie
2009-04-20 10:20 . 2009-04-20 10:20 3696576 ----a-w c:\windows\system32\xa493281.exe
2009-04-20 10:20 . 2009-04-20 10:20 3696576 ----a-w c:\windows\system32\xa492875.exe
2009-04-20 10:08 . 2009-04-20 10:08 3696576 ----a-w c:\windows\system32\xa3713531.exe
2009-04-20 10:08 . 2009-04-20 10:08 3696576 ----a-w c:\windows\system32\xa3713140.exe
2009-04-19 21:53 . 2009-04-19 21:53 3696576 ----a-w c:\windows\system32\xa7810796.exe
2009-04-19 21:53 . 2009-04-19 21:53 3696576 ----a-w c:\windows\system32\xa7803765.exe
2009-04-19 21:24 . 2009-04-19 21:24 3696576 ----a-w c:\windows\system32\xa6103937.exe
2009-04-19 21:24 . 2009-04-19 21:24 180224 ----a-w c:\windows\system32\xwr85521.dll
2009-04-19 21:24 . 2009-04-19 21:24 180224 ----a-w c:\windows\system32\wr85521.dll
2009-04-19 21:24 . 2009-04-19 21:24 -------- d-----w c:\documents and settings\sbaele\Application Data\Thinstall
2009-04-19 21:24 . 2009-04-19 21:24 3696576 ----a-w c:\windows\system32\xa6103359.exe
2009-04-19 20:30 . 2008-06-20 11:51 361600 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-04-19 20:30 . 2008-06-20 11:08 225856 ----a-w c:\windows\system32\drivers\tcpip6.sys
2009-04-17 11:31 . 2009-02-09 12:10 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-04-17 11:31 . 2009-02-09 12:10 714752 ----a-w c:\windows\system32\ntdll.dll
2009-04-17 11:31 . 2009-02-09 12:10 617472 ----a-w c:\windows\system32\advapi32.dll
2009-04-17 11:31 . 2009-02-06 11:11 110592 ----a-w c:\windows\system32\services.exe
2009-04-17 11:31 . 2009-02-06 11:06 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-04-17 11:31 . 2009-02-06 10:32 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-04-17 11:25 . 2009-02-03 19:59 56832 -c----w c:\windows\system32\dllcache\secur32.dll
2009-04-17 11:25 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
2009-04-17 11:25 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 11:25 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 11:25 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 11:25 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 11:25 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 11:25 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 11:25 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 11:25 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 11:25 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 11:24 . 2008-06-12 14:23 956928 -c----w c:\windows\system32\dllcache\msdtctm.dll
2009-04-17 11:24 . 2008-06-12 14:23 91648 -c----w c:\windows\system32\dllcache\mtxoci.dll
2009-04-17 11:24 . 2008-06-12 14:23 66560 -c----w c:\windows\system32\dllcache\mtxclu.dll
2009-04-17 11:24 . 2008-06-12 14:23 58880 -c----w c:\windows\system32\dllcache\msdtclog.dll
2009-04-17 11:24 . 2008-06-12 14:23 161792 -c----w c:\windows\system32\dllcache\msdtcuiu.dll
2009-04-17 11:24 . 2008-12-16 12:30 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
2009-04-17 11:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 11:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 12:53 . 2008-12-03 10:06 2790304 ----a-w C:\tn2501ap-h0-f21-sig.bin
2009-04-15 12:03 . 2009-04-17 13:41 -------- d-----w c:\documents and settings\sbaele\Application Data\VMware
2009-04-15 11:37 . 2009-04-20 17:25 -------- d-----w c:\documents and settings\LocalService\Application Data\VMware
2009-04-15 11:36 . 2008-05-09 19:05 9600 ----a-r c:\windows\system32\drivers\vmnetadapter.sys
2009-04-15 11:36 . 2008-05-09 19:05 5120 ----a-r c:\windows\system32\vnetinst.dll
2009-04-15 11:36 . 2008-05-09 19:05 106496 ----a-w c:\windows\system32\vmnetdhcp.exe
2009-04-15 11:36 . 2009-04-20 17:24 -------- d-----w c:\documents and settings\All Users\Application Data\VMware
2009-04-15 11:36 . 2008-05-09 19:05 135168 ----a-w c:\windows\system32\vmnat.exe
2009-04-15 11:36 . 2008-05-09 19:05 15744 ----a-w c:\windows\system32\drivers\vmnetuserif.sys
2009-04-15 11:35 . 2008-05-09 19:05 10240 ----a-r c:\windows\system32\drivers\vmnet.sys
2009-04-15 11:35 . 2008-05-09 19:05 364631 ----a-w c:\windows\system32\vnetlib.dll
2009-04-15 11:35 . 2009-04-15 11:35 1024 ----a-w C:\.rnd
2009-04-15 11:28 . 2009-04-15 11:28 -------- d-----w C:\Virtual Machines
2009-04-14 14:30 . 2009-04-14 14:30 54 ----a-w c:\windows\cvsupv13.cfg

