Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!!

ahart831 · 06-09-2007, 12:18 AM

Hey guys… I am having the following problem.

Whenever I start up my computer I get an error message (before my wallpaper is displayed) that says: “There is no disk in the drive Please insert disk into drive “\Device\Harddisk1\DR3” I usually click on cancel or continue and then three other pop ups follow saying the same exact thing except they say: “\Device\Harddisk2\DR4”, “\Device\Harddisk3\DR5”, and then “\Device\Harddisk4\DR6”.

After I click continue or cancel on each of them, my computer finally starts and says there is a problem with "C:\Windows\system32\drivers\NTNDIS.exe”.

Below I have listed my HijackThis Log, I would post my rootkit revealer but it says it is way too large to post. Thanks.

Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [xkstartup] C:\WINDOWS\system32\spool\drivers\w32x86\2\ssccgo.exe Xerox WorkCentre XK Series
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

sUBs · 06-09-2007, 12:49 AM

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe
O15 - Trusted Zone: http://toolbar.imageshack.us
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

---------------

1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys:

Drivers::
ntndis

Save this as ComboFix-Do.txt

Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe
Then post the resultant log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

ahart831 · 06-09-2007, 06:31 AM

thanks sUBs! Here's the ComboFix log:
ComboFix 07-06-09.4 - C:\Downloads\software\ComboFix.exe
"HP_Administrator" - 2007-06-09 5:19:10 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\My Documents\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\144.exe
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\koos.exe
C:\WINDOWS\system32\poof
C:\WINDOWS\system32\spoolsvv.exe
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\winsock64.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\runtime

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

2007-06-09 07:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 23:31 6,963,200 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat
2007-06-08 23:06 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\ymsgsmx.dll
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\spmsmtsmxpfx.dll
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\smtsmxpfx.dll
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\gtalsmx.dll
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\aosmx.dll
2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\aimsmx.dll
2007-06-08 21:04 53,248 --a------ C:\WINDOWS\system32\drivers\ntndis.exe
2007-06-08 21:04 4,864 --a------ C:\WINDOWS\system32\drivers\ntndis.sys
2007-06-08 21:04 153,728 --a------ C:\WINDOWS\system32\windev-492-3bd2.sys
2007-06-06 17:19 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Skype
2007-06-06 17:18 <DIR> d-------- C:\Program Files\Skype
2007-06-06 17:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-06-04 21:34 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-06-04 21:34 <DIR> d-------- C:\Program Files\Real
2007-06-04 21:34 <DIR> d-------- C:\My Music
2007-05-10 19:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-05-10 19:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 05:24:53 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Uniblue
2007-06-09 05:24:02 -------- d-----w C:\Program Files\Uniblue
2007-06-08 03:32:25 -------- d-----w C:\Program Files\FlashGet
2007-06-07 01:20:08 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-05 02:34:41 -------- d-----w C:\Program Files\Common Files\Real
2007-05-07 04:07:02 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real
2007-05-07 03:31:13 -------- d-----w C:\Program Files\HP Rhapsody
2007-05-03 17:54:12 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-28 19:20:10 -------- d-----w C:\Program Files\Winamp
2007-04-22 05:13:22 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 04:34:55 -------- d-----w C:\Program Files\BitComet
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 14:44:40 -------- d-----w C:\Program Files\MySpace
2007-04-16 16:11:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\MySpace
2007-04-16 01:18:02 38 ----a-w C:\WINDOWS\SOLOSCAN.BAT
2007-04-16 01:18:02 146 ----a-w C:\AUTOEXEC.BAT
2007-04-14 20:16:30 512 ----a-w C:\ScanSectorLog.dat
2007-04-13 19:14:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys
2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 20:47:53 0 ----a-w C:\WINDOWS\ORUN32.EXE
2007-03-16 20:47:43 0 ----a-w C:\WINDOWS\system32\CMMGR32.EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll [2004-08-16 13:51]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-20 00:55]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 13:15 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 05:53 C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 02:12]
"HostManager"="C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe" [2006-09-25 19:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [2006-11-07 16:11]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [2006-10-03 21:17]
"SoloSysCheck"="C:\SRNMIC~1\SYSCHECK.COM" [2006-02-09 23:56]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 10:44]
"RegistryMechanic"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 13:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 23:04]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-02-18 22:46]
"Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-05 20:41:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-09 12:16:28 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 07:25:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-492-3bd2.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\windev-492-3bd2]
"ImagePath"="\??\C:\WINDOWS\system32\windev-492-3bd2.sys"

Completion time: 2007-06-09 7:26:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 07:26

