| Thread ID: 83932 | 2007-10-18 06:12:00 | What's Indt.sys? Need help!!!!! | aklthomas (12936) | Press F1 |
| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 602877 | 2007-11-14 00:42:00 | Run HijackThis again, tick these entries, then tick Fix checked. Close your browser(s). O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE What have you got that's Symantec? Is it a firewall and AV program? O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe What's this? If you don't know, tick it. O4 - HKCU\..\Run: [MOMORacingFixCenter] "C:\Documents and Settings\Chip\MOMORacingFixCenter.exe" 0 Uninstall ALL versions of Sun Java. Yours is out of date. Link is in my sig. Try the files listed here (www.bleepingcomputer.com): SDFix and ComboFix. Follow what it says on that site. | Speedy Gonzales (78) |
| 602878 | 2007-11-14 01:17:00 | Yo! Speedy, check your PM on this problem; I want a second opinion before posting here. Cheers. | wainuitech (129) |
| 602879 | 2007-11-14 02:54:00 | First, the ComboFix report (while it was running there were 6 Windows crash messages asking whether or not to send to MS; I chose not to send each time): ComboFix 07-11-08.3 - Chip 2007-11-13 20:02:37.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1648 [GMT -7:00] Running from: C:\Documents and Settings\Chip\Desktop\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 ))))))))))))))))))))))))))))))) . 2007-11-13 19:38 <DIR> d-------- C:\WINDOWS\ERUNT 2007-11-13 18:54 51,200 --a------ C:\WINDOWS\NirCmd.exe 2007-11-13 17:43 <DIR> d-------- C:\Program Files\Spyware Doctor 2007-11-13 17:43 <DIR> d-------- C:\Documents and Settings\Chip\Application Data\PC Tools 2007-11-13 17:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll 2007-11-13 17:43 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys 2007-11-13 17:43 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys 2007-11-13 17:43 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys 2007-11-13 17:43 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys 2007-11-13 16:54 <DIR> d-------- C:\Program Files\RogueRemover FREE 2007-11-13 16:51 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat 2007-11-13 16:51 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat 2007-11-13 16:50 <DIR> d-------- C:\Program Files\Kaspersky Lab 2007-11-13 16:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2007-11-13 16:50 2,250,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-11-13 16:50 23,584 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-11-13 16:49 <DIR> d-------- C:\KAV 2007-11-13 16:39 24,760,584 --a------ C:\temp\kav7.0.0.125en.exe 2007-11-13 16:22 250,880 --a------ C:\WINDOWS\system32\ndt2.sys 2007-11-13 16:22 40,960 --a------ C:\WINDOWS\system32\Indt2.sys 2007-11-12 22:09 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP 2007-11-12 22:07 <DIR> d-------- C:\Program Files\Trojan Remover 2007-11-12 22:07 <DIR> d-------- C:\Documents and Settings\Chip\Application Data\Simply Super Software 2007-11-12 22:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software 2007-11-12 22:07 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll 2007-11-12 22:07 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll 2007-11-12 22:07 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll 2007-11-12 22:07 75,264 --a------ C:\WINDOWS\system32\unacev2.dll 2007-11-12 22:07 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll 2007-11-12 22:06 <DIR> d-------- C:\Program Files\Trend Micro 2007-11-12 19:53 <DIR> d-------- C:\temp\keys 2007-11-11 21:31 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2007-11-11 21:31 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2007-11-11 21:31 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2007-11-11 21:31 22,328 --a------ C:\Documents and Settings\Chip\Application Data\PnkBstrK.sys 2007-11-11 20:59 <DIR> d--hs---- C:\WINDOWS\ftpcache 2007-11-06 22:01 <DIR> d-------- C:\Program Files\ACTC 2007-10-25 12:59 991,232 --a------ C:\temp\d3d9.dll 2007-10-23 12:42 <DIR> d-------- C:\temp\New Folder 2007-10-22 16:57 <DIR> d-------- C:\temp\r 2007-10-22 14:34 <DIR> d-------- C:\temp\Chip Wiegand 2007-10-21 21:19 <DIR> d-------- C:\Program Files\Steam 2007-10-21 20:44 <DIR> d-------- C:\temp\SteamApps 2007-10-20 17:02 <DIR> d-------- C:\temp\Raleigh 2007-10-19 17:12 3,269,880 --a------ C:\temp\Steam.dll 2007-10-15 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles 2007-10-15 18:27 <DIR> d-------- C:\WINDOWS\nview 2007-10-15 18:27 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe 2007-10-15 18:26 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE 2007-10-15 18:24 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2007-10-15 18:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2007-10-15 18:19 38,426,896 --a------ C:\temp\163.71_forceware_winxp_32bit_english_whql.exe 2007-10-14 17:30 1,139,034 --a------ C:\temp\pics.zip . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-14 02:36 31,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2007-11-14 02:36 3,896 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2007-11-14 01:48 --------- d-----w C:\Program Files\Gigabyte 2007-11-14 01:45 --------- d--h--w C:\Documents and Settings\Chip\Application Data\GTek 2007-11-14 01:42 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-11-14 01:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared 2007-11-14 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec 2007-10-30 04:21 --------- d-----w C:\Program Files\rFactor 2007-10-12 22:12 --------- d-----w C:\Program Files\RACE 07 2007-10-10 04:47 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-05 03:14 --------- d-----w C:\Program Files\DivX 2007-10-03 05:38 51,600 ----a-w C:\WINDOWS\system32\RadLightMPCUninstall.exe 2007-10-02 16:34 --------- d-----w C:\Program Files\piPOol 2007-10-01 01:29 --------- d-----w C:\Program Files\Teamspeak2_RC2 2007-10-01 01:29 --------- d-----w C:\Documents and Settings\Chip\Application Data\teamspeak2 2007-10-01 01:19 --------- d-----w C:\Program Files\Realtek Sound Manager 2007-10-01 01:19 --------- d-----w C:\Program Files\Realtek AC97 2007-10-01 01:19 --------- d-----w C:\Program Files\AvRack 2007-09-28 16:08 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe 2007-09-28 16:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe 2007-09-28 16:07 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys 2007-09-28 16:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll 2007-09-28 16:07 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2007-09-28 16:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll 2007-09-28 16:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe 2007-09-28 16:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe 2007-09-28 16:07 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll 2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll 2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll 2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll 2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll 2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll 2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll 2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll 2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll 2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll 2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll 2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll 2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll 2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll 2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll 2007-09-17 08:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll 2007-09-17 08:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe 2007-09-17 08:07 6,853,088 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys 2007-09-17 08:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll 2007-09-17 08:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll 2007-09-17 08:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll 2007-09-17 08:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll 2007-09-17 08:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll 2007-09-17 08:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe 2007-09-17 08:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe 2007-09-17 08:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll 2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll 2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll 2007-09-17 08:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll 2007-09-17 08:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll 2007-09-17 08:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll 2007-09-17 08:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll 2007-09-17 08:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll 2007-09-17 08:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll 2007-09-17 08:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll 2007-09-17 08:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe 2007-09-17 08:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe 2007-09-17 08:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll 2007-09-17 08:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe 2007-09-17 08:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll 2007-09-17 08:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe 2007-09-17 08:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll 2007-09-17 08:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll 2007-08-31 02:37 1,385,984 ----a-w C:\WINDOWS\system32\telintf.DLL 2007-08-22 04:50 74,752 ----a-w C:\WINDOWS\ST6UNST.EXE 2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll 2003-03-06 16:55 17,408 ----a-w C:\Documents and Settings\Chip\MOMORacingFixCenter.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10] "P17Helper"="P17.dll" [2005-05-03 04:38 C:\WINDOWS\system32\P17.dll] "SoundMan"="SOUNDMAN.EXE" [2006-03-01 01:22 C:\WINDOWS\soundman.exe] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 01:07] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23] "Fraps"="C:\FRAPS\FRAPS.EXE" [2005-06-29 06:35] "MOMORacingFixCenter"="C:\Documents and Settings\Chip\MOMORacingFixCenter.exe" [2003-03-06 09:55] "Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-21 21:19] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoToolbarCustomize"=0 (0x0) "NoBandCustomize"=0 (0x0) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" *Newly Created Service* - CATCHME . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-13 20:03:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run Creative Detector = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R????W?D~??A~??????A~???wV???????\|???V??wb??w????? ??????s?????????????W??????????V???????????X??s??? ?????m??? ???????D??s????}??sV??wD??s ?????????4??W??????5!??@???4?A~V???????????????V?? w??????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-13 20:04:57 C:\ComboFix2.txt ... 2007-11-13 19:59 . --- E O F --- Second, the SDFix report: SDFix: Version 1.114 Run by Chip on Tue 11/13/2007 at 07:38 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\Documents and Settings\Chip\Desktop\SDFix\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting... Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files... ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-13 19:43:13 Windows 5.1.2600 Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden services & system hive ... [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40] scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner" "C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam" "C:\\Program Files\\Steam\\SteamApps\\chipw\\race 07\\Race_Steam.exe"="C:\\Program Files\\Steam\\SteamApps\\chipw\\race 07\\Race_Steam.exe:*:Enabled:RACE 07" "C:\\Program Files\\rFactor\\rFactor.exe"="C:\\Program Files\\rFactor\\rFactor.exe:*:Enabled:rFactor" "C:\\GTR2\\GTR2.exe"="C:\\GTR2\\GTR2.exe:*:Enabled:GTR2 - FIA GT Racing Game" "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA" "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB" "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files: --------------- Files with Hidden Attributes: Finished! Even after all this, after I rebooted I still hear the clicks of IE page loads, and Kaspersky still finds the ndt.sys file. It keeps coming back from somewhere. Kaspersky even came up with an IP address that thing was trying to access: 74.125.19.97 on port 443. | carvin (12937) |
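The ComboFix file listing in the post above is quicker to triage mechanically than by eye. The block below is an added example, not code from this thread or from ComboFix: it parses ComboFix-style listing rows (both the Files Created and Find3M shapes that appear in the log) and applies three heuristics that are this example's assumptions, not anything the thread states: a .sys driver sitting outside a drivers directory (ndt2.sys and Indt2.sys are in system32 proper), hidden+system attributes on a non-directory file, and an executable directly in a user profile root. The sample rows are copied from the log above, with one malformed line added to show that junk is skipped. It deliberately also trips on benign rows, namely fidbox.dat / fidbox.idx (created in the same minute as the Kaspersky Lab directories) and the PunkBuster PnkBstrK.sys copy under Application Data, which is the practical point: a hit is a lead to check against vendor, signer and hash, not a verdict.

```python
"""Triage a ComboFix-style "Files Created" / Find3M listing.

Added example for this thread: not ComboFix's own code. The heuristics are
this example's assumptions. Sample rows are copied from the log posted above
plus one deliberately malformed line.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Both row shapes that appear in the log:
#   2007-11-13 16:22 40,960 --a------ C:\WINDOWS\system32\Indt2.sys
#   2007-11-14 01:48 --------- d-----w C:\Program Files\Gigabyte
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+|-+)\s+"
    r"(?P<attrs>[a-z-]+)\s+"
    r"(?P<path>[A-Za-z]:\\.+)$"
)

# Constructed sample: rows lifted from the ComboFix log above, plus one bogus line.
SAMPLE_LISTING = r"""
2007-11-13 19:38 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-13 18:54 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-13 17:43 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-13 16:50 2,250,784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-13 16:22 250,880 --a------ C:\WINDOWS\system32\ndt2.sys
2007-11-13 16:22 40,960 --a------ C:\WINDOWS\system32\Indt2.sys
2007-11-11 21:31 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-11-11 21:31 22,328 --a------ C:\Documents and Settings\Chip\Application Data\PnkBstrK.sys
2007-11-14 01:48 --------- d-----w C:\Program Files\Gigabyte
2007-11-14 02:36 31,592 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2003-03-06 16:55 17,408 ----a-w C:\Documents and Settings\Chip\MOMORacingFixCenter.exe
this line is not a listing row and must be skipped
"""


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]      # None for directories and for Find3M rows without a size
    attrs: str               # raw attribute string, e.g. "--ahs----" or "--sha-w"
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        # Both ComboFix attribute layouts put "d" first for directories.
        return self.attrs.startswith("d")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing row, or None if the line is not a row."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    raw_size = m.group("size")
    size = int(raw_size.replace(",", "")) if raw_size[0].isdigit() else None
    return Entry(m.group("ts"), size, m.group("attrs"), m.group("path"))


def parse_listing(text: str) -> List[Entry]:
    entries = (parse_line(line) for line in text.splitlines())
    return [e for e in entries if e is not None]


def flag(entry: Entry) -> List[str]:
    """Heuristic triage. A hit is a lead to verify (vendor, signer, hash), not a verdict."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons
    lower = entry.path.lower()
    parts = lower.split("\\")
    name = parts[-1]
    # Kernel drivers normally live in system32\drivers; ndt2.sys / Indt2.sys do not.
    if name.endswith(".sys") and "\\drivers\\" not in lower:
        reasons.append("kernel driver (.sys) outside a drivers directory")
    # Hidden+system on a file keeps it out of a default Explorer view.
    if "h" in entry.attrs and "s" in entry.attrs:
        reasons.append("hidden+system attributes")
    # An .exe directly in C:\Documents and Settings\<user>\ is unusual.
    if name.endswith(".exe") and parts[:2] == ["c:", "documents and settings"] and len(parts) == 4:
        reasons.append("executable (.exe) directly in a user profile root")
    return reasons


def triage(text: str) -> List[Entry]:
    """Parse a listing and return only the entries that tripped a heuristic."""
    flagged = []
    for entry in parse_listing(text):
        entry.reasons = flag(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_LISTING):
        print(f"{entry.timestamp}  {entry.attrs:<9}  {entry.path}")
        for reason in entry.reasons:
            print(f"    - {reason}")
```

Run it as a script to print the flagged rows, or pass the text of a saved ComboFix log to triage(). Adding a fourth heuristic is a one-line append in flag(); keep each one cheap and explainable, since the output is a worklist for a human, not a verdict.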
| 602880 | 2007-11-14 05:18:00 | Disable System Restore. Boot into Safe Mode. Open My Computer / Tools / Folder Options. Select all files and untick "Hide protected operating system files". Right-click the System Volume Information folder. Properties / Security tab / Add. Type in the name that appears at the top of the Start menu. Click on Check Names. If the name is right it'll appear. Click on OK, OK until you're out of that dialog window. If you did it right, open the System Volume Information folder and delete EVERYTHING in it. If you've got more than 1 partition / hard drive, do the same for those as well. Get CCleaner (http://www.ccleaner.com) as well. Install it, run it, then click on Run Cleaner. Find those files Kaspersky picked up, then delete them. Then reboot back into Windows and see if it's still there. | Speedy Gonzales (78) |
| 602881 | 2007-11-14 18:45:00 | Well, finally got the machine cleaned; thanks for your help, much appreciated. I think the key file is one called perfs.exe and its log file called perfs.txt. Without those it appears the others do not get recreated at startup. I could be wrong, but that's what it appears to be. Thanks for all the great new apps as well. -- Chip | carvin (12937) |
| 602882 | 2007-11-14 18:54:00 | Good to hear it's gone! | Speedy Gonzales (78) |
| 602883 | 2007-11-14 19:01:00 | Sounds to me as if Kaspersky was picking up something all the other antispywares were missing; that perf.exe is actually malware. Here (www.prevx.com) | wainuitech (129) |
| 602884 | 2007-11-15 01:31:00 | Yep, that's why I posted about its removal earlier in this thread :) I've been away a bit, or I may have noticed its presence in Chip's HJT log as well. Glad to see it's cleared up now; quite a nasty one. | bevy121 (117) |
| 602885 | 2007-11-19 19:44:00 | I have the same problem, but I don't know how to get rid of it. Please, if someone can write the steps. Thanks. I found the Indt2.sys, and I also found the perfs.exe but could not find perfs.txt. Thanks again, people. | mjaffrie (12938) |
| 602886 | 2007-11-19 20:12:00 | Well, follow what's already here. I'm not typing the same thing again (what's already here). | Speedy Gonzales (78) |