Infected with Win32/Zbot.g

Inactive
By Eldrac
Feb 22, 2011
Topic Status:
Not open for further replies.
  1. Hi there all,

    Decided to come here after it got a little too much, it seems my AVG has been coming up with infections related to Win32/Zbot.g, now mostly it was DLL's and so on but it escalated and today I could not use my PC that much at all, the dll's that AVG has touched has almost destroyed the programs. It started with redirects and pop ups on Firefox and after many scans I thought I was rid of it. But tonight it has messed it up completely, I will make another post with the logs from the Preliminery thread once I have done the scans.

    Thanks,

    Eldrac
  2. Eldrac

    Eldrac Newcomer, in training Topic Starter

    Logs

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5827

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    22/02/2011 21:01:08
    mbam-log-2011-02-22 (21-00-58).txt

    Scan type: Quick scan
    Objects scanned: 160787
    Time elapsed: 2 minute(s), 31 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\setiasworld (Malware.Trace) -> Value: setiasworld -> No action taken.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    -----

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-22 21:22:34
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD6400AAKS-00H2B0 rev.07.04C07
    Running: qyxmeulp.exe; Driver: C:\DOCUME~1\Karl\LOCALS~1\Temp\pxtdrpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 1250261359 (+255): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT spze.sys ZwEnumerateKey [0xF74F4CA4]
    SSDT spze.sys ZwEnumerateValueKey [0xF74F5032]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdePort0 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-24 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdePort1 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdePort2 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdePort3 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-1c 8ADB7AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1c [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01Port5Path0Target0Lun0 8ABF81F8
    Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8AF001F8
    Device \Driver\JRAID \Device\Scsi\JRAID1 8AF001F8
    Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 8AF001F8
    Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01 8ABF81F8
    Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01Port5Path0Target1Lun0 8ABF81F8
    Device \FileSystem\Ntfs \Ntfs 8AEFF1F8
    Device \FileSystem\Fastfat \Fat 89C11500

    AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD6400AAKS-00H2B0___________________07.04C07#5&1714ff57&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    -----

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Karl at 21:57:44.04 on 22/02/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3581.2922 [GMT 0:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\CachemanXP\CachemanXP.exe
    C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
    C:\Program Files\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\RivaTuner v2.24\RivaTuner.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\system32\mmc.exe
    c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Documents and Settings\Karl\Desktop\dds.scr
    C:\Documents and Settings\Karl\Local Settings\Temp\8.tmp\MBR.DAT
    C:\Documents and Settings\Karl\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\xudeflan\gbuqsljb.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
    mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24\RivaTuner.exe" /S
    mRun: [RivaTuner] "c:\program files\rivatuner v2.24\RivaTuner.exe" /T
    mRun: [VX3000] c:\windows\vVX3000.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBJAC0ATgBHAFkAMABWAC0AOQBKAFoASwBZAC0AMAA4AFoAMwBSAC0ANABXADAAUABBAC0ANABSADcAWQAwAA"&"inst=NwA2AC0ANQAxADQAMAA3ADAAMQA5ADQALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQAMgAtAFgATwAzADYAKwAxAC0AUwBUADEAKwAyAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQA"&"prod=94"&"ver=9.0.872
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [jdqtthpo] c:\windows\temp\spuwggqsx\yowytofusbs.exe
    StartupFolder: c:\documents and settings\karl\start menu\programs\startup\CurseClientStartup.ccip
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: windowsupdate.com\download
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1287765214671
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245508215531
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\karl\applic~1\mozilla\firefox\profiles\r4y0gkzb.default\
    FF - prefs.js: network.proxy.ftp - 82.206.129.160
    FF - prefs.js: network.proxy.ftp_port - 3128
    FF - prefs.js: network.proxy.gopher - 82.206.129.160
    FF - prefs.js: network.proxy.gopher_port - 3128
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 50370
    FF - prefs.js: network.proxy.socks - 82.206.129.160
    FF - prefs.js: network.proxy.socks_port - 3128
    FF - prefs.js: network.proxy.ssl - 82.206.129.160
    FF - prefs.js: network.proxy.ssl_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\documents and settings\karl\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\downloader\npdd.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
    FF - plugin: c:\program files\sony online entertainment\npsoe.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: RAMBack: ramback@pavlov.net - %profile%\extensions\ramback@pavlov.net
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: Googlebar Lite: {79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f} - %profile%\extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false