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 16:11 . 2009-04-20 15:56 -------- d-----w c:\program files\Registry Easy
2009-04-19 21:17 . 2009-04-19 21:17 -------- d-----w c:\program files\SanityCheck
2009-04-17 06:56 . 2009-03-16 08:48 -------- d-----w c:\documents and settings\sbaele\Application Data\FileZilla
2009-04-15 11:28 . 2009-04-15 11:28 -------- d-----w c:\program files\Common Files\VMware
2009-04-15 11:27 . 2009-04-15 11:27 -------- d-----w c:\program files\VMware
2009-04-15 10:11 . 2009-04-15 10:11 -------- d-----w c:\program files\Microsoft Virtual PC
2009-04-14 14:28 . 2008-12-01 09:34 -------- d-----w c:\program files\Avaya
2009-04-14 14:28 . 2008-08-08 15:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-19 13:29 . 2008-11-25 12:10 69616 ----a-w c:\documents and settings\sbaele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-19 13:28 . 2009-03-19 13:28 -------- d-----w c:\program files\Microsoft
2009-03-19 13:27 . 2009-03-19 13:27 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-19 13:27 . 2008-12-01 10:27 -------- d-----w c:\program files\Windows Live
2009-03-19 13:25 . 2009-03-19 13:25 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-19 12:17 . 2009-03-17 14:10 -------- d-----w c:\program files\Your Free DVD Ripper
2009-03-19 12:10 . 2009-03-19 12:10 -------- d-----w c:\documents and settings\sbaele\Application Data\Malwarebytes
2009-03-19 12:10 . 2009-03-19 12:10 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-17 14:06 . 2009-03-17 14:00 -------- d-----w c:\program files\Common Files\AVSMedia
2009-03-17 14:01 . 2009-03-17 14:01 -------- d-----w c:\documents and settings\sbaele\Application Data\AVS4YOU
2009-03-17 14:01 . 2009-03-17 14:01 -------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-17 13:56 . 2009-03-17 13:50 -------- d-----w c:\program files\DNA
2009-03-16 08:48 . 2009-03-16 08:48 -------- d-----w c:\program files\FileZilla FTP Client
2009-03-12 12:47 . 2009-03-13 15:16 38564 ----a-w C:\TCD2009.gif
2009-03-09 08:14 . 2009-03-09 08:14 180862 ----a-w C:\9410.bmp
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2009-03-03 00:18 6656 ----a-w c:\windows\system32\zzmraik.exe
2009-03-03 00:18 . 2009-03-03 00:18 180224 ----a-w c:\windows\system32\wjazabf.dll
2009-03-03 00:18 . 2005-08-26 10:41 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 08:46 . 2009-02-19 15:29 2523862 ----a-w C:\CTP2007.zip
2009-02-09 12:10 . 2005-08-26 10:41 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2005-08-26 10:41 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:52 . 2009-02-06 17:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 06:42 . 2009-02-06 06:42 244 ---ha-w C:\sqmnoopt05.sqm
2009-02-06 06:42 . 2009-02-06 06:42 232 ---ha-w C:\sqmdata05.sqm
2009-02-06 04:36 . 2009-02-06 04:36 244 ---ha-w C:\sqmnoopt04.sqm
2009-02-06 04:36 . 2009-02-06 04:36 232 ---ha-w C:\sqmdata04.sqm
2009-02-05 14:36 . 2009-02-05 14:36 244 ---ha-w C:\sqmnoopt03.sqm
2009-02-05 14:36 . 2009-02-05 14:36 232 ---ha-w C:\sqmdata03.sqm
2009-02-04 12:11 . 2009-02-04 12:11 244 ---ha-w C:\sqmnoopt02.sqm
2009-02-04 12:11 . 2009-02-04 12:11 232 ---ha-w C:\sqmdata02.sqm
2009-02-03 19:59 . 2005-08-26 10:41 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-28 18:49 . 2009-03-17 13:59 974848 ----a-w c:\windows\system32\mfc70.dll
2009-01-28 18:49 . 2009-03-17 13:59 1700352 ----a-w c:\windows\system32\GdiPlus.dll
2009-01-28 18:49 . 2009-03-17 13:59 24576 ----a-w c:\windows\system32\msxml3a.dll
2009-01-27 11:47 . 2009-01-27 11:48 47779 ----a-w C:\zekeringskast.jpg
2008-08-25 11:14 . 2008-11-17 13:17 32768 --sha-w c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D875888-7421-37A1-8048-93B9993216B7}]
2009-04-19 21:24 180224 ----a-w c:\windows\system32\xwr85521.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-04-23 5723656]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-17 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-27 111952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-5-24 622653]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\iexplore.exe]
"Debugger"=c:\windows\system32\zzmraik.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysav

