Inactive Infected with Win32/Zbot.g

Status
Not open for further replies.
Hi there all,

Decided to come here after it got a little too much. It seems my AVG has been coming up with infections related to Win32/Zbot.g; mostly it was DLLs and so on, but it escalated and today I could not use my PC much at all, as the DLLs that AVG has touched have almost destroyed the programs. It started with redirects and pop-ups on Firefox and after many scans I thought I was rid of it. But tonight it has messed it up completely. I will make another post with the logs from the Preliminary thread once I have done the scans.

Thanks,

Eldrac
 
Logs

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5827

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

22/02/2011 21:01:08
mbam-log-2011-02-22 (21-00-58).txt

Scan type: Quick scan
Objects scanned: 160787
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\setiasworld (Malware.Trace) -> Value: setiasworld -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-22 21:22:34
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD6400AAKS-00H2B0 rev.07.04C07
Running: qyxmeulp.exe; Driver: C:\DOCUME~1\Karl\LOCALS~1\Temp\pxtdrpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 1250261359 (+255): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT spze.sys ZwEnumerateKey [0xF74F4CA4]
SSDT spze.sys ZwEnumerateValueKey [0xF74F5032]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdePort0 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-24 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-24 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdePort1 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdePort2 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdePort3 [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-1c 8ADB7AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1c [F7849B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01Port5Path0Target0Lun0 8ABF81F8
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8AF001F8
Device \Driver\JRAID \Device\Scsi\JRAID1 8AF001F8
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 8AF001F8
Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01 8ABF81F8
Device \Driver\aes7m0k0 \Device\Scsi\aes7m0k01Port5Path0Target1Lun0 8ABF81F8
Device \FileSystem\Ntfs \Ntfs 8AEFF1F8
Device \FileSystem\Fastfat \Fat 89C11500

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD6400AAKS-00H2B0___________________07.04C07#5&1714ff57&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

-----

DDS (Ver_10-12-12.02) - NTFSx86
Run by Karl at 21:57:44.04 on 22/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3581.2922 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
C:\Program Files\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\RivaTuner v2.24\RivaTuner.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\T-Mobile Mobile Broadband Manager\UIExec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\mmc.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Documents and Settings\Karl\Desktop\dds.scr
C:\Documents and Settings\Karl\Local Settings\Temp\8.tmp\MBR.DAT
C:\Documents and Settings\Karl\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\xudeflan\gbuqsljb.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24\RivaTuner.exe" /S
mRun: [RivaTuner] "c:\program files\rivatuner v2.24\RivaTuner.exe" /T
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UIExec] "c:\program files\t-mobile mobile broadband manager\UIExec.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OQBJAC0ATgBHAFkAMABWAC0AOQBKAFoASwBZAC0AMAA4AFoAMwBSAC0ANABXADAAUABBAC0ANABSADcAWQAwAA"&"inst=NwA2AC0ANQAxADQAMAA3ADAAMQA5ADQALQBCAEEAKwAxAC0ASwBWADMAKwA3AC0AWABMACsAMQAtAFQAMgAtAFgATwAzADYAKwAxAC0AUwBUADEAKwAyAC0AVABCADkAKwAyAC0ATgAxAEQAKwAxAC0AUABMACsAOQA"&"prod=94"&"ver=9.0.872
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [jdqtthpo] c:\windows\temp\spuwggqsx\yowytofusbs.exe
StartupFolder: c:\documents and settings\karl\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: windowsupdate.com\download
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1287765214671
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245508215531
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\karl\applic~1\mozilla\firefox\profiles\r4y0gkzb.default\
FF - prefs.js: network.proxy.ftp - 82.206.129.160
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.gopher - 82.206.129.160
FF - prefs.js: network.proxy.gopher_port - 3128
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.socks - 82.206.129.160
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 82.206.129.160
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\karl\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\downloader\npdd.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\sony online entertainment\npsoe.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: RAMBack: ramback@pavlov.net - %profile%\extensions\ramback@pavlov.net
FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
FF - Ext: Googlebar Lite: {79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f} - %profile%\extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false

============= SERVICES / DRIVERS ===============

R2 CachemanXPService;CachemanXP;c:\program files\cachemanxp\CachemanXP.exe [2009-6-20 519008]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-3 12672]
R2 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
R2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files\dragon age\tools\toolssql\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-3-30 632792]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-6-20 22016]
R2 UI Assistant Service;UI Assistant Service;c:\program files\t-mobile mobile broadband manager\AssistantServices.exe [2010-5-1 241664]
S1 MpKsl8eb75476;MpKsl8eb75476;\??\c:\windows\system32\mpenginestore\mpksl8eb75476.sys --> c:\windows\system32\mpenginestore\MpKsl8eb75476.sys [?]
S2 PEVSystemStart;PEVSystemStart;c:\combofix\PEV.cfxxe [2011-2-22 256512]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-27 1691480]
S3 cmudaxp;ASUS Xonar D2X Audio Interface;c:\windows\system32\drivers\cmudaxp.sys --> c:\windows\system32\drivers\cmudaxp.sys [?]
S3 cpuz130;cpuz130;\??\c:\docume~1\karl\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\karl\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\karl\locals~1\temp\gjwc7.tmp --> c:\docume~1\karl\locals~1\temp\GJWC7.tmp [?]
S3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-6-20 24944]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-5-1 9728]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-6-20 28672]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-6-20 17408]

=============== Created Last 30 ================

2011-02-22 20:31:23 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-02-22 20:31:23 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-02-22 20:31:22 66520 ----a-w- c:\program files\mozilla firefox\plugins\npnul32.dll
2011-02-22 19:43:24 -------- d-s---w- C:\ComboFix
2011-02-22 18:46:42 -------- d-sha-r- C:\cmdcons
2011-02-22 18:42:56 98816 ----a-w- c:\windows\sed.exe
2011-02-22 18:42:56 89088 ----a-w- c:\windows\MBR.exe
2011-02-22 18:42:56 256512 ----a-w- c:\windows\PEV.exe
2011-02-22 18:42:56 161792 ----a-w- c:\windows\SWREG.exe
2011-02-21 18:28:38 -------- d-----w- c:\program files\Cooler Master
2011-02-21 18:26:19 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-02-21 18:26:19 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-02-20 17:44:27 -------- d-----w- c:\docume~1\karl\applic~1\Otxeoq
2011-02-20 16:47:48 -------- d-----w- c:\program files\xudeflan
2011-02-13 14:47:13 -------- d-----w- C:\Revival
2011-02-13 14:06:35 -------- d-----w- c:\program files\Flagship Studios
2011-02-12 13:36:06 -------- d-----w- c:\docume~1\karl\applic~1\RIFT
2011-02-04 08:19:39 -------- dc-h--w- c:\windows\ie8
2011-01-29 17:48:30 -------- d-----w- c:\docume~1\karl\locals~1\applic~1\EA Games
2011-01-29 17:45:55 -------- d-----w- c:\docume~1\alluse~1\applic~1\Solidshield

==================== Find3M ====================

2011-01-23 13:59:47 240332 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-01-23 13:59:47 240332 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-01-23 13:59:47 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-12-30 14:17:18 19972712 ----a-w- c:\windows\RTHDCPL.EXE
2010-12-21 12:27:12 16608 ----a-w- c:\windows\gdrv.sys

============= FINISH: 21:58:47.18 ===============
 
Welcome to TechSpot! This seems to be malware of the month! I'll help you sort it out.

Please go back into Malwarebyte> Update> run another scan and be sure to check this line:
Be sure that everything is checked, and click Remove Selected.
The entries in your log say No Action Taken which means you forgot to do that.

There is another log from DDS named Attach.txt; please locate that and paste it in your next reply. Since I can't check the entries in that, I will have to ask if you have installed and are using the Ghost Surf Proxy from Tenebril? Several network.proxy settings are showing in Firefox. One of the entries in Mbam is for (PUM.Bad.Proxy) -> Value: ProxyServer, so I will need to know if you did this or whether it is the malware. If you have installed it, it will be listed as Program Files%\GhostSurf 2005\
===========================================
Edit: I notice that you have the AVG Uninstaller set to run. You will have to remove AVG to run Combofix, so you can run that uninstaller first.

Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image (RcAuto1.gif): "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!"
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
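The entries the helper is pointing at (the extra executable in Winlogon Userinit, the dRun entry launched from Temp, and the Firefox network.proxy prefs) can be triaged mechanically. This is an added example for readers of the thread, not code from the post or from any of the tools named in it; the sample lines are constructed from the DDS log above, and the indicator names are my own.

```python
"""Triage DDS-style log lines for the hijack indicators discussed in this thread.

Added example, not part of the forum post or any tool's own code. It scans the
'Pseudo HJT' Winlogon/Run entries and the Firefox network.proxy prefs for:
  - extra executables appended to Winlogon Userinit,
  - Run entries launched from a Temp directory,
  - browser proxy servers configured in prefs.js (and whether proxying is on).
"""
import re

# Constructed sample modelled on the DDS output above (a handful of lines, not the full log).
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\xudeflan\gbuqsljb.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [jdqtthpo] c:\windows\temp\spuwggqsx\yowytofusbs.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.ssl - 82.206.129.160
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
"""

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[[^\]]*\]\s*(.*)$")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js:\s*network\.proxy\.(\S+)\s*-\s*(\S+)")
# Only the stock shell initialiser belongs in Userinit on a clean XP box.
EXPECTED_USERINIT = r"\system32\userinit.exe"
PROXY_PROTOCOLS = ("http", "ssl", "ftp", "socks", "gopher")


def userinit_extras(value):
    """Return Userinit entries other than the stock userinit.exe."""
    parts = [p.strip().lower() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.endswith(EXPECTED_USERINIT)]


def configured_proxies(prefs):
    """Pair each network.proxy.<proto> host with its <proto>_port."""
    out = {}
    for proto in PROXY_PROTOCOLS:
        host = prefs.get(proto)
        if host:
            out[proto] = (host, prefs.get(proto + "_port", ""))
    return out


def find_indicators(log_text):
    """Return (indicator, detail) tuples for the suspicious entries found."""
    findings = []
    ff_prefs = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = USERINIT_RE.match(line)
        if m:
            findings += [("userinit_extra", p) for p in userinit_extras(m.group(1))]
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(1)
            if "\\temp\\" in cmd.lower():  # autostart from a Temp directory
                findings.append(("run_from_temp", cmd))
            continue
        m = FF_PROXY_RE.match(line)
        if m:
            ff_prefs[m.group(1)] = m.group(2)
    for proto, (host, port) in sorted(configured_proxies(ff_prefs).items()):
        kind = "ff_proxy_loopback" if host.startswith("127.") else "ff_proxy_remote"
        findings.append((kind, f"{proto} -> {host}:{port}"))
    if ff_prefs.get("type") == "0" and configured_proxies(ff_prefs):
        # type 0 means 'no proxy': the hosts are configured but currently unused,
        # so flipping the type later would silently re-enable the redirect.
        findings.append(("ff_proxy_disabled_but_configured", "network.proxy.type = 0"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f"{kind:36} {detail}")
```

A loopback proxy on a high port with a remote host on the other protocols, as in the sample, is the pattern to raise with the user: either a deliberately installed proxy tool or a redirector left by the infection.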
 
Thanks for the reply, I am running a scan at the moment with AVAST, so I shall have the other logs tomorrow once I manage to get back on. I did some reading so my previous query is null and void, though I was told to run Combofix a while back and it refused to go into the cycles and DDS program stalled out and I had to run it again to get the logs. Also I have not installed Ghostsurf myself, that is something new to me.
 
Okay, it seems that I have to reinstall my whole OS right now, I have noticed there is Ramnit on my system after Avast picked it up and I saw from the rest of the site that this is not curable, is that right?
 
Yes, that is correct. Most of us recommend the reformat/reinstall right up front. I had numerous entries marked for removal. But if you have seen Ramnit in the AVG scans, you would be wise to do the reformat/reinstall now. Here's some information about Ramnit:
Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files.

This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

The words in blue are links if you would like more information.

I'd like to suggest that after you get set up again, you not put these in the Trusted Zone:
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: microsoft.com\v4.windowsupdate
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: soe.com
Trusted Zone: sony.com
Trusted Zone: windowsupdate.com\download

Nothing needs to be in this zone and the security is not as high as the Internet Zone.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html
 