TechSpot

[Not curable - Ramnit] VBS/Generic;Win32/Heur;Win32/Zbot.E problems!

By agringo
Oct 12, 2010
Topic Status:
Not open for further replies.
  1. Hi there guys,

    As the title says I'm having real trouble getting rid of this deep dug in, ever replicating virus. I have a feeling I will just have to bite the reformat bullet but on reading your hugely helpful forums I realised there may be hope yet!
    Any help would be greatly appreciated- many thanks.

    Here is the info your 8 steps asks for.....

    AVG overview:-

    "Scan ""Scan whole computer"" completed."
    "Infections";"14";"14";"0"
    "Warnings";"4";"4";"0"
    "Folders selected for scanning:";"Scan whole computer"
    "Scan started:";"12 October 2010, 14:39:29"
    "Scan finished:";"12 October 2010, 15:13:40 (34 minute(s) 10 second(s))"
    "Total object scanned:";"330576"
    "User who launched the scan:";"Owner"

    "Infections"
    "File";"Infection";"Result"
    "C:\Program Files\Webteh\BSplayer\bsplay.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Webteh\BSplayer\bslib\bslib.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Webteh\BSplayer\bplay.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow!\RecordNow.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Real\RealPlayer\rpplugins\rjbdll.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Java\jre6\bin\client\jvm.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Barbie\Barbie(TM) Sparkling Ice Show(TM)\fmod.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Barbie(TM)\Barbie(TM) Horse Adventures(TM)\fmod.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\Program Files\Analog Devices\Core\smax4pnp.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\DELL\drivers\R94481\SMAXWDM\W2K_XP\SMax4PNP.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\DELL\drivers\R94481\SM_Sensa\Sys\virtear.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\DELL\drivers\R106458\Win2000\iglicd32.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
    "C:\DELL\drivers\R106458\Win2000\igfxress.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"

    "Warnings"
    "File";"Infection";"Result"
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SoundMAXPnP";"Found registry key with reference to infected file C:\Program Files\Analog Devices\Core\smax4pnp.exe";"Moved to Virus Vault"
    "C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
    "C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Healed"

    Malwarebytes Anti-Malware log:-

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4800

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/10/2010 15:53:59
    mbam-log-2010-10-12 (15-53-59).txt

    Scan type: Quick scan
    Objects scanned: 139398
    Time elapsed: 6 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER Log:-

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-12 18:19:59
    Windows 5.1.2600 Service Pack 3
    Running: r2tzoqpu.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfxdrkob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA499F80]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\Fastfat \Fat B108FD20

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
    Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- EOF - GMER 1.0.15 ----

    DDS Logs: (Attach.txt is attached):-

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Owner at 18:21:26.26 on 12/10/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = about:blank
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    uPolicies-explorer: StartMenuLogOff = 1 (0x1)
    dPolicies-explorer: DisallowRun = 1 (0x1)
    dPolicies-disallowrun: 1 = firefox.exe
    dPolicies-disallowrun: 2 = opera.exe
    dPolicies-disallowrun: 3 = chrome.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236285704328
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\bnhagsq3.default\
    FF - prefs.js: browser.search.selectedEngine - Mininova
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {64DE1CB1-F90D-4F18-A58F-5D7C48B3D017} - c:\documents and settings\owner\local settings\application data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-10-11 21:56:08 -------- d-----w- c:\program files\Trend Micro
    2010-10-11 21:04:31 23512 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
    2010-10-11 21:04:31 138712 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2010-10-11 20:09:21 -------- d-----w- c:\program files\tmp
    2010-10-11 20:08:49 -------- d-----w- c:\program files\windows
    2010-10-11 15:28:21 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
    2010-10-11 15:28:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 15:28:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 15:28:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-11 15:28:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-10-11 13:52:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-10-11 13:52:39 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-11 08:06:56 64000 -c--a-w- c:\windows\system32\dllcache\wmplayer.exe
    2010-10-11 08:06:56 243712 -c--a-w- c:\windows\system32\dllcache\mpvis.dll
    2010-10-11 08:06:55 215552 -c--a-w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-10 15:13:54 -------- d-----w- c:\program files\Microsoft
    2010-10-03 00:09:35 -------- d-----w- c:\docume~1\owner\applic~1\Xaly

    ==================== Find3M ====================

    2010-09-26 10:37:20 604416 ----a-w- c:\windows\system32\TUProgSt.exe
    2010-09-26 10:37:17 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
    2010-08-31 17:30:00 286720 ----a-w- c:\windows\iun507.exe
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-08-10 04:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-08-10 04:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-07-27 01:51:09 3615 ----a-w- c:\windows\esamuqob.dll
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-07-17 15:49:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    ============= FINISH: 18:22:05.96 ===============

    Fingers crossed an Thanks again!

