also @ TechSpot: Microsoft launches YouTube app, Google demands it taken down

[Not curable - Ramnit] multi-infection?

Discussion in 'Virus and Malware Removal' started by adam88, Dec 4, 2012.

Post New Reply
Page 2 of 3

  1. adam88 Newcomer, in training Posts: 68

    Also, when I try to run MS Word what I get is:

    This file does not have a program associated with it for performing this action.
    Create an association in the Set Associations control panel.
    adam88, Dec 5, 2012
    #21

  2. Broni Malware Annihilator Posts: 39,231   +175

    If you looked at my instructions...
    Broni, Dec 5, 2012
    #22

  3. adam88 Newcomer, in training Posts: 68

    Sorry, I did not capture this ...
    Restarted (normal mode), proceed as your post # 18?
    adam88, Dec 5, 2012
    #23

  4. Broni Malware Annihilator Posts: 39,231   +175

    Yes.
    Broni, Dec 5, 2012
    #24

  5. adam88 Newcomer, in training Posts: 68

    ComboFix 12-12-04.01 - Michael 06/12/2012 0:39.3.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3036.1884 [GMT 8:00]
    Running from: c:\users\Michael\Desktop\your_name.exe
    Command switches used :: c:\users\Michael\Desktop\CFScript.txt
    AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
    FW: Sunbelt VIPRE *Enabled* {86665057-352D-7810-313F-4F92DEFBC8FA}
    SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Michael\AppData\Local\bmjvusrj.log
    c:\users\Michael\AppData\Local\cjylsara.log
    c:\users\Michael\AppData\Local\ffwdeobe.log
    c:\users\Michael\AppData\Local\mldjvlsa.log
    c:\users\Michael\AppData\Local\oetgfkwd.log
    c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe
    c:\users\Michael\AppData\Local\ssmvktwb.log
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-05 to 2012-12-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-05 16:51 . 2012-12-05 16:54 -------- d-----w- c:\users\Michael\AppData\Local\temp
    2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-05 16:51 . 2012-12-05 16:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-12-05 03:10 . 2012-12-05 16:53 -------- d-----w- c:\users\Michael\AppData\Local\qjxavwgy
    2012-12-04 23:33 . 2012-12-04 23:33 14336 ----a-w- c:\windows\system32\drivers\TrueSight.sys
    2012-12-04 07:03 . 2012-12-04 07:06 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-12-04 02:53 . 2012-12-04 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-12-04 02:53 . 2012-09-29 11:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-29 12:03 . 2012-11-30 01:48 -------- d-----w- c:\users\Michael\AppData\Roaming\foobar2000
    2012-11-29 12:03 . 2012-11-29 12:06 -------- d-----w- c:\program files\foobar2000
    2012-11-27 07:29 . 2012-11-27 07:29 -------- d-----w- c:\users\Michael\AppData\Roaming\FFSJ
    2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- C:\Brother
    2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Browny02
    2012-11-23 08:53 . 2010-08-02 12:57 217088 ------w- c:\windows\system32\NSSearch.dll
    2012-11-23 08:53 . 2007-12-13 14:16 5120 ------w- c:\windows\system32\BrDctF2L.dll
    2012-11-23 08:53 . 2012-11-23 08:53 -------- d-----w- c:\program files\Brother
    2012-11-23 08:53 . 2010-03-15 11:56 2560 ------w- c:\windows\system32\BrDctF2S.dll
    2012-11-23 08:53 . 2010-03-15 11:45 73728 ------w- c:\windows\system32\BrDctF2.dll
    2012-11-21 13:02 . 2012-11-22 00:43 100216 ----a-w- c:\windows\system32\drivers\idmwfp.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-23 05:51 . 2012-04-17 16:32 18440 ----a-w- c:\windows\system32\nitrolocalui2.dll
    2012-10-01 05:05 . 2009-12-23 12:54 4779592 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2012-05-25 01:09 . 2012-05-25 01:09 3993600 ----a-w- c:\program files\GUT23C6.tmp
    2009-07-10 04:39 . 2009-07-10 04:39 350720 ----a-w- c:\program files\hjsplit.exe
    2012-12-01 14:16 . 2012-12-01 14:16 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
    @="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
    [HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
    2012-11-15 23:07 21904 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Akamai NetSession Interface"="c:\users\Michael\AppData\Local\Akamai\netsession_win.exe" [2012-05-25 4327744]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]
    "IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-10-26 3540416]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 842048]
    "YppMgwpp"="c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe" [2012-12-05 102176]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FATrayAlert"="c:\program files\Sensible Vision\Fast Access\FATrayMon.exe" [2008-09-05 95488]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-07-29 128296]
    "MobileConnect"="c:\program files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe" [2009-09-18 2412032]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]
    "Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-01-09 405639]
    "Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
    "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-04-02 1185112]
    "BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-29 483428]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-20 1422632]
    "SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2011-05-11 1353040]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-11 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
    "FAStartup"="" [BU]
    .
    c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
    .