--- E O F ---

And the fresh Hijack This:
Logfile of HijackThis v1.99.1
Scan saved at 5:28:35 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
c:\windows\system\hpsysdrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: F - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\F.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

ahart831 · 06-09-2007, 07:06 AM

just wanted to follow up... problem seemed to fix itself. I don't get those error messages before start up anymore, nor do I get any error messages after my Background is displayed. However I did get a message from my Windows Firewall asking to block something called "Launcher" and it said something to the extent of it trying to take over my Internet. I selected 'Keep Blocking".... let me know if there's anything else you think I should check out, as i'm sure there's some more wrong stuff with my comp! :)

thanks again :)

sUBs · 06-09-2007, 03:57 PM

Open notepad and copy/paste the text in the quotebox below into it:

Code:

File::
C:\WINDOWS\system32\ymsgsmx.dll
C:\WINDOWS\system32\spmsmtsmxpfx.dll
C:\WINDOWS\system32\smtsmxpfx.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
C:\WINDOWS\system32\windev-492-3bd2.sys
C:\WINDOWS\system32\windev-peers.ini

Drivers::
ntndis
windev-492-3bd2

Registry::
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntndis]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\windev-492-3bd2]

Save this as ComboFix-Do.txt
Drag ComboFix-Do.txt into ComboFix.exe & then post the resultant log

---------------

Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. We only require a report from it.
It does not provide an option to clean/disinfect.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------

In your next post, please include fresh logs from:

Fresh Hijackthis log taken just before replying

Online scan

ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

ahart831 · 06-09-2007, 11:12 PM

Computer seems to be acting normal but I am alarmed at the results from the virus scan. Hope you can help. Thanks again for all your help thus far. :)

HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:09:51 PM, on 6/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\SRNMIC~1\SOLOSENT.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\notepad.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: F - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\F.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

ComboFix
ComboFix 07-06-09.4 - C:\Downloads\software\ComboFix.exe
"HP_Administrator" - 2007-06-09 22:30:00 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\My Documents\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\smtsmxpfx.dll
C:\WINDOWS\system32\spmsmtsmxpfx.dll
C:\WINDOWS\system32\windev-492-3bd2.sys
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\ymsgsmx.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\windev-492-3bd2

((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))

2007-06-09 11:07 <DIR> d-------- C:\Program Files\Viewpoint
2007-06-09 07:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 23:31 6,963,200 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat
2007-06-08 23:06 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-06-08 21:04 53,248 --a------ C:\WINDOWS\system32\drivers\ntndis.exe
2007-06-08 21:04 4,864 --a------ C:\WINDOWS\system32\drivers\ntndis.sys
2007-06-06 17:19 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Skype
2007-06-06 17:18 <DIR> d-------- C:\Program Files\Skype
2007-06-06 17:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-06-04 21:34 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-06-04 21:34 <DIR> d-------- C:\Program Files\Real
2007-06-04 21:34 <DIR> d-------- C:\My Music
2007-05-10 19:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-05-10 19:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 12:38:55 -------- d-----w C:\Program Files\Uniblue
2007-06-09 12:36:43 -------- d-----w C:\Program Files\iPod
2007-06-09 05:24:53 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Uniblue
2007-06-08 03:32:25 -------- d-----w C:\Program Files\FlashGet
2007-06-07 01:20:08 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-05 02:34:41 -------- d-----w C:\Program Files\Common Files\Real
2007-05-07 04:07:02 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real
2007-05-07 03:31:13 -------- d-----w C:\Program Files\HP Rhapsody
2007-05-03 17:54:12 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-28 19:20:10 -------- d-----w C:\Program Files\Winamp
2007-04-22 05:13:22 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 04:34:55 -------- d-----w C:\Program Files\BitComet
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 14:44:40 -------- d-----w C:\Program Files\MySpace
2007-04-16 16:11:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\MySpace
2007-04-16 01:18:02 38 ----a-w C:\WINDOWS\SOLOSCAN.BAT
2007-04-16 01:18:02 146 ----a-w C:\AUTOEXEC.BAT
2007-04-14 20:16:30 512 ----a-w C:\ScanSectorLog.dat
2007-04-13 19:14:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys
2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 20:47:53 0 ----a-w C:\WINDOWS\ORUN32.EXE
2007-03-16 20:47:43 0 ----a-w C:\WINDOWS\system32\CMMGR32.EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll [2004-08-16 13:51]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-20 00:55]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 13:15 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 05:53 C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 02:12]
"HostManager"="C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe" [2006-09-25 19:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [2006-11-07 16:11]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [2006-10-03 21:17]
"SoloSysCheck"="C:\SRNMIC~1\SYSCHECK.COM" [2006-02-09 23:56]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 10:44]
"RegistryMechanic"="" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 13:15]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 23:04]
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-02-18 22:46]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-05 20:41:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-10 03:30:45 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 22:33:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 22:34:04 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 22:34
C:\ComboFix2.txt ... 2007-06-09 07:26