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    Welcome aboard [​IMG]

    Please, never zip any logs.

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  3. agringo

    agringo TS Rookie Topic Starter

    Hi Broni and thankyou for your time.

    Sorry about the zip - thought I had read to do that but was prob just brain fried from reading too many fix-it blogs, anyway here are the reports.......

    MBR check:-

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7A4F000 PCIIde.sys
    0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF7607000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF74C0000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF74A0000 fltmgr.sys
    0xF748E000 sr.sys
    0xF7479000 drvmcdb.sys
    0xF7717000 PxHelp20.sys
    0xF7462000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF7435000 NDIS.sys
    0xF741B000 Mup.sys
    0xF7537000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA0B1000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xBA09D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA079000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7527000 \SystemRoot\system32\drivers\es1371mp.sys
    0xBA055000 \SystemRoot\system32\drivers\portcls.sys
    0xF7517000 \SystemRoot\system32\drivers\drmk.sys
    0xBA032000 \SystemRoot\system32\drivers\ks.sys
    0xBA00C000 \SystemRoot\system32\DRIVERS\e100b325.sys
    0xF77C7000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF793F000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB9FF8000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF79A1000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xBA458000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA448000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB9FB8000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9F05000 \SystemRoot\system32\drivers\senfilt.sys
    0xBA2F7000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA438000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7947000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9EEE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9EDD000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77D7000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77DF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF79A3000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9DDF000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA7F4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA3C8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7667000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79AB000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA7BF000 \SystemRoot\system32\DRIVERS\gameenum.sys
    0xF79AD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB1475000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79AF000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7817000 \SystemRoot\system32\drivers\ssrtln.sys
    0xF781F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF772F000 \SystemRoot\System32\drivers\vga.sys
    0xF79B1000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79B3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF7737000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF773F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA7A7000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB1394000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB133B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB1301000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xB12DB000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF791B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF7747000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF791F000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF7927000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB12B3000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB1291000 \SystemRoot\System32\drivers\afd.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB1266000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB11F6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF76C7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF774F000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xB11C2000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xB9ECD000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB10E2000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79F7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB1417000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF777F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A75000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF042000 \SystemRoot\System32\ialmdev5.DLL
    0xBF077000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB1192000 \SystemRoot\system32\drivers\drvnddm.sys
    0xF7A8C000 \SystemRoot\system32\dla\tfsndres.sys
    0xB102C000 \SystemRoot\system32\dla\tfsnifs.sys
    0xBA7AF000 \SystemRoot\system32\dla\tfsnopio.sys
    0xF798D000 \SystemRoot\system32\dla\tfsnpool.sys
    0xF77AF000 \SystemRoot\system32\dla\tfsnboio.sys
    0xB1182000 \SystemRoot\system32\dla\tfsncofs.sys
    0xF7A8D000 \SystemRoot\system32\dla\tfsndrct.sys
    0xB1013000 \SystemRoot\system32\dla\tfsnudf.sys
    0xB0FFA000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xB1066000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB0BD5000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB0F62000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF79D1000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB09B2000 \SystemRoot\System32\Drivers\PPSCAN.SYS
    0xB07A3000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB037A000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAF840000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 28):
    0 System Idle Process
    4 System
    840 C:\WINDOWS\system32\smss.exe
    988 csrss.exe
    1016 C:\WINDOWS\system32\winlogon.exe
    1080 C:\WINDOWS\system32\services.exe
    1092 C:\WINDOWS\system32\lsass.exe
    1288 C:\WINDOWS\system32\svchost.exe
    1372 svchost.exe
    1468 C:\WINDOWS\system32\svchost.exe
    1544 svchost.exe
    1660 svchost.exe
    1672 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1680 C:\Program Files\AVG\AVG9\avgrsx.exe
    1980 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    2012 C:\WINDOWS\explorer.exe
    472 C:\WINDOWS\system32\spoolsv.exe
    728 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    1516 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    2036 C:\WINDOWS\system32\svchost.exe
    244 C:\WINDOWS\system32\TUProgSt.exe
    992 C:\Program Files\AVG\AVG9\avgemc.exe
    1452 C:\Program Files\AVG\AVG9\avgnsx.exe
    1772 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    2828 alg.exe
    3708 C:\WINDOWS\system32\svchost.exe
    556 C:\Program Files\Internet Explorer\iexplore.exe
    2472 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGSP0802N, Rev: TK100-28
    PhysicalDrive1 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    Done!

