[Not curable: Ramnit] ZBot.G Virus - Cannot access certain websites

By FLo711
Oct 28, 2011
  1. Hi,

    I have run MB on my infected laptop - however it can't connect to certain sites, AVG, Trend Micro, Microsoft and TechSpot - I assume this is related to the virus as I can access other sites just fine.

    My question is: is it safe to use a USB key to transfer the log files to this PC in order to post them, or is there another safe way to transfer the files so I can put them in this thread?

    Thanks in Advance.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can use a flash drive and it can be disinfected if needed. Malware will frequently prevent connecting to security sites. Once you get the programs on the infected system, if you have trouble running them, I will help with that.

    However, if possible, I'd like you to run this online virus scan first - you need the internet connection to run it:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================================
    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    =========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. FLo711

    FLo711 Newcomer, in training Topic Starter

    Logs Postings

    Hi,

    The ESET site was blocked. So instead I ran the remaining logs; they are listed below.

    MB

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8014

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/25/2011 5:06:29 PM
    mbam-log-2011-10-25 (17-06-29).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 379162
    Time elapsed: 1 hour(s), 43 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(default) (Trojan.Agent) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    =============================================================

    GMER

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-29 16:27:39
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHV2120BH_PL rev.00000029
    Running: kvr7c4h1.exe; Driver: C:\DOCUME~1\DameJo\LOCALS~1\Temp\axldypob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    ===============================================================

    DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Run by DameJo at 16:28:40 on 2011-10-29
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.962 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\bgsvcgen.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
    C:\Program Files\Sony\ISB Utility\ISBMgr.exe
    C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
    C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
    C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    D:\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://vaio-online.sony.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe,
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
    TB: {DF4E7A0C-E233-4906-B4C1-A404356541FF} - No File
    uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
    uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
    uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
    uRun: [uTorrent] "c:\documents and settings\damejo\application data\utorrent\utorrent177.exe"
    uRun: [VdpOxdbw] c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
    mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
    mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
    mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
    mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
    mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [4shared Update] "c:\program files\4shared desktop\checkUpdate.exe"
    mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-5B73U.exe" /REG /REGSVRMODE
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\damejo\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
    IE: &Download using 4shared Desktop - c:\program files\4shared desktop\down_link.htm
    IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: RDM+ - c:\program files\rdm+\notify.dll
    Notify: VESWinlogon - VESWinlogon.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\damejo\application data\mozilla\firefox\profiles\qgd6ev2o.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=au&.src=ym&.done=http%3A%2F%2Fmail.yahoo.com%2F
    FF - component: c:\documents and settings\damejo\application data\mozilla\firefox\profiles\qgd6ev2o.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast -
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-14 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-14 29712]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-14 243152]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 242600]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 29400]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-26 218688]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-14 308136]
    R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1793712]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
    R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-15 27992]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-5-29 31896]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-7-22 6609920]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-8-28 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-28 226304]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
    S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-28 1251720]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 RDMPLocalService;RDM+ Local Service;"c:\program files\rdm+\rdmpserv.exe" --> c:\program files\rdm+\rdmpserv.exe [?]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
    .
    =============== Created Last 30 ================
    .
    2011-10-25 18:18:56 -------- d-----w- c:\documents and settings\damejo\application data\4shared Desktop
    2011-10-25 18:16:25 -------- d-----w- c:\program files\4shared Desktop
    2011-10-24 22:10:25 709968 ----a-w- c:\windows\is-5B73U.exe
    2011-10-24 20:39:42 54016 ----a-w- c:\windows\system32\drivers\fjlh.sys
    2011-10-23 10:15:19 -------- d-----w- c:\documents and settings\damejo\local settings\application data\nwbyndug
    .
    ==================== Find3M ====================
    .
    2011-10-18 09:45:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\SET392.tmp
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\SET390.tmp
    2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\SET391.tmp
    2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-23 22:28:48 285256 ----a-w- c:\windows\system32\guard32.dll
    2011-08-23 22:28:47 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-08-23 22:28:47 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-08-23 22:28:47 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    ============= FINISH: 16:30:39.64 ===============