--- E O F ---

Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 10, 2007 12:08:26 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 341839
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 119796
Number of viruses found: 13
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 01:20:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstderr.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aolstdout.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\aoltsmon.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\cache.db Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\TopSpeed\2.0\server.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03172007-191640.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816 ZIP: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\A0032409.exe.bac_a01048/stream/data0005 Infected: not-a-virus:AdWare.Win32.Comet.ay skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\A0032409.exe.bac_a01048/stream/data0009 Infected: not-a-virus:AdWare.Win32.Comet.ba skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\A0032409.exe.bac_a01048/stream Infected: not-a-virus:AdWare.Win32.Comet.ba skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\A0032409.exe.bac_a01048 NSIS: infected - 3 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\A0032409.exe.bac_a01048 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-4ceeb842-1c626837.zip.bac_a00816 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenStream.z skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\ie0601a.jar-523da84a-50d4a99f.zip.bac_a00816 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816 ZIP: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\.housecall6.6\Quarantine\jrl.jar-383ccec8-75ff6320.zip.bac_a00816 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0AEEC09D-8576-4C4D-B03E-471C65E68B07} Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007060920070610\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFD366.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFD3AC.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe Infected: Virus.Win32.Grum.a skipped
C:\QooBox\Quarantine\C\WINDOWS\144.exe.vir Infected: Packed.Win32.Tibs.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\alt.exe.exe.vir Infected: Packed.Win32.Tibs.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Rootkit.Win32.Agent.dp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir Infected: Rootkit.Win32.Agent.ey skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spoolsvv.exe.vir Infected: Packed.Win32.Tibs.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\windev-492-3bd2.sys.vir Infected: Packed.Win32.Tibs.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\winsock64.dll.vir Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\QooBox\Quarantine\catchme2007-06-09_ 72544.98.zip/koos.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\QooBox\Quarantine\catchme2007-06-09_ 72544.98.zip/poof Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\QooBox\Quarantine\catchme2007-06-09_ 72544.98.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP401\A0156889.sys Infected: Rootkit.Win32.Agent.ey skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP403\A0157394.sys Infected: Packed.Win32.Tibs.ab skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP403\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\NCLAUNCH.EXe Infected: Virus.Win32.Grum.a skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7CF2584A-BA67-457E-AFB5-E64ED2250C33}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ntndis.exe Infected: Backdoor.Win32.SdBot.bfh skipped
C:\WINDOWS\system32\drivers\ntndis.sys Infected: Backdoor.Win32.SdBot.aqp skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP403\change.log Object is locked skipped

Scan process completed.

sUBs · 06-09-2007, 11:31 PM

Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:

ViewPoint

Please note any other programs that you dont recognize in that list in your next response

---------------

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O23 - Service: F - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\F.exe (file missing)

----------------

We need to perform another run with ComboFix-Do. Please run the script listed below.

Code:

File::
C:\Documents and Settings\HP_Administrator\.housecall\Quarantine
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys
Folder::
C:\Program Files\Viewpoint

Then post the log that's produced

ahart831 · 06-10-2007, 12:01 AM

Here are some programs I found that I don't know:
Customer Experience Enhancement
Enhanced Multimedia Keyboard Solution
HP Boot Optimizer
HP Deskjet Printer Preload
HP Digital Media Archive
Twain Driver Uninstaller

Here's the latest ComboFix results:
ComboFix 07-06-09.4 - C:\Downloads\software\ComboFix.exe
"HP_Administrator" - 2007-06-10 0:54:31 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\My Documents\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\HP_Administrator\.housecall\Quarantine
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\WINDOWS\NCLAUNCH.EXe
C:\WINDOWS\system32\drivers\ntndis.exe
C:\WINDOWS\system32\drivers\ntndis.sys

((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 )))))))))))))))))))))))))))))))

2007-06-09 22:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-09 22:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-09 07:17 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-08 23:31 7,077,888 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat
2007-06-08 23:06 <DIR> d-------- C:\Program Files\Free Window Registry Repair
2007-06-06 17:19 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Skype
2007-06-06 17:18 <DIR> d-------- C:\Program Files\Skype
2007-06-06 17:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-06-04 21:34 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys
2007-06-04 21:34 <DIR> d-------- C:\Program Files\Real
2007-06-04 21:34 <DIR> d-------- C:\My Music
2007-05-10 19:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-05-10 19:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 12:38:55 -------- d-----w C:\Program Files\Uniblue
2007-06-09 12:36:43 -------- d-----w C:\Program Files\iPod
2007-06-09 05:24:53 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Uniblue
2007-06-08 03:32:25 -------- d-----w C:\Program Files\FlashGet
2007-06-07 01:20:08 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-06-05 02:34:41 -------- d-----w C:\Program Files\Common Files\Real
2007-05-07 04:07:02 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real
2007-05-07 03:31:13 -------- d-----w C:\Program Files\HP Rhapsody
2007-05-03 17:54:12 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-28 19:20:10 -------- d-----w C:\Program Files\Winamp
2007-04-22 05:13:22 -------- d-----w C:\Program Files\Yahoo!
2007-04-19 04:34:55 -------- d-----w C:\Program Files\BitComet
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 14:44:40 -------- d-----w C:\Program Files\MySpace
2007-04-16 16:11:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\MySpace
2007-04-16 01:18:02 38 ----a-w C:\WINDOWS\SOLOSCAN.BAT
2007-04-16 01:18:02 146 ----a-w C:\AUTOEXEC.BAT
2007-04-14 20:16:30 512 ----a-w C:\ScanSectorLog.dat
2007-04-13 19:14:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys
2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-16 20:47:53 0 ----a-w C:\WINDOWS\ORUN32.EXE
2007-03-16 20:47:43 0 ----a-w C:\WINDOWS\system32\CMMGR32.EXE