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2008-03-06 95744]
R3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2008-03-06 51968]
R3 GTPTSER;GT PT SER;c:\windows\system32\DRIVERS\gtptser.sys [2008-03-06 8064]
R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2008-03-29 20632]
R3 NgWfp;Aventail VPN Callout;c:\windows\system32\DRIVERS\ngwfp.sys [2008-03-29 21656]
S1 NEOFLTR_620_13525;Juniper Networks TDI Filter Driver (NEOFLTR_620_13525);c:\windows\system32\Drivers\NEOFLTR_620_13525.SYS [2008-08-28 64480]
S2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2008-03-29 205381]
S2 vmserverdWin32;VMware Registration Service;c:\program files\VMware\VMware Server\vmserverdWin32.exe [2008-05-09 1650781]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2008-03-29 25240]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2008-03-29 76440]

.
Inhoud van de 'Gedeelde Taken' map

2009-04-20 c:\windows\Tasks\Schedule Task Weekly.job
- c:\program files\Registry Easy\RE.exe [2009-04-20 17:08]
.
- - - - ORPHANS VERWIJDERD - - - -

BHO-{39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Bijkomende Scan -------
.
uInternet Settings,ProxyServer = ftp=proxy.newtelessence.com:80;http=nevs06.newtelessence.com:80;https=proxy.newtelessence.com:80;socks=proxy.newtelessence.com:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Verzenden naar &Bluetooth-apparaat... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\UACd.sys]
"imagepath"="\systemroot\system32\drivers\UACduyqxrrmqpxbqjl.sys"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{207E2E1E-EF50-ADCC-1049-9886CE99E9FC}\InProcServer32*]
"kajbknnlmggflhnodpebnf"=hex:62,61,6a,67,00,8e
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(1412)
c:\windows\System32\newmsgina.dll
.
Voltooingstijd: 2009-04-20 19:30
ComboFix-quarantined-files.txt 2009-04-20 17:30

Pre-Run: 18.923.335.680 bytes free
Post-Run: 18.989.772.800 bytes free

233 --- E O F --- 2009-04-19 13:21

Attached Files

	ComboFix.txt (16.2 KB, 5 views)
	DDS.txt (12.7 KB, 1 views)
	Attach.txt (12.7 KB, 0 views)
	ark.txt (7.4 KB, 2 views)

Ried

Hello Steve,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


We must get that Recovery Console installed before we continue. Use another computer to download the following setup file:

http://www.microsoft.com/downloads/d...displaylang=en (it will work for SP3 as well)

Save it to your flash drive as originally named - do not do anything with it yet.

==============================

Ideally, you should move ComboFix.exe and the setup package you just downloaded, to the desktop of the infected computer. If you are unable to do that, then run it from your flash drive as follows:


Close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

• Drag the setup package onto ComboFix.exe and drop it.
  
• Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  
  
  
  
• At the next prompt, click ' NO' to exit ComboFix for now.

==============================

Next, open notepad and copy/paste the text in the code box below into it:

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Post that in your next reply along with an update on system behavior.