    c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    yppmgwpp.exe [2012-12-2 102176]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-28 1316192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\users\Michael\AppData\Local\qjxavwgy\yppmgwpp.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\FastAccess]
    2008-09-05 22:16 140544 ----a-w- c:\program files\Sensible Vision\Fast Access\FALogNot.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-07-03 01:04 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer2"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli FAPassSync
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
    backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camera Monitor HD.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Camera Monitor HD.lnk
    backup=c:\windows\pss\Camera Monitor HD.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
    path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
    backup=c:\windows\pss\Dell Dock.lnk.Startup
    backupExtension=.Startup
    .
    [HKLM\~\startupfolder\C:^Users^Michael^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^FaxAmatic.lnk]
    path=c:\users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaxAmatic.lnk
    backup=c:\windows\pss\FaxAmatic.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-11-01 15:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLLEntry]
    2008-12-17 20:07 14848 ------w- c:\windows\System32\AmbRunE.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    2011-01-26 09:05 15026056 ----a-r- c:\program files\Skype\Phone\Skype.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2009-04-23 03:32 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
    2010-08-24 09:38 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001
    "UacDisableNotify"=dword:00000001
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - MICORSOFT_WINDOWS_SERVICE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-08 c:\windows\Tasks\Driver Robot.job
    - c:\program files\Driver Robot\1.2.0.5\DriverRobot.exe [2009-12-20 09:29]
    .
    2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
    .
    2012-12-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 09:32]
    .
    2012-11-21 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
    .
    2012-08-29 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-05-22 02:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com.au/advanced_search?hl=en
    uInternet Settings,ProxyOverride = <local>
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
    IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
    IE: Download with ImTOO iPhone Transfer Platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
    IE: Download with iphone-transfer-platinum - c:\program files\ImTOO\iPhone Transfer Platinum\upod_link.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-12-06 00:53
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
    "ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{62b5815b-3aff-4c89-b0a2-6a4cb4336d6a}]
    @Denied: (Full) (Everyone)
    @Allowed: (Read) (RestrictedCode)
    "Model"=dword:0000005f
    "Therad"=dword:00000022
    "MData"=hex(0):5d,3a,76,a6,e3,fe,72,b9,b9,9b,74,3f,a4,5c,0f,51,4d,10,4e,4e,e4,
    a1,1f,6f,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
    .
    [HKEY_USERS\S-1-5-21-99913640-511744193-596132334-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    @Denied: (Full) (Everyone)
    "scansk"=hex(0):4c,e2,3a,83,71,93,ed,db,b5,94,ad,bd,b4,2e,eb,fa,68,74,29,fb,a6,
    1d,cf,24,e5,61,bd,81,f8,99,be,8e,14,d3,19,18,2e,a5,d7,1e,00,00,00,00,00,00,\
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(736)
    c:\windows\system32\FAPassSync.dll
    .
    - - - - - - - > 'Explorer.exe'(6020)
    c:\windows\system32\btncopy.dll
    c:\windows\system32\mscms.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\atiesrxx.exe
    c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\STacSV.exe
    c:\program files\Creative\Shared Files\CTAudSvc.exe
    c:\program files\Dell\DellDock\DockLogin.exe
    c:\windows\system32\atieclxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\crypserv.exe
    c:\program files\Sensible Vision\Fast Access\FAService.exe
    c:\program files\Nitro PDF\Professional 7\NitroPDFDriverService2.exe
    c:\program files\Nitro\Pro 8\NitroPDFDriverService8.exe
    c:\windows\system32\NLSSRV32.EXE
    c:\program files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
    c:\program files\Common Files\SafeNet Sentinel\Sentinel Security Runtime\sntlsrtsrvr.exe
    c:\program files\TomTom HOME 2\TomTomHOMEService.exe
    c:\windows\system32\vmnat.exe
    c:\program files\VMware\VMware Player\vmware-authd.exe
    c:\program files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    c:\windows\system32\vmnetdhcp.exe
    c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Browny02\BrYNSvc.exe
    c:\program files\Sensible Vision\Fast Access\FATrayAlert.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\ehsched.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe
    c:\windows\ehome\ehRecvr.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    c:\windows\system32\WUDFHost.exe
    .
    **************************************************************************
    .
    Completion time: 2012-12-06 00:58:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-12-05 16:58
    ComboFix2.txt 2012-12-05 03:15
    ComboFix3.txt 2012-12-05 02:33
    .
    Pre-Run: 27,135,819,776 bytes free
    Post-Run: 26,778,341,376 bytes free
    .
    - - End Of File - - 7685FE674AE91F17B6B78FD3BAF4AB15
    adam88, Dec 5, 2012
    #25