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll [2004-08-16 13:51]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-20 00:55]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 C:\WINDOWS\arpwrmsg.exe]
"nwiz"="nwiz.exe" [2006-01-24 13:15 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-23 05:53 C:\WINDOWS\RTHDCPL.EXE]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 02:12]
"HostManager"="C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe" [2006-09-25 19:52]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50]
"ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [2006-11-07 16:11]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [2006-10-03 21:17]
"SoloSysCheck"="C:\SRNMIC~1\SYSCHECK.COM" [2006-02-09 23:56]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 10:44]
"RegistryMechanic"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

Contents of the 'Scheduled Tasks' folder
2007-06-05 20:41:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-10 05:50:45 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-10 00:56:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-10 0:56:21
C:\ComboFix-quarantined-files.txt ... 2007-06-10 00:56
C:\ComboFix2.txt ... 2007-06-09 22:34
C:\ComboFix3.txt ... 2007-06-09 07:26

--- E O F ---

Thanks again for all your help! :)

sUBs · 06-10-2007, 05:26 AM

* C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe.vir
* C:\QooBox\Quarantine\C\WINDOWS\NCLAUNCH.EXe.vir
* C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ntndis.exe.vir
* C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ntndis.sys.vir

ComboFix has quarantined the above files. Please locate & upload them to this website. I need to check if they have hidden associates.

http://www.bleepingcomputer.com/subm....php?channel=4

ahart831 · 06-10-2007, 10:18 AM

It says they are all uploaded... do I need to do anything specific so you can get to them?

sUBs · 06-10-2007, 10:32 AM

Received them. Will look at it in awhile

sUBs · 06-10-2007, 10:48 AM

I have checked the files. There should be no other hidden accomplices lying wait in your machine

-----------

Of the stuff Kaspersky found,

C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while

----------------------

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start → Run → type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html
Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html
SPYWAREBLASTER
SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html
IE-SPYAD
IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.
http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

ahart831 · 06-10-2007, 12:42 PM

Hi sUBs... thanks for all your help.

I had a problem while visiting the windows update site: it says it's checking for updates but then I get this:
[Error number: 0x80245003]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Some other problems I am noticing is that when I start my computer the windows firewall is off... and I always have to turn it back on. Any idea on why that could be? Thanks again!

sUBs · 06-10-2007, 01:12 PM

Quote:

[Error number: 0x80245003]

Please try the solution proffered here > http://www.jsifaq.com/SF/Tips/Tip.aspx?id=10651

Let me know how that went

ahart831 · 06-10-2007, 01:17 PM

Thanks I tried that and it worked, then when I tried to update it said critical files were missing and it recommended that I reinstalled them... I clicked that and then I got the following error message:

[Error number: 0x8024D007]
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
For self-help options:

Frequently Asked Questions

Find Solutions

Windows Update Newsgroup
For assisted support options:

Microsoft Online Assisted Support (no-cost for Windows Update issues)

Thank you for all your help sUBs, I really appreciate it. :)

sUBs · 06-10-2007, 01:24 PM

Do this for your firewall issue.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002

Save this as fix.reg Choose to "Save type as - All Files"
It should look like this:

Double click on fix.reg & allow it to merge into the registry

Reboot the machine & check if the firewall is running

ahart831 · 06-10-2007, 01:55 PM

hi sUBS... that worked! :)

Now I think I am just having problems with the updating from the Windows site.

sUBs · 06-10-2007, 02:00 PM

Error number: 0x8024D007 is supposedly an undocumented Windows Update error. Found some sites where some helpful suggestions have been posted:

http://www.mcse.ms/message1675586.html

http://channel9.msdn.com/ShowPost.aspx?PostID=202952

Please try the methods suggested. Let us know how it went

ahart831 · 06-10-2007, 02:19 PM

those two problems seem to be fixed, I just updated my Windows using the site... is there anything else you think I should do before we resolve the issue?

sUBs · 06-10-2007, 02:26 PM

Quote:

is there anything else you think I should do before we resolve the issue?