    ---------------------------------------------

    DDS Attach

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/14/2010 11:04:33 AM
    System Uptime: 10/21/2011 9:51:22 PM (187 hours ago)
    .
    Motherboard: Sony Corporation | | VAIO
    Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | N/A | 1995/167mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 47 GiB total, 1.91 GiB free.
    D: is FIXED (NTFS) - 59 GiB total, 8.757 GiB free.
    E: is Removable
    F: is CDROM ()
    G: is CDROM ()
    H: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\22E0C788004603
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\22E0C788004603
    Service: NIC1394
    .
    ==== System Restore Points ===================
    .
    RP290: 10/29/2011 6:59:17 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    4shared Desktop
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 7.0.5 Language Support
    Adobe Reader 7.0.9
    Adobe Reader Japanese Fonts
    Albumprinter Australia
    Any Video Converter 3.2.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Audacity 1.2.6
    AVG Free 9.0
    Bluetooth Stack for Windows by Toshiba
    Bonjour
    BrettspielWelt
    Canon Camera Access Library
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MOV Decoder
    Canon MOV Encoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC 8
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.7
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Combined Community Codec Pack 2008-09-21 16:18
    COMODO Internet Security
    DAEMON Tools Lite
    DVgate Plus
    Evernote
    FileZilla Client 3.2.7.1
    GearDrvs
    GourmetGaming
    HDAUDIO SoftV92 Data Fax Modem with SmartCP
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976002-v5)
    Image Converter 2 Plus
    ImageMixer VCD/DVD2 for OLYMPUS
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet/Wireless Software
    InterVideo WinDVD for VAIO
    InterVideo WinDVDX
    iTunes
    J2SE Runtime Environment 5.0 Update 7
    Java(TM) 6 Update 17
    Jessops Photo
    LAME v3.98.2 for Audacity
    LAN Setting Utility
    LizardTech DjVu Control
    Malwarebytes' Anti-Malware version 1.51.2.1300
    mCore
    mDriver
    Memory Stick Formatter
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft GB18030 Support Package
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Office XP Professional with FrontPage
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server Desktop Engine (VAIO_VEDB)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    mMHouse
    MobileMe Control Panel
    Mozilla Firefox 7.0.1 (x86 en-US)
    MP3 To Ringtone Gold 3.50
    mPfMgr
    mProSafe
    MSN
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    mWlsSafe
    mXML
    Nero 6 Ultra Edition
    Norton 360
    NVIDIA Drivers
    OLYMPUS Master
    OpenMG AAC Add-on Module 1.0.00
    OpenMG Limited Patch 4.5-06-05-12-01
    OpenMG Secure Module 4.5.01
    Optus Wireless Broadband
    PowerStrip 3 (remove only)
    QuickTime
    RDM+ 4.11
    Rosetta Stone Version 3
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Setting Utility Series
    SigmaTel Audio
    Skype Click to Call
    Skype™ 5.5
    Sony MP4 Shared Library
    Sony USB Mouse
    Sony Utilities DLL
    Sony Video Shared Library
    StreamTorrent 1.0
    Symantec KB-DocID:2003093015493306
    TextPad 5
    TreeSize Free V2.4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update Service
    VAIO Aqua Breeze Wallpaper
    VAIO Camera Utility
    VAIO CameraVJ Screen Saver
    VAIO Control Center
    VAIO Cozy Orange Wallpaper
    VAIO Edit Components 6.0
    VAIO Entertainment Platform
    VAIO Event Service
    VAIO Launcher
    VAIO Manual
    VAIO Media 5.0
    VAIO Media AC3 Decoder 1.0
    VAIO Media Integrated Server 5.0
    VAIO Media Redistribution 5.0
    VAIO Media Registration Tool 5.0
    VAIO Original Screen Saver
    VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
    VAIO Power Management
    VAIO Tender Green Wallpaper
    VAIO Update 2
    VAIO Zone
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.0
    WebFldrs XP
    Windows Driver Package - Intel (NETw5x32) net (05/28/2009 12.4.3.9)
    Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Internet Explorer 8
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR 4.01 (32-bit)
    Wireless LAN Starter
    Wireless Switch Setting Utility
    Xvid 1.1.3 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/29/2011 4:29:04 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
    10/29/2011 4:29:02 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
    10/29/2011 4:27:16 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4028.0.
    10/29/2011 4:25:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    10/29/2011 4:21:44 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    10/26/2011 1:58:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'iexplore.exe.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    10/25/2011 7:14:20 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'moviemk.exe.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    10/25/2011 5:35:50 PM, error: DCOM [10000] - Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}. The error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding
    10/24/2011 11:09:08 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
    10/23/2011 11:15:39 AM, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
    10/23/2011 1:10:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'vgx.dll.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    .
    ==== End Of File ===========================


