[Not curable - Ramnit] VBS/Generic;Win32/Heur;Win32/Zbot.E problems!

Status
Not open for further replies.
Hi there guys,

As the title says I'm having real trouble getting rid of this deep dug in, ever replicating virus. I have a feeling I will just have to bite the reformat bullet but on reading your hugely helpful forums I realised there may be hope yet!
Any help would be greatly appreciated- many thanks.

Here is the info your 8 steps asks for.....

AVG overview:-

"Scan ""Scan whole computer"" completed."
"Infections";"14";"14";"0"
"Warnings";"4";"4";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"12 October 2010, 14:39:29"
"Scan finished:";"12 October 2010, 15:13:40 (34 minute(s) 10 second(s))"
"Total object scanned:";"330576"
"User who launched the scan:";"Owner"

"Infections"
"File";"Infection";"Result"
"C:\Program Files\Webteh\BSplayer\bsplay.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Webteh\BSplayer\bslib\bslib.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Webteh\BSplayer\bplay.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow!\RecordNow.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Real\RealPlayer\rpplugins\rjbdll.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Java\jre6\bin\client\jvm.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Barbie\Barbie(TM) Sparkling Ice Show(TM)\fmod.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Barbie(TM)\Barbie(TM) Horse Adventures(TM)\fmod.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\Program Files\Analog Devices\Core\smax4pnp.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\DELL\drivers\R94481\SMAXWDM\W2K_XP\SMax4PNP.exe";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\DELL\drivers\R94481\SM_Sensa\Sys\virtear.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\DELL\drivers\R106458\Win2000\iglicd32.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"
"C:\DELL\drivers\R106458\Win2000\igfxress.dll";"Virus identified Win32/Zbot.E";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SoundMAXPnP";"Found registry key with reference to infected file C:\Program Files\Analog Devices\Core\smax4pnp.exe";"Moved to Virus Vault"
"C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Moved to Virus Vault"
"C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Healed"

Malwarebytes Anti-Malware log:-

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4800

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/10/2010 15:53:59
mbam-log-2010-10-12 (15-53-59).txt

Scan type: Quick scan
Objects scanned: 139398
Time elapsed: 6 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER Log:-

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-12 18:19:59
Windows 5.1.2600 Service Pack 3
Running: r2tzoqpu.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfxdrkob.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xBA499F80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat B108FD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

DDS Logs: (Attach.txt is attached):-

DDS (Ver_10-10-10.03) - NTFSx86
Run by Owner at 18:21:26.26 on 12/10/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = about:blank
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = firefox.exe
dPolicies-disallowrun: 2 = opera.exe
dPolicies-disallowrun: 3 = chrome.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236285704328
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\bnhagsq3.default\
FF - prefs.js: browser.search.selectedEngine - Mininova
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {64DE1CB1-F90D-4F18-A58F-5D7C48B3D017} - c:\documents and settings\owner\local settings\application data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-11 21:56:08 -------- d-----w- c:\program files\Trend Micro
2010-10-11 21:04:31 23512 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-10-11 21:04:31 138712 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-10-11 20:09:21 -------- d-----w- c:\program files\tmp
2010-10-11 20:08:49 -------- d-----w- c:\program files\windows
2010-10-11 15:28:21 -------- d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-10-11 15:28:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 15:28:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 15:28:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-11 15:28:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-11 13:52:39 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-11 13:52:39 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-11 08:06:56 64000 -c--a-w- c:\windows\system32\dllcache\wmplayer.exe
2010-10-11 08:06:56 243712 -c--a-w- c:\windows\system32\dllcache\mpvis.dll
2010-10-11 08:06:55 215552 -c--a-w- c:\windows\system32\dllcache\wordpad.exe
2010-10-10 15:13:54 -------- d-----w- c:\program files\Microsoft
2010-10-03 00:09:35 -------- d-----w- c:\docume~1\owner\applic~1\Xaly

==================== Find3M ====================

2010-09-26 10:37:20 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2010-09-26 10:37:17 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-08-31 17:30:00 286720 ----a-w- c:\windows\iun507.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-10 04:15:58 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 04:15:58 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-27 01:51:09 3615 ----a-w- c:\windows\esamuqob.dll
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 15:49:37 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 18:22:05.96 ===============

Fingers crossed an Thanks again!
 