Surf Safe

06-09-2007, 12:18 AM	#1 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Hey guys… I am having the following problem. Whenever I start up my computer I get an error message (before my wallpaper is displayed) that says: “There is no disk in the drive Please insert disk into drive “\Device\Harddisk1\DR3” I usually click on cancel or continue and then three other pop ups follow saying the same exact thing except they say: “\Device\Harddisk2\DR4”, “\Device\Harddisk3\DR5”, and then “\Device\Harddisk4\DR6”. After I click continue or cancel on each of them, my computer finally starts and says there is a problem with "C:\Windows\system32\drivers\NTNDIS.exe”. Below I have listed my HijackThis Log, I would post my rootkit revealer but it says it is way too large to post. Thanks. Logfile of HijackThis v1.99.1 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe C:\Program Files\HP\HP Software Update\HPwuSchd2.exe C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe C:\HP\KBD\KBD.EXE C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\SRNMIC~1\SOLOSENT.EXE C:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\NCLAUNCH.EXe C:\Program Files\America Online 9.0\waol.exe C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\WINDOWS\arservice.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\dllhost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\America Online 9.0\shellmon.exe C:\Program Files\AIM\aim.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [xkstartup] C:\WINDOWS\system32\spool\drivers\w32x86\2\ssccgo.exe Xerox WorkCentre XK Series O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O15 - Trusted Zone: http://toolbar.imageshack.us O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing) O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

06-09-2007, 12:49 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Do a HijackThis scan & place a check next to these items and select "Fix checked": R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\ntndis.exe O15 - Trusted Zone: http://toolbar.imageshack.us O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing) --------------- 1. Download this file -> http://download.bleepingcomputer.com...a/ComboFix.exe 2. Open notepad and copy/paste the text in the quotebox below into it: Code: File:: C:\WINDOWS\system32\drivers\ntndis.exe C:\WINDOWS\system32\drivers\ntndis.sys: Drivers:: ntndis Save this as ComboFix-Do.txt Refering to the picture above, drag ComboFix-Do.txt into ComboFix.exe Then post the resultant log & a fresh HJT log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall __________________ Question - what have you done for the community today?