    ======================================================

    BTW the link in the FAQ to GMER didn't work for me; instead I went directly to gmer.net and d/l the most recent Windows version.

    Thanks for your help.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have 2 security suites running, both of which have an antivirus program and a firewall. In addition, you have AVG antivirus. This will have made the system more vulnerable, not less. You will need to remove 2 of these, but first, in the absence of the Eset scan, I'd like you to run the following:
    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org free on-line scan service
    • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

      c:\windows\system32\userinit.exe

      c:\windows\explorer.exe

      c:\windows\system32\svchost.exe


    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    Please paste the log into your next reply.
  5. FLo711

    FLo711 Newcomer, in training Topic Starter

    Here are the logs from virscan.org.

    I could not use Explorer as it shut itself when I tried to open it.

    I used Firefox, and Safari for 1 file.

    VirSCAN.org Scanned Report :
    Scanned time : 2011/10/29 20:15:30 (BST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://r.virscan.org/1877a1c66f2774e8e5b6ce3360d7f133

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20111030030152 2011-10-30 0.27 -
    AhnLab V3 2011.10.30.00 2011.10.30 2011-10-30 2.81 -
    AntiVir 8.2.6.100 7.11.16.201 2011-10-28 0.27 -
    Antiy 2.0.18 20111030.13612243 2011-10-30 0.12 -
    Arcavir 2011 201110290805 2011-10-29 2.68 -
    Authentium 5.1.1 201110291122 2011-10-29 1.44 -
    AVAST! 4.7.4 111029-1 2011-10-29 0.01 -
    AVG 8.5.850 271.1.1/3941 2011-10-06 0.24 -
    BitDefender 7.90123.9372090 7.39681 2011-10-30 4.51 -
    ClamAV 0.97.1 13865 2011-10-29 0.01 -
    Comodo 5.1 10596 2011-10-29 1.87 -
    CP Secure 1.3.0.5 2011.10.30 2011-10-30 0.04 -
    Dr.Web 5.0.2.3300 2011.10.30 2011-10-30 15.95 -
    F-Prot 4.6.2.117 20111029 2011-10-29 0.80 -
    F-Secure 7.02.73807 2011.10.29.02 2011-10-29 0.81 -
    Fortinet 4.2.257 14.291 2011-10-29 0.10 -
    GData 22.2608 20111029 2011-10-29 0.11 -
    ViRobot 20111029 2011.10.29 2011-10-29 0.38 -
    Ikarus T3.1.32.20.0 2011.10.29.79684 2011-10-29 4.77 -
    JiangMin 13.0.900 2011.10.29 2011-10-29 1.78 -
    Kaspersky 5.5.10 2011.10.17 2011-10-17 0.17 -
    KingSoft 2009.2.5.15 2011.10.29.9 2011-10-29 0.86 -
    McAfee 5400.1158 6514 2011-10-29 10.76 -
    Microsoft 1.7801 2011.10.29 2011-10-29 3.40 -
    NOD32 3.0.21 6584 2011-10-28 0.00 -
    Norman 6.07.11 6.07.00 2011-09-17 16.02 -
    Panda 9.05.01 2011.10.29 2011-10-29 2.11 -
    Trend Micro 9.500-1005 8.532.05 2011-10-29 0.03 -
    Quick Heal 11.00 2011.10.29 2011-10-29 0.94 -
    Rising 20.0 23.81.04.01 2011-10-28 2.26 -
    Sophos 3.24.4 4.70 2011-10-30 4.39 -
    Sunbelt 3.9.2515.2 10910 2011-10-29 0.62 -
    Symantec 1.3.0.24 20111028.002 2011-10-28 0.05 -
    nProtect 20111025.01 13068067 2011-10-25 1.18 -
    The Hacker 6.7.0.1 v00335 2011-10-28 0.49 -
    VBA32 3.12.16.4 20111028.1049 2011-10-28 4.41 -
    VirusBuster 5.4.0.10 14.1.37.0/6623711 2011-10-29 0.00 -