    ============= SERVICES / DRIVERS ===============

    R2 CachemanXPService;CachemanXP;c:\program files\cachemanxp\CachemanXP.exe [2009-6-20 519008]
    R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-3 12672]
    R2 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
    R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files\dragon age\tools\toolssql\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-3-30 632792]
    R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-6-20 22016]
    R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2010-5-1 241664]
    S1 MpKsl8eb75476;MpKsl8eb75476;\??\c:\windows\system32\mpenginestore\mpksl8eb75476.sys --> c:\windows\system32\mpenginestore\MpKsl8eb75476.sys [?]
    S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2011-2-22 256512]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-27 1691480]
    S3 cmudaxp;ASUS Xonar D2X Audio Interface;c:\windows\system32\drivers\cmudaxp.sys --> c:\windows\system32\drivers\cmudaxp.sys [?]
    S3 cpuz130;cpuz130;\??\c:\docume~1\karl\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\karl\locals~1\temp\cpuz130\cpuz_x32.sys [?]
    S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\karl\locals~1\temp\gjwc7.tmp --> c:\docume~1\karl\locals~1\temp\GJWC7.tmp [?]
    S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-6-20 24944]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-5-1 9728]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-6-20 28672]
    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-6-20 17408]

    =============== Created Last 30 ================

    2011-02-22 20:31:23 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
    2011-02-22 20:31:23 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2011-02-22 20:31:22 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
    2011-02-22 19:43:24 -------- d-s---w- C:\ComboFix
    2011-02-22 18:46:42 -------- d-sha-r- C:\cmdcons
    2011-02-22 18:42:56 98816 ----a-w- c:\windows\sed.exe
    2011-02-22 18:42:56 89088 ----a-w- c:\windows\MBR.exe
    2011-02-22 18:42:56 256512 ----a-w- c:\windows\PEV.exe
    2011-02-22 18:42:56 161792 ----a-w- c:\windows\SWREG.exe
    2011-02-21 18:28:38 -------- d-----w- c:\program files\Cooler Master
    2011-02-21 18:26:19 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2011-02-21 18:26:19 21504 ----a-w- c:\windows\system32\hidserv.dll
    2011-02-20 17:44:27 -------- d-----w- c:\docume~1\karl\applic~1\Otxeoq
    2011-02-20 16:47:48 -------- d-----w- c:\program files\xudeflan
    2011-02-13 14:47:13 -------- d-----w- C:\Revival
    2011-02-13 14:06:35 -------- d-----w- c:\program files\Flagship Studios
    2011-02-12 13:36:06 -------- d-----w- c:\docume~1\karl\applic~1\RIFT
    2011-02-04 08:19:39 -------- dc-h--w- c:\windows\ie8
    2011-01-29 17:48:30 -------- d-----w- c:\docume~1\karl\locals~1\applic~1\EA Games
    2011-01-29 17:45:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Solidshield

    ==================== Find3M ====================

    2011-01-23 13:59:47 240332 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-01-23 13:59:47 240332 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-01-23 13:59:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-12-30 14:17:18 19972712 ----a-w- c:\windows\RTHDCPL.EXE
    2010-12-21 12:27:12 16608 ----a-w- c:\windows\gdrv.sys

    ============= FINISH: 21:58:47.18 ===============
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Welcome to TechSpot! This seems to be malware of the month! I'll help you sort it out.

    Please go back into Malwarebyte> Update> run another scan and be sure to check this line:
    Be sure that everything is checked, and click Remove Selected.
    The entries in your log say No Action Taken which means you forgot to do that.

    There is another log from DDS named Attach.txt, Please locate that and paste it in your next reply. Since I can't check the entries in that, I will have to ask if you have installed and are using the Ghost Surf Proxy from Tenebril? Several network.proxy settings are showing in Firefox. One of the entries in Mbam is for (PUM.Bad.Proxy) -> Value: ProxyServer so I will need to know if you did this or whether it is the malware. If you have installed it, it will be listed as Program Files%\GhostSurf 2005\
    ===========================================
    Edit: I notice that you have the AVG Uninstaller set to run. You will have to remove AVG to run Combofix, so you can run that uninstaller first.

    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [​IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  4. Eldrac

    Eldrac Newcomer, in training Topic Starter

    Thanks for the reply, I am running a scan at the moment with AVAST, so I shall have the other logs tomorrow once I manage to get back on. I did some reading so my previous query is null and void, though I was told to run Combofix a while back and it refused to go into the cycles and DDS program stalled out and I had to run it again to get the logs. Also I have not installed Ghostsurf myself, that is something new to me.
  5. Eldrac

    Eldrac Newcomer, in training Topic Starter

    Okay, it seems that I have to reinstall my whole OS right now, I have noticed there is Ramnit on my system after Avast picked it up and I saw from the rest of the site that this is not curable, is that right?
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Yes, that is correct. Most of us recommend the reformat/reinstall right up front. I had numerous entries marked for removal. But if you have seen Ramnit in the AVG scans, you would be wise to do the reformat/reinstall now. Here's some information about Ramnit:
    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

    This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    The words in blue are links if you would like more information.

    I'd like to suggest that after you gert set up again, that you not put these in the Trusted Zone:
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: microsoft.com\v4.windowsupdate
    Trusted Zone: microsoft.com\windowsupdate
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    Trusted Zone: windowsupdate.com\download

    Nothing needs to be in this zone and the security is not as high as the Internet Zone.

    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.