  6. Broni Malware Annihilator Posts: 39,231   +175

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Broni, Dec 5, 2012
    #26
     

  7. adam88 Newcomer, in training Posts: 68

    C:\Documents and Settings\Michael\AppData\Local\Application Data\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Documents and Settings\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Documents and Settings\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\Documents and Settings\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Qoobox\Quarantine\C\Users\Michael\AppData\Roaming\Ivzaqa\yhihi.exe.vir a variant of Win32/Kryptik.APVV trojan
    C:\Users\Michael\AppData\Local\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\Users\Michael\do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\Users\Michael\Local Settings\temp\qunklyrv.exe a variant of Win32/Ramnit.AX.Gen virus
    C:\zaladunek\OmniFormat.11.2.rar probably a variant of Win32/Agent.LUOIRVW trojan
    C:\zaladunek\PDFs from do uzytku\libtiff.pdf JS/Exploit.Pdfka.OTO.Gen trojan
    C:\zaladunek\zips\478c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\560c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\836c430788a177bf6d0366a54b5244aa00a.zip Win32/Packed.Themida.C trojan
    C:\zaladunek\zips\cscteddsaustraliaengineeringv10keygenlnd.zip Win32/Packed.Themida.C trojan
    Operating memory probably a variant of Win32/Ramnit.L virus
    adam88, Dec 6, 2012
    #27

  8. Broni Malware Annihilator Posts: 39,231   +175

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
    Broni, Dec 6, 2012
    #28

  9. adam88 Newcomer, in training Posts: 68

    Thanks Broni.

    Could you please advise on the following:

    - I need to backup my data. Any chances of the infection being 'imported' via data blocks (content) to the backup drive/another computer?

    - How to effectively verify whether any portable drives/other PCs that possibly shared data from my infected computer are affected? I am using another PC now, how to (quickly) check whether this piece of equipment is affected (data sharing with infected PC)?

    - Is it possible to identify when and with which particular file(s) the computer was infected?

    Thanks for your help



    -
    adam88, Dec 6, 2012
    #29

  10. Broni Malware Annihilator Posts: 39,231   +175

    You can backup your data but do NOT back them up to another computer.
    Use external hard drive or USB flash drive to do so.
    Do NOT use them on another computer anymore.

    Format hard drive.
    Reinstall Windows install all updates and security tools (AV, firewall).

    Install Panda USB Vaccine, or BitDefender’s USB Immunizer on your computer to protect it from any infected USB device.

    Now you'll be safe to plugin your backup device and scan it with your AV program.

    If you exchanged any files between this and any computers, all other computers have to be checked.
    Create new topic for each computer.
    Broni, Dec 6, 2012
    #30

  11. adam88 Newcomer, in training Posts: 68

    I am using another computer now and it did not show any signs of infection. Which means really nothing, under the circumstances.
    What should be the first step to check the status of this particular PC?
    Thanks
    adam88, Dec 6, 2012
    #31

  12. Broni Malware Annihilator Posts: 39,231   +175

    You'd have to start new topic and complete all preliminary steps.
    Broni, Dec 6, 2012
    #32

  13. adam88 Newcomer, in training Posts: 68

    As described in your first, very general instruction?
    The best effective way to verify (the safety of the contents of) the portable disk where the data is stored?
    adam88, Dec 6, 2012
    #33

  14. Broni Malware Annihilator Posts: 39,231   +175

    Broni, Dec 6, 2012
    #34

  15. adam88 Newcomer, in training Posts: 68

    Thanks.

    Panda (feature not included) and BD )portable HD not detected) cannot process my NFTS portable HD, any alternatives?

    Is it possible to pinpoint which particular file(s)/source was the source, establish the approx. date of infection?

    Thanks.
    adam88, Dec 6, 2012
    #35

  16. Broni Malware Annihilator Posts: 39,231   +175

    No.

    As far as I know BD supports NTFS drives.
    Are you getting any error message?
    Broni, Dec 6, 2012
    #36

  17. adam88 Newcomer, in training Posts: 68

    When I am prompted to insert USB device and subsequently connect the external (NFTS) hard drive, it is not recognized by BD.
    Does it take a longer time for BD to recognize (and immune) 1.5TB HD?
    adam88, Dec 6, 2012
    #37

  18. Broni Malware Annihilator Posts: 39,231   +175

    I'm not sure.
    You may try BD forum.
    Broni, Dec 6, 2012
    #38

  19. adam88 Newcomer, in training Posts: 68

    'immunize' :)
    adam88, Dec 6, 2012
    #39

  20. adam88 Newcomer, in training Posts: 68

    I assume I can safely (no downloads done before) use my iPod for immediate communication purposes since my computers are now 'suspect' (one for sure), is it safe?
    adam88, Dec 6, 2012
    #40
Page 2 of 3

Add New Comment

Social Login & Guest Posting

TechSpot Members
Login here or sign up for free,
it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.