06-09-2007, 06:31 AM	#3 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! thanks sUBs! Here's the ComboFix log: ComboFix 07-06-09.4 - C:\Downloads\software\ComboFix.exe "HP_Administrator" - 2007-06-09 5:19:10 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\HP_Administrator\My Documents\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\144.exe C:\WINDOWS\system32\8_exception.nls C:\WINDOWS\system32\alt.exe.exe C:\WINDOWS\system32\drivers\ip6fw.sys C:\WINDOWS\system32\drivers\runtime2.sys C:\WINDOWS\system32\koos.exe C:\WINDOWS\system32\poof C:\WINDOWS\system32\spoolsvv.exe C:\WINDOWS\system32\svcp.csv C:\WINDOWS\system32\windev-peers.ini C:\WINDOWS\system32\winsub.xml C:\WINDOWS\winsock64.dll ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_POOF -------\LEGACY_RUNTIME -------\LEGACY_RUNTIME2 -------\runtime ((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 ))))))))))))))))))))))))))))))) 2007-06-09 07:17 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-08 23:31 6,963,200 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat 2007-06-08 23:06 <DIR> d-------- C:\Program Files\Free Window Registry Repair 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\ymsgsmx.dll 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\spmsmtsmxpfx.dll 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\smtsmxpfx.dll 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\gtalsmx.dll 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\aosmx.dll 2007-06-08 21:04 854 --a------ C:\WINDOWS\system32\aimsmx.dll 2007-06-08 21:04 53,248 --a------ C:\WINDOWS\system32\drivers\ntndis.exe 2007-06-08 21:04 4,864 --a------ C:\WINDOWS\system32\drivers\ntndis.sys 2007-06-08 21:04 153,728 --a------ C:\WINDOWS\system32\windev-492-3bd2.sys 2007-06-06 17:19 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Skype 2007-06-06 17:18 <DIR> d-------- C:\Program Files\Skype 2007-06-06 17:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype 2007-06-04 21:34 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys 2007-06-04 21:34 <DIR> d-------- C:\Program Files\Real 2007-06-04 21:34 <DIR> d-------- C:\My Music 2007-05-10 19:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2007-05-10 19:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-09 05:24:53 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Uniblue 2007-06-09 05:24:02 -------- d-----w C:\Program Files\Uniblue 2007-06-08 03:32:25 -------- d-----w C:\Program Files\FlashGet 2007-06-07 01:20:08 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-06-05 02:34:41 -------- d-----w C:\Program Files\Common Files\Real 2007-05-07 04:07:02 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real 2007-05-07 03:31:13 -------- d-----w C:\Program Files\HP Rhapsody 2007-05-03 17:54:12 -------- d-----w C:\Program Files\Common Files\AOL 2007-04-28 19:20:10 -------- d-----w C:\Program Files\Winamp 2007-04-22 05:13:22 -------- d-----w C:\Program Files\Yahoo! 2007-04-19 04:34:55 -------- d-----w C:\Program Files\BitComet 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-18 14:44:40 -------- d-----w C:\Program Files\MySpace 2007-04-16 16:11:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\MySpace 2007-04-16 01:18:02 38 ----a-w C:\WINDOWS\SOLOSCAN.BAT 2007-04-16 01:18:02 146 ----a-w C:\AUTOEXEC.BAT 2007-04-14 20:16:30 512 ----a-w C:\ScanSectorLog.dat 2007-04-13 19:14:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat 2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll 2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys 2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-16 20:47:53 0 ----a-w C:\WINDOWS\ORUN32.EXE 2007-03-16 20:47:43 0 ----a-w C:\WINDOWS\system32\CMMGR32.EXE ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46] {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04] {601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll [2004-08-16 13:51] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-20 00:55] {F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 C:\WINDOWS\arpwrmsg.exe] "nwiz"="nwiz.exe" [2006-01-24 13:15 C:\WINDOWS\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2006-01-23 05:53 C:\WINDOWS\RTHDCPL.EXE] "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35] "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 02:12] "HostManager"="C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe" [2006-09-25 19:52] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50] "ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [2006-11-07 16:11] "KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20] "SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [2006-10-03 21:17] "SoloSysCheck"="C:\SRNMIC~1\SYSCHECK.COM" [2006-02-09 23:56] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 10:44] "RegistryMechanic"="" [] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 13:15] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-06 23:04] "NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [2007-02-18 22:46] "Uniblue RegistryBooster2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [2007-05-16 10:18] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "RunNarrator"=Narrator.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost netsvcs Contents of the 'Scheduled Tasks' folder 2007-06-05 20:41:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-06-09 12:16:28 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-09 07:25:45 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\windev-492-3bd2.sys C:\WINDOWS\system32\windev-peers.ini C:\WINDOWS\system32\drivers\ntndis.exe C:\WINDOWS\system32\drivers\ntndis.sys scan completed successfully hidden files: 4 ********************************************************************** [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\windev-492-3bd2] "ImagePath"="\??\C:\WINDOWS\system32\windev-492-3bd2.sys" Completion time: 2007-06-09 7:26:38 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-06-09 07:26 --- E O F --- And the fresh Hijack This:** Logfile of HijackThis v1.99.1 Scan saved at 5:28:35 AM, on 6/9/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16441) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe C:\WINDOWS\arservice.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe C:\Program Files\HP\HP Software Update\HPwuSchd2.exe C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe C:\Program Files\Common Files\AOL\ACS\AOLDial.exe C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe C:\HP\KBD\KBD.EXE C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\SRNMIC~1\SOLOSENT.EXE C:\WINDOWS\eHome\ehRecvr.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe c:\windows\system\hpsysdrv.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [ASM] "C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" HIDEMAIN O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [SoloSentry] C:\SRNMIC~1\SOLOSENT.EXE O4 - HKLM\..\Run: [SoloSysCheck] C:\SRNMIC~1\SYSCHECK.COM O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: F - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\F.exe (file missing) O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

06-09-2007, 07:06 AM	#4 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! just wanted to follow up... problem seemed to fix itself. I don't get those error messages before start up anymore, nor do I get any error messages after my Background is displayed. However I did get a message from my Windows Firewall asking to block something called "Launcher" and it said something to the extent of it trying to take over my Internet. I selected 'Keep Blocking".... let me know if there's anything else you think I should check out, as i'm sure there's some more wrong stuff with my comp! :) thanks again :)

06-09-2007, 03:57 PM	#5 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Open notepad and copy/paste the text in the quotebox below into it: Code: File:: C:\WINDOWS\system32\ymsgsmx.dll C:\WINDOWS\system32\spmsmtsmxpfx.dll C:\WINDOWS\system32\smtsmxpfx.dll C:\WINDOWS\system32\gtalsmx.dll C:\WINDOWS\system32\aosmx.dll C:\WINDOWS\system32\aimsmx.dll C:\WINDOWS\system32\drivers\ntndis.exe C:\WINDOWS\system32\drivers\ntndis.sys C:\WINDOWS\system32\windev-492-3bd2.sys C:\WINDOWS\system32\windev-peers.ini Drivers:: ntndis windev-492-3bd2 Registry:: [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntndis] [-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\windev-492-3bd2] Save this as ComboFix-Do.txt Drag ComboFix-Do.txt into ComboFix.exe & then post the resultant log --------------- Please perform an online scan using Internet Explorer at http://www.kaspersky.com/virusscanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. We only require a report from it. It does not provide an option to clean/disinfect. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. --------------- In your next post, please include fresh logs from: Fresh Hijackthis log taken just before replying Online scan ComboFix's log Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

