| Thread ID: 83932 | 2007-10-18 06:12:00 | What's Indt.sys? Need help!!!!! | aklthomas (12936) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 602857 | 2007-10-18 06:12:00 | Hi there, Recently, Kaspersky IS keeps reporting that the file Indt.sys under the System32 directory tries to send confidential data without my acknowledgement. However, when I googled this file name I could hardly find any information about this file. Moreover, this file doesn't even exist on my brother-in-law's computer (we are using the same OS). I tried to delete it but it keeps coming back when I turn on the computer the next time. I also used a couple of AV programs to scan my machine but they all said that my computer is clean. Does anybody know what this file is, what it does and how do I delete it? BTW: I'm using Windows Vista Ultimate OS. Any information would be much appreciated. | aklthomas (12936) | ||
| 602858 | 2007-10-18 07:03:00 | From what I located in various places it appears to be some sort of very new spyware (22nd Sept). I'm guessing it may be somehow in System Restore, and that's why it keeps returning. Suggestion: turn off System Restore: Vista Restore (vistasupport.mvps.org). Then rerun the virus scanner, reboot and run the scanner again; if it's gone, turn restore back on. If it's not, then reply back here and hopefully someone else can help. Here's (www.prevx.com) a bit more about it, but I don't know if the software on that site is any good - never tried it. | wainuitech (129) | ||
| 602859 | 2007-10-18 21:50:00 | Hi Wainuitech, thanks for your reply. I'll do that and reply back when I've done it. Cheers | aklthomas (12936) | ||
| 602860 | 2007-10-19 06:37:00 | I've done everything you said but the file still keeps coming back. I've scanned the computer again using Kaspersky IS, Spyware Doctor, PreVX free scanner, they all reported that my machine is clean. All I want to do is to get rid of this file. Can anybody help me out please! | aklthomas (12936) | ||
| 602861 | 2007-10-19 06:57:00 | Quoting aklthomas: "I've done everything you said but the file still keeps coming back. I've scanned the computer again using Kaspersky IS, Spyware Doctor, PreVX free scanner, they all reported that my machine is clean. All I want to do is to get rid of this file. Can anybody help me out please!" If the scanners say it's clean, what is saying it's back? Go to this person's sig: Speedy (pressf1.pcworld.co.nz). From his sig, download / install / update / run Trojan Remover. While there, download HijackThis. Put it in a folder (desktop will do), run it and select system scan. Save the log, then copy / paste the HijackThis log back here; let's have a look at where it's hiding. Speedy is good at answering these logs. | wainuitech (129) | ||
| 602862 | 2007-10-19 10:46:00 | Thanks for your suggestion, here is the HijackThis log:
==========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08:38 PM, on 10/19/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Thomas Ho\Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slingshot.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = go.microsoft.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\ProgramData\Prevx\pxbho.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google IME Autoupdater] "C:\Program Files\Google\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - liveupdate.msi.com.tw
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AC8614-4A7D-434B-93D6-4970BEB2623A}: NameServer = 202.180.64.9,202.180.64.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{03AC8614-4A7D-434B-93D6-4970BEB2623A}: NameServer = 202.180.64.9,202.180.64.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{03AC8614-4A7D-434B-93D6-4970BEB2623A}: NameServer = 202.180.64.9,202.180.64.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{03AC8614-4A7D-434B-93D6-4970BEB2623A}: NameServer = 202.180.64.9,202.180.64.2
O17 - HKLM\System\CS4\Services\Tcpip\..\{03AC8614-4A7D-434B-93D6-4970BEB2623A}: NameServer = 202.180.64.9,202.180.64.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
O23 - Service: PREVXAgent - Prevx - C:\Program Files\Prevx2\PXAgent.exe
O23 - Service: PXVistaSvc - Prevx Ltd. - C:\Program Files\Prevx2\PXVistaSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10952 bytes
==========================================================
| aklthomas (12936) | ||
| 602863 | 2007-10-19 16:58:00 | Log looks ok to me. BUT run HJT again, tick these entries, then tick fix checked. Close browser/s.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
These are safe:
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx2\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
This may be nasty:
O13 - Gopher Prefix:
Get Trojan Remover in my sig, update it, then click on scan. See if it picks anything up. Then select all options under the utilities menu. If you do a search for this file, how big is it?? And what else has it got in its properties? | Speedy Gonzales (78) | ||
| 602864 | 2007-10-20 00:53:00 | Still an associated nasty there I think, Speedy.
@ aklthomas - I recommend you also do the following as well:
Go to: Start > Run > type services.msc, then click OK.
Scroll down to "perfmons Service". Click it to highlight it, then <right-click> and select: Properties.
Select and set the "Service Status" option to "Stop".
Select "Startup type" and set it to "Disabled", click Apply, then OK.
Open Task Manager (Ctrl/Alt/Delete) and select the "Processes" tab. If "perfs.exe" is there, right-click on it and select "End Process/End Task".
Download Killbox (killbox.net/downloads/KillBox.exe) and save it to your desktop. Double-click to open it and select "Delete on Reboot". Then select "All files". Then highlight and copy this complete filepath:
C:\WINDOWS\system32\perfs.exe
and go back to Killbox - File menu - choose "Paste from Clipboard". Click the red-and-white [Delete File] button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.
Close ALL browser windows. Do a HJT scan and select (check) this entry and fix it:
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\Windows\system32\perfs.exe
Now Reboot!
This is a very recent malware and from what I've read includes (some/any of?) the following files, all in C:\WINDOWS\system32\: msspa.exe, ndt.sys, Indt.sys, discover.exe, wmiprves.exe, ver.txt | bevy121 (117) | ||
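A defender-side check for the triage the last two replies ask for (the file's size and properties, and which service or driver launches it), as an added PowerShell example that is not part of the thread. It assumes PowerShell 2.0 or later run as Administrator on the affected machine and uses only the file and service names quoted above; the `Disable-SuspectService` helper is mine, not a built-in cmdlet.

```powershell
# Added example, not from the thread: triage the files named in the replies
# before deleting anything. Assumes PowerShell 2.0+ run as Administrator.
# File names below are the ones quoted in the thread.
$names = 'Indt.sys', 'ndt.sys', 'perfs.exe', 'msspa.exe',
         'discover.exe', 'wmiprves.exe', 'ver.txt'
$dir   = Join-Path $env:SystemRoot 'System32'

# 1. Size, timestamps, attributes and Authenticode status of each file present.
#    A legitimate driver in System32 normally reports 'Valid'; 'NotSigned'
#    together with a recent creation date and an empty CompanyName is the
#    pattern the replies are asking the poster to look for.
foreach ($n in $names) {
    $path = Join-Path $dir $n
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $f      = Get-Item -LiteralPath $path -Force      # -Force shows hidden files
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        File      = $f.Name
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        Company   = $f.VersionInfo.CompanyName
        Signature = $sig.Status
        Signer    = $signer
    }
}

# 2. Which service or kernel driver points at these files? This is the
#    'perfmons' -> perfs.exe link the HijackThis O23 line showed; a driver
#    entry here is also what reloads a .sys file on every boot.
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    Get-WmiObject -Class $class |
        Where-Object { $_.PathName -match $pattern } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# 3. Stop and disable a matching service (the reply does this via services.msc);
#    the file itself is then removed on reboot as the reply describes.
function Disable-SuspectService([string]$name) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { return }
    Set-Service -Name $name -StartupType Disabled
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
}
# Disable-SuspectService 'perfmons'
```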
| 602865 | 2007-10-20 04:11:00 | Hi Speedy & Bevy, Thanks a lot for you guys' help. I followed your instructions and did find another two, which are msspa.exe and perfs.exe. I managed to delete these two; however, the indt.sys is still there and is not being picked up by HijackThis and TrojanRemover. I scanned this file using a few other programs like KIS, Spy Doctor, CounterSpy etc. and they all reported it's a clean file. Now I'm stuck! :groan: | aklthomas (12936) | ||
| 602866 | 2007-10-20 04:22:00 | Don't worry! I deleted indt.sys using KillBox. I'll run the computer for a few days and see what happens next. I'll let you guys know whether it's been fixed or not. Again, big big thanks for your great assistance. All the best | aklthomas (12936) | ||