Can't delete a Trojan.

June 4, 2010 at 16:07:14
Specs: Windows XP
I found some trojans on my PC today, around 20. I managed to get rid of all of them except for trojan horse generic 17.bkcs; the antivirus keeps telling me it can't delete it. The trojan disables my firewall and after a while I get 4-7 other trojans. I tried Trojan Remover and Malwarebytes, but nothing helps. Is there anything else I could do besides formatting the hard drive? Please help.




#1
June 4, 2010 at 20:43:50
Go to the link below and complete the steps; let me know when you are through!

Please do this first, very important
http://www.computing.net/howtos/sho..



#2
June 5, 2010 at 02:24:41
Thank you so much for replying!

I've completed all of the steps.

Also, I've noticed that AVG Anti-Virus tells me that the trojan is in windows\system32\services.exe, whereas Malwarebytes says it's in windows\system32\ipsecndis.sys, system32\Drivers\ntndis.sys and c:\lsass.exe, but it can't delete any of them..



#3
June 5, 2010 at 05:08:24
Download combofix from the following site and follow the instructions carefully:
http://www.bleepingcomputer.com/com...

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#4
June 5, 2010 at 10:24:34
Thanks, I ran ComboFix and it doesn't seem to have helped, but here is the log anyway:

ComboFix 10-06-03.01 - Yana-buh 05/06/2010 18:07:46.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.129 [GMT 1:00]
Running from: c:\documents and settings\Yana-buh\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\lsass.exe.vir
c:\windows\system32\msxsltsso.dll

c:\windows\system32\drivers\ndis.sys . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2010-06-04 19:00 . 93B984ECAFF503D80C61E76A9959CEEA . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-06-04 19:00 . 93B984ECAFF503D80C61E76A9959CEEA . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-04 20:09 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ICQ7.0\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ7.0\\ICQ.exe"=
"c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [04/04/2010 21:09 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [04/04/2010 21:09 242896]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [04/04/2010 21:08 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [04/04/2010 21:07 308064]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [13/03/2010 14:54 246520]
S0 yyhuek;yyhuek; [x]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 13:21]

2010-06-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-73586283-1972579041-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-05-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-73586283-1972579041-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
FF - ProfilePath - c:\documents and settings\Yana-buh\Application Data\Mozilla\Firefox\Profiles\emhvmj9j.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&tb_ver=2.0.0.1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension\components\FirefoxExtension.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Yana-buh\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Yana-buh\Application Data\Mozilla\Firefox\Profiles\emhvmj9j.default\extensions\maps@ovi.com\plugins\npNMapNPR.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SSODL-GootkitSSO-{644D1F0A-B64E-4CDE-A8AB-ECD6DE3001F0} - c:\windows\System32\msxsltsso.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 18:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-06-05 18:17:06
ComboFix-quarantined-files.txt 2010-06-05 17:17

Pre-Run: 39,614,189,568 bytes free
Post-Run: 40,344,739,840 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 9943E7DDDA7A19D2A77BB9E9FD4C0D40



#5
June 5, 2010 at 10:49:51
msxsltsso.dll is a BAD one.
Use Unhackme:
http://www.greatis.com/unhackme/dow...
Follow the instructions on unhackme for beginners to run the program


#6
June 5, 2010 at 11:14:02
I downloaded the program, but I can't find the instructions on how to use it..
------------------------------------------

Okay, I found out how to run it. The first time it said there were no trojans on the computer, but when I clicked on Advanced Scan, C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS keeps coming up like it did before. I'm afraid to delete it; it seems like a system file. What should I do now?



#7
June 5, 2010 at 11:49:36
What does UnHackMe recommend for that file?


#8
June 5, 2010 at 12:56:39
Hm, the options are:
Add to ignore list
Program database...
Google it
View in Regedit
Delete marked items and False Positive.


Also, that msxsltsso.dll virus is back. I really don't get them. I keep different programs running one after another to get rid of the viruses because I still don't have control over the firewall, and the icons beside the time don't show anymore, so I'm not sure if the anti-virus is running all the time, and all of the different trojans come back. Another one that bugs me a lot is the one that's called catchme.sys or something like that...



#9
June 5, 2010 at 13:11:51
Try some of the options in UnHackMe, like "Google it".

Did you try hitman pro yet?
http://www.surfright.nl/en

That is also real good at removing hidden rootkits.


#10
June 5, 2010 at 13:44:43
I tried Hitman Pro; it removed msxsltsso.dll, but when it comes to ndis.sys, it says that in order to delete it, it would need to replace it with the original file since it's a system file. It asks me to insert the Windows XP installation disk, but when I do, a black window pops up like the one in ComboFix with something written in it, it closes and nothing happens.. it just doesn't delete it for some reason. Maybe there is a way to get that file on the internet and replace the virus with it?


#11
June 5, 2010 at 13:53:01
It's hard to say because I'm not there.

I know if I had the PC here I could get it working pretty snappy. I've been repairing PCs for 9 yrs now.

Maybe try running combofix again and see how that works out for you.


#12
June 5, 2010 at 14:01:12
Yeah, I tried it 30 minutes ago, that ndis.sys seems to be the only one left=/

It turns out there are three of them on the pc. One in C:\WINDOWS\system32\dllcache. One in C:\WINDOWS\system32\drivers and one in C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e . Is that how it's supposed to be?

I'm so sorry to keep bothering you..
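The three ndis.sys copies asked about here are the ones in the Sigcheck section of the ComboFix log above: the drivers\ and dllcache\ copies share one MD5, one size and no version string, while the copy in the Windows Update download folder has a different hash and size and carries version 5.1.2600.5512. As an added example (not from the thread and not ComboFix's own code), this Python script parses those Sigcheck rows, compares every copy of a file name against the one that carries a version string, and reports when the dllcache backup has been replaced as well, since Windows File Protection restores from dllcache and so cannot put a clean file back on its own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The three Sigcheck lines copied verbatim from the ComboFix log posted above.
SIGCHECK_LOG = r"""
[-] 2010-06-04 19:00 . 93B984ECAFF503D80C61E76A9959CEEA . 211072 . . [------] . . c:\windows\system32\drivers\ndis.sys
[-] 2010-06-04 19:00 . 93B984ECAFF503D80C61E76A9959CEEA . 211072 . . [------] . . c:\windows\system32\dllcache\ndis.sys
[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
"""

# One Sigcheck row: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[.\]\s+(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    date: str
    md5: str
    size: int
    version: Optional[str]  # None when the version column is only dashes
    path: str

    @property
    def name(self) -> str:
        # ntpath splits backslash paths correctly even on Linux/macOS
        return ntpath.basename(self.path).lower()


def parse_sigcheck(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything that is not a Sigcheck row
        ver = m["version"].strip()
        entries.append(Entry(
            date=m["date"], md5=m["md5"].upper(), size=int(m["size"]),
            version=None if set(ver) <= {"-"} else ver, path=m["path"],
        ))
    return entries


def assess(entries: List[Entry]) -> Dict[str, str]:
    """Verdict per path: the copy carrying a version string is the only one the
    log identifies, so every other copy of that file name is compared to it."""
    verdicts: Dict[str, str] = {}
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    for copies in by_name.values():
        refs = [c for c in copies if c.version]
        for c in copies:
            if c.version:
                verdicts[c.path] = f"reference: version {c.version}"
            elif not refs:
                verdicts[c.path] = "unknown: no versioned copy to compare against"
            elif c.md5 == refs[0].md5:
                verdicts[c.path] = "matches reference"
            else:  # sitting in system32 does not make a copy clean
                verdicts[c.path] = (f"suspect: no version info, md5 differs from "
                                    f"reference, size {c.size} vs {refs[0].size}")
    return verdicts


def wfp_cache_overwritten(entries: List[Entry]) -> List[str]:
    """Names whose live copy and dllcache backup share one unversioned hash.
    Windows File Protection restores from dllcache, so it would put the same
    file back; a clean copy has to come from installation media instead."""
    live: Dict[str, Entry] = {}
    cache: Dict[str, Entry] = {}
    for e in entries:
        if e.version is not None:
            continue
        (cache if "\\dllcache\\" in e.path.lower() else live)[e.name] = e
    return sorted(n for n in live if n in cache and cache[n].md5 == live[n].md5)
```

Calling assess(parse_sigcheck(SIGCHECK_LOG)) marks both system32 copies as suspect and the SoftwareDistribution copy as the reference, and wfp_cache_overwritten returns ["ndis.sys"], which is why the tools in the thread asked for the installation disk.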



#13
June 5, 2010 at 14:11:40
It's no bother. I'm not really sure on your Q though; you may have to Google it.

Here, check this out:
http://www.file.net/process/ndis.sy...


#14
June 5, 2010 at 14:15:58
Oh, I found that if I delete it, it's possible to replace it with the same file taken from another pc, I'm just afraid that the computer would crash if I get rid of it..


#15
June 5, 2010 at 14:23:59
Thanks, does that mean anything not in the system32 folder is a virus and can be deleted?


#16
June 5, 2010 at 14:27:59
ndis.sys looks like it is the ethernet driver?


#17
June 5, 2010 at 14:33:18
I don't know what an ethernet driver is. So what should I do? Try to replace it? Nothing else seems to work..


#18
June 5, 2010 at 14:43:15
Ethernet is the input on your tower that looks like a phone jack, only it is larger, and lets you connect to your modem or router.

When you don't understand something, try google,
http://www.google.com/
it is full of answers.


#19
June 5, 2010 at 14:48:20
I did google it, but nothing came up..
Ah, maybe that's why I've been having such a bad connection all day today..


#20
June 5, 2010 at 15:38:36
Well, I don't know what to do anymore, so I guess I'll just leave it for now.

Thank you for your time and kind help :)