06-09-2007, 11:31 PM	#7 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs: ViewPoint Please note any other programs that you dont recognize in that list in your next response --------------- Do a HijackThis scan & place a check next to these items and select "Fix checked": O23 - Service: F - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\F.exe (file missing) ---------------- We need to perform another run with ComboFix-Do. Please run the script listed below. Code: File:: C:\Documents and Settings\HP_Administrator\.housecall\Quarantine C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\system32\drivers\ntndis.exe C:\WINDOWS\system32\drivers\ntndis.sys Folder:: C:\Program Files\Viewpoint Then post the log that's produced __________________ Question - what have you done for the community today? Last edited by sUBs; 06-09-2007 at 11:37 PM.

06-10-2007, 12:01 AM	#8 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Here are some programs I found that I don't know: Customer Experience Enhancement Enhanced Multimedia Keyboard Solution HP Boot Optimizer HP Deskjet Printer Preload HP Digital Media Archive Twain Driver Uninstaller Here's the latest ComboFix results: ComboFix 07-06-09.4 - C:\Downloads\software\ComboFix.exe "HP_Administrator" - 2007-06-10 0:54:31 - Service Pack 2 NTFS Command switches used :: C:\Documents and Settings\HP_Administrator\My Documents\ComboFix-Do.txt ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Documents and Settings\HP_Administrator\.housecall\Quarantine C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe C:\Program Files\Viewpoint C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll C:\WINDOWS\NCLAUNCH.EXe C:\WINDOWS\system32\drivers\ntndis.exe C:\WINDOWS\system32\drivers\ntndis.sys ((((((((((((((((((((((((( Files Created from 2007-05-10 to 2007-06-10 ))))))))))))))))))))))))))))))) 2007-06-09 22:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab 2007-06-09 22:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab 2007-06-09 07:17 49,152 --a------ C:\WINDOWS\nircmd.exe 2007-06-08 23:31 7,077,888 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat 2007-06-08 23:06 <DIR> d-------- C:\Program Files\Free Window Registry Repair 2007-06-06 17:19 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\Skype 2007-06-06 17:18 <DIR> d-------- C:\Program Files\Skype 2007-06-06 17:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype 2007-06-04 21:34 8,552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys 2007-06-04 21:34 <DIR> d-------- C:\Program Files\Real 2007-06-04 21:34 <DIR> d-------- C:\My Music 2007-05-10 19:48 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys 2007-05-10 19:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-06-09 12:38:55 -------- d-----w C:\Program Files\Uniblue 2007-06-09 12:36:43 -------- d-----w C:\Program Files\iPod 2007-06-09 05:24:53 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Uniblue 2007-06-08 03:32:25 -------- d-----w C:\Program Files\FlashGet 2007-06-07 01:20:08 33,624 ----a-w C:\WINDOWS\system32\wups.dll 2007-06-05 02:34:41 -------- d-----w C:\Program Files\Common Files\Real 2007-05-07 04:07:02 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Real 2007-05-07 03:31:13 -------- d-----w C:\Program Files\HP Rhapsody 2007-05-03 17:54:12 -------- d-----w C:\Program Files\Common Files\AOL 2007-04-28 19:20:10 -------- d-----w C:\Program Files\Winamp 2007-04-22 05:13:22 -------- d-----w C:\Program Files\Yahoo! 2007-04-19 04:34:55 -------- d-----w C:\Program Files\BitComet 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll 2007-04-18 14:44:40 -------- d-----w C:\Program Files\MySpace 2007-04-16 16:11:27 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\MySpace 2007-04-16 01:18:02 38 ----a-w C:\WINDOWS\SOLOSCAN.BAT 2007-04-16 01:18:02 146 ----a-w C:\AUTOEXEC.BAT 2007-04-14 20:16:30 512 ----a-w C:\ScanSectorLog.dat 2007-04-13 19:14:44 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat 2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll 2007-04-13 17:30:43 33,592 ----a-w C:\WINDOWS\system32\drivers\atwpkt264.sys 2007-04-13 17:30:39 25,136 ----a-w C:\WINDOWS\system32\drivers\atwpkt2.sys 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-16 20:47:53 0 ----a-w C:\WINDOWS\ORUN32.EXE 2007-03-16 20:47:43 0 ----a-w C:\WINDOWS\system32\CMMGR32.EXE ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-01-29 04:46] {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04] {601ED020-FB6C-11D3-87D8-0050DA59922B}=C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll [2004-08-16 13:51] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43] {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-01-20 00:55] {F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-14 22:40] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 19:19 C:\WINDOWS\arpwrmsg.exe] "nwiz"="nwiz.exe" [2006-01-24 13:15 C:\WINDOWS\system32\nwiz.exe] "RTHDCPL"="RTHDCPL.EXE" [2006-01-23 05:53 C:\WINDOWS\RTHDCPL.EXE] "HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 18:35] "HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 12:29] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 02:12] "HostManager"="C:\Program Files\Common Files\AOL\1148773181\ee\AOLSoftware.exe" [2006-09-25 19:52] "AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 07:50] "ASM"="C:\Program Files\AOL\Active Security Monitor\ASMonitor.exe" [2006-11-07 16:11] "KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20] "SoloSentry"="C:\SRNMIC~1\SOLOSENT.EXE" [2006-10-03 21:17] "SoloSysCheck"="C:\SRNMIC~1\SYSCHECK.COM" [2006-02-09 23:56] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 10:44] "RegistryMechanic"="" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 16:00] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [] "NCLaunch"="C:\WINDOWS\NCLAUNCH.EXe" [] [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce] "RunNarrator"=Narrator.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t "MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost netsvcs Contents of the 'Scheduled Tasks' folder 2007-06-05 20:41:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2007-06-10 05:50:45 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************************************ catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-10 00:56:02 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ Completion time: 2007-06-10 0:56:21 C:\ComboFix-quarantined-files.txt ... 2007-06-10 00:56 C:\ComboFix2.txt ... 2007-06-09 22:34 C:\ComboFix3.txt ... 2007-06-09 07:26 --- E O F --- Thanks again for all your help! :)