Attachments

  • Attach.zip
    1.4 KB · Views: 0
Welcome aboard
yahooo.gif


Please, never zip any logs.

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi Broni and thankyou for your time.

Sorry about the zip - thought I had read to do that but was prob just brain fried from reading too many fix-it blogs, anyway here are the reports.......

MBR check:-

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 129):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 PCIIde.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF74C0000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A0000 fltmgr.sys
0xF748E000 sr.sys
0xF7479000 drvmcdb.sys
0xF7717000 PxHelp20.sys
0xF7462000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7435000 NDIS.sys
0xF741B000 Mup.sys
0xF7537000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA0B1000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xBA09D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77B7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA079000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77BF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7527000 \SystemRoot\system32\drivers\es1371mp.sys
0xBA055000 \SystemRoot\system32\drivers\portcls.sys
0xF7517000 \SystemRoot\system32\drivers\drmk.sys
0xBA032000 \SystemRoot\system32\drivers\ks.sys
0xBA00C000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7507000 \SystemRoot\system32\DRIVERS\serial.sys
0xF793F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB9FF8000 \SystemRoot\system32\DRIVERS\parport.sys
0xF74F7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF79A1000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xBA458000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA448000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9FB8000 \SystemRoot\system32\drivers\smwdm.sys
0xB9F05000 \SystemRoot\system32\drivers\senfilt.sys
0xBA2F7000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA438000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7947000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9EEE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA418000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9EDD000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA408000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF77E7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77EF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79A3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9DDF000 \SystemRoot\system32\DRIVERS\update.sys
0xBA7F4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA3C8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7667000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79AB000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA7BF000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF79AD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB1475000 \SystemRoot\System32\Drivers\Null.SYS
0xF79AF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7817000 \SystemRoot\system32\drivers\ssrtln.sys
0xF781F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF772F000 \SystemRoot\System32\drivers\vga.sys
0xF79B1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79B3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7737000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF773F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA7A7000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB1394000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB133B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB1301000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB12DB000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7697000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF791B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7747000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF791F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7927000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB12B3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB1291000 \SystemRoot\System32\drivers\afd.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB1266000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB11F6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF76C7000 \SystemRoot\System32\Drivers\Fips.SYS
0xF774F000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB11C2000 \SystemRoot\System32\Drivers\avgldx86.sys
0xB9ECD000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB10E2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79F7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB1417000 \SystemRoot\System32\drivers\Dxapi.sys
0xF777F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A75000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB1192000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7A8C000 \SystemRoot\system32\dla\tfsndres.sys
0xB102C000 \SystemRoot\system32\dla\tfsnifs.sys
0xBA7AF000 \SystemRoot\system32\dla\tfsnopio.sys
0xF798D000 \SystemRoot\system32\dla\tfsnpool.sys
0xF77AF000 \SystemRoot\system32\dla\tfsnboio.sys
0xB1182000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7A8D000 \SystemRoot\system32\dla\tfsndrct.sys
0xB1013000 \SystemRoot\system32\dla\tfsnudf.sys
0xB0FFA000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB1066000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB0BD5000 \SystemRoot\system32\drivers\wdmaud.sys
0xB0F62000 \SystemRoot\system32\drivers\sysaudio.sys
0xF79D1000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB09B2000 \SystemRoot\System32\Drivers\PPSCAN.SYS
0xB07A3000 \SystemRoot\system32\DRIVERS\srv.sys
0xB037A000 \SystemRoot\System32\Drivers\HTTP.sys
0xAF840000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):
0 System Idle Process
4 System
840 C:\WINDOWS\system32\smss.exe
988 csrss.exe
1016 C:\WINDOWS\system32\winlogon.exe
1080 C:\WINDOWS\system32\services.exe
1092 C:\WINDOWS\system32\lsass.exe
1288 C:\WINDOWS\system32\svchost.exe
1372 svchost.exe
1468 C:\WINDOWS\system32\svchost.exe
1544 svchost.exe
1660 svchost.exe
1672 C:\Program Files\AVG\AVG9\avgchsvx.exe
1680 C:\Program Files\AVG\AVG9\avgrsx.exe
1980 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2012 C:\WINDOWS\explorer.exe
472 C:\WINDOWS\system32\spoolsv.exe
728 C:\PROGRA~1\AVG\AVG9\avgtray.exe
1516 C:\Program Files\AVG\AVG9\avgwdsvc.exe
2036 C:\WINDOWS\system32\svchost.exe
244 C:\WINDOWS\system32\TUProgSt.exe
992 C:\Program Files\AVG\AVG9\avgemc.exe
1452 C:\Program Files\AVG\AVG9\avgnsx.exe
1772 C:\Program Files\AVG\AVG9\avgcsrvx.exe
2828 alg.exe
3708 C:\WINDOWS\system32\svchost.exe
556 C:\Program Files\Internet Explorer\iexplore.exe
2472 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGSP0802N, Rev: TK100-28
PhysicalDrive1 Model Number: WDCWD5000AAKB-00H8A0, Rev: 05.04E05