    Combofix :-

    ComboFix 10-10-12.03 - Owner 13/10/2010 9:35.1.1 - x86
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}
    c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\install.rdf
    c:\windows\esamuqob.dll
    c:\windows\system32\921310595.dat
    c:\windows\system32\dmlconf.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SVCHOST


    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-11 21:56 . 2010-10-11 21:56 -------- d-----w- c:\program files\Trend Micro
    2010-10-11 21:04 . 2010-09-14 23:02 23512 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
    2010-10-11 21:04 . 2010-09-14 23:02 138712 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
    2010-10-11 20:09 . 2010-10-11 20:09 -------- d-----w- c:\program files\tmp
    2010-10-11 20:08 . 2010-10-11 20:09 -------- d-----w- c:\program files\windows
    2010-10-11 18:57 . 2010-10-11 18:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-10-11 15:28 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-11 15:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 13:52 . 2010-10-11 13:52 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-11 08:06 . 2010-10-11 08:06 64000 -c--a-w- c:\windows\system32\dllcache\wmplayer.exe
    2010-10-11 08:06 . 2010-10-11 08:06 243712 -c--a-w- c:\windows\system32\dllcache\mpvis.dll
    2010-10-11 08:06 . 2010-10-11 08:06 215552 -c--a-w- c:\windows\system32\dllcache\wordpad.exe
    2010-10-10 15:13 . 2010-10-12 12:05 -------- d-----w- c:\program files\Microsoft
    2010-10-03 00:09 . 2010-10-11 07:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Xaly

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-09-27 11:32 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-05 2067808]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "DisallowRun"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
    "1"= firefox.exe
    "2"= opera.exe
    "3"= chrome.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-17 15:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\ApexDC++\\ApexDC.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    R0 nomdmva;nomdmva;c:\windows\system32\drivers\ebkrxqqo.sys [x]
    R1 kpef640;kpef640;c:\windows\System32\drivers\kpef640.sys [x]
    R1 qjs9059;qjs9059;c:\windows\System32\drivers\qjs9059.sys [x]
    R1 rcq17de;rcq17de;c:\windows\System32\drivers\rcq17de.sys [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate1ca1220f20475f4;Google Update Service (gupdate1ca1220f20475f4);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 133104]
    R2 lanmanserverHidServ;Server lanmanserverHidServ; srv [x]
    R2 SMPCLS;SMPCLS; [x]
    R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-09-27 431432]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-17 216400]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-17 243024]
    S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-22 921952]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-17 308136]
    S2 PPSCAN;PPSCAN; [x]


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-13 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 20:52]

    2010-07-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-05-13 14:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bnhagsq3.default\
    FF - prefs.js: browser.search.selectedEngine - Mininova
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserverHidServ]
    "ImagePath"=" srv"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3324)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\System32\TUProgSt.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-13 09:45:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-13 08:45

    Pre-Run: 3,194,494,976 bytes free
    Post-Run: 3,094,818,816 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - E1EC8BA697757178E45AB71CFD52FDEB
  4. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
  5. agringo

    agringo TS Rookie Topic Starter

    DAMN IT!!!

    Well thank you very much for your time Broni.

    Your efforts are well appreciated even if only to comfirm my worst suspisions. :(

    Guess it be reformat time. :wave:

    Thanks again!
  6. Broni

    Broni Malware Annihilator Posts: 46,787   +254

    I wish, I had better news :(
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.