06-10-2007, 05:26 AM	#9 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! * C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe.vir * C:\QooBox\Quarantine\C\WINDOWS\NCLAUNCH.EXe.vir * C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ntndis.exe.vir * C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ntndis.sys.vir ComboFix has quarantined the above files. Please locate & upload them to this website. I need to check if they have hidden associates. http://www.bleepingcomputer.com/subm....php?channel=4 __________________ Question - what have you done for the community today?

06-10-2007, 10:18 AM	#10 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! It says they are all uploaded... do I need to do anything specific so you can get to them?

06-10-2007, 10:32 AM	#11 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Received them. Will look at it in awhile __________________ Question - what have you done for the community today?

06-10-2007, 10:48 AM	#12 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! I have checked the files. There should be no other hidden accomplices lying wait in your machine ----------- Of the stuff Kaspersky found, C:\QooBox\ is ComboFix's quarantine folder. You can safely delete it C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be reseting/clearing the cache in a little while ---------------------- Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start → Run → type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html Microsoft Windows Update → http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html SPYWAREBLASTER SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites. Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows. http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. http://www.winpatrol.com/ -Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: http://www.winpatrol.com/features.html To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

06-10-2007, 12:42 PM	#13 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Hi sUBs... thanks for all your help. I had a problem while visiting the windows update site: it says it's checking for updates but then I get this: [Error number: 0x80245003] The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. For self-help options: Frequently Asked Questions Find Solutions Windows Update Newsgroup For assisted support options: Microsoft Online Assisted Support (no-cost for Windows Update issues) Some other problems I am noticing is that when I start my computer the windows firewall is off... and I always have to turn it back on. Any idea on why that could be? Thanks again!

06-10-2007, 01:17 PM	#15 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Thanks I tried that and it worked, then when I tried to update it said critical files were missing and it recommended that I reinstalled them... I clicked that and then I got the following error message: [Error number: 0x8024D007] The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. For self-help options: Frequently Asked Questions Find Solutions Windows Update Newsgroup For assisted support options: Microsoft Online Assisted Support (no-cost for Windows Update issues) Thank you for all your help sUBs, I really appreciate it. :)

06-10-2007, 01:55 PM	#17 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! hi sUBS... that worked! :) Now I think I am just having problems with the updating from the Windows site.

06-10-2007, 02:00 PM	#18 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,479 OS: N/A	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! Error number: 0x8024D007 is supposedly an undocumented Windows Update error. Found some sites where some helpful suggestions have been posted: http://www.mcse.ms/message1675586.html http://channel9.msdn.com/ShowPost.aspx?PostID=202952 Please try the methods suggested. Let us know how it went __________________ Question - what have you done for the community today?

06-10-2007, 02:19 PM	#19 (permalink)
ahart831 Registered User Join Date: Jun 2007 Posts: 14 OS: Windows XP	Re: Need help with C:\Windows\system32\drivers\NTNDIS.exe error please!! those two problems seem to be fixed, I just updated my Windows using the site... is there anything else you think I should do before we resolve the issue?