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Combofix :-

ComboFix 10-10-12.03 - Owner 13/10/2010 9:35.1.1 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}
c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{64DE1CB1-F90D-4F18-A58F-5D7C48B3D017}\install.rdf
c:\windows\esamuqob.dll
c:\windows\system32\921310595.dat
c:\windows\system32\dmlconf.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCHOST


((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
.

2010-10-11 21:56 . 2010-10-11 21:56 -------- d-----w- c:\program files\Trend Micro
2010-10-11 21:04 . 2010-09-14 23:02 23512 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-10-11 21:04 . 2010-09-14 23:02 138712 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-10-11 20:09 . 2010-10-11 20:09 -------- d-----w- c:\program files\tmp
2010-10-11 20:08 . 2010-10-11 20:09 -------- d-----w- c:\program files\windows
2010-10-11 18:57 . 2010-10-11 18:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-10-11 15:28 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-11 15:28 . 2010-10-11 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-11 15:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 13:52 . 2010-10-11 13:52 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-11 08:06 . 2010-10-11 08:06 64000 -c--a-w- c:\windows\system32\dllcache\wmplayer.exe
2010-10-11 08:06 . 2010-10-11 08:06 243712 -c--a-w- c:\windows\system32\dllcache\mpvis.dll
2010-10-11 08:06 . 2010-10-11 08:06 215552 -c--a-w- c:\windows\system32\dllcache\wordpad.exe
2010-10-10 15:13 . 2010-10-12 12:05 -------- d-----w- c:\program files\Microsoft
2010-10-03 00:09 . 2010-10-11 07:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Xaly

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-09-27 11:32 2102600 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-09-27 2102600]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-05 2067808]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= firefox.exe
"2"= opera.exe
"3"= chrome.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-17 15:49 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\ApexDC++\\ApexDC.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 nomdmva;nomdmva;c:\windows\system32\drivers\ebkrxqqo.sys [x]
R1 kpef640;kpef640;c:\windows\System32\drivers\kpef640.sys [x]
R1 qjs9059;qjs9059;c:\windows\System32\drivers\qjs9059.sys [x]
R1 rcq17de;rcq17de;c:\windows\System32\drivers\rcq17de.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca1220f20475f4;Google Update Service (gupdate1ca1220f20475f4);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 133104]
R2 lanmanserverHidServ;Server lanmanserverHidServ; srv [x]
R2 SMPCLS;SMPCLS; [x]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-09-27 431432]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-17 216400]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-17 243024]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-22 921952]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-17 308136]
S2 PPSCAN;PPSCAN; [x]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-10-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 20:52]

2010-07-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2010-05-13 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bnhagsq3.default\
FF - prefs.js: browser.search.selectedEngine - Mininova
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserverHidServ]
"ImagePath"=" srv"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3324)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\System32\TUProgSt.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-10-13 09:45:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-13 08:45

Pre-Run: 3,194,494,976 bytes free
Post-Run: 3,094,818,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E1EC8BA697757178E45AB71CFD52FDEB
 
I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
 
DAMN IT!!!

Well thank you very much for your time Broni.

Your efforts are well appreciated even if only to comfirm my worst suspisions. :(

Guess it be reformat time. :wave:

Thanks again!
 
Status
Not open for further replies.
Back