    VirSCAN.org Scanned Report :
    Scanned time : 2008/04/28 13:50:23 (BST)
    Scanner results: 3% Scanner(s) (1/36) found malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : MS-DOS executable (EXE), OS/2 or MS Windows
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://r.virscan.org/bc10cdd8fc1b56e4518b094b5da3a210

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 3.5.0.16 2008.04.27 2008-04-27 3.84 -
    AhnLab V3 2008.04.28.00 2008.04.28 2008-04-28 1.13 -
    AntiVir 7.8.0.10 7.0.3.220 2008-04-28 2.78 -
    Arcavir 1.0.4 200804271350 2008-04-27 2.30 -
    AVAST! 1.0.8 080428-0 2008-04-28 3.06 -
    AVG 7.5.51.442 269.23.5/1401 2008-04-28 2.87 -
    BitDefender 7.60825.1184481 7.18704 2008-04-28 4.08 -
    CA (VET) 9.0.0.143 31.3.5741 2008-04-28 6.55 -
    ClamAV 0.93 6863 2008-04-21 0.27 -
    Comodo 2.11 2.0.0.509 2008-04-28 1.03 -
    CP Secure 1.1.0.715 2008.04.28 2008-04-28 7.54 -
    Dr.Web 4.44.0.9170 2008.04.28 2008-04-28 6.33 -
    ewido 4.0.0.2 2008.04.28 2008-04-28 2.55 -
    F-Prot 4.4.1.52 20080427 2008-04-27 1.60 -
    F-Secure 5.51.6100 2008.04.28.01 2008-04-28 5.04 -
    Fortinet 2.81-3.11 9.25 2008-04-28 2.31 -
    ViRobot 20080428 2008.04.28 2008-04-28 0.39 -
    Ikarus T3.1.01.26 2008.04.28.70668 2008-04-28 2.51 -
    JiangMin 10.00.650 2008.04.28 2008-04-28 1.53 -
    Kaspersky 5.5.10 2008.04.28 2008-04-28 10.89 -
    KingSoft 2007.6.20.249 2008.4.28 2008-04-28 1.18 -
    McAfee 5.2.00 5282 2008-04-25 6.31 -
    Microsoft 1.3408 2008.04.24 2008-04-24 7.22 -
    mks_vir 2.01 2008.04.28 2008-04-28 5.72 -
    Norman 5.91.10 5.90 2008-04-22 16.99 -
    Panda 9.04.03.0001 2008.04.27 2008-04-27 9.46 -
    Trend Micro 8.500-1001 5.244.03 2008-04-28 0.04 -
    Prevx V2 20080428 2008-04-28 8.40 TROJAN.DOWNLOADER.GEN
    Quick Heal 9.00 2008.04.26 2008-04-26 6.32 -
    Rising 20.0 20.42.01.00 2008-04-28 2.57 -
    Sophos 2.72.0 4.28 2008-04-28 18.16 -
    Symantec 1.3.0.24 20080427.009 2008-04-27 0.62 -
    nProtect 2008-04-28.00 1437905 2008-04-28 13.80 -
    The Hacker 6.2.92 v00294 2008-04-26 3.66 -
    VBA32 3.12.6.5 20080428.0807 2008-04-28 5.85 -
    VirusBuster 4.3.19:9 9.126.6/11.0 2008-04-27 6.81 -


    VirSCAN.org Scanned Report :
    Scanned time : 2011/10/29 20:20:49 (BST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://r.virscan.org/46ca4df87d03c0b5c071db8b8308a028

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 5.1.0.4 20111030030152 2011-10-30 0.26 -
    AhnLab V3 2011.10.30.00 2011.10.30 2011-10-30 2.85 -
    AntiVir 8.2.6.100 7.11.16.201 2011-10-28 0.27 -
    Antiy 2.0.18 20111030.13612243 2011-10-30 0.12 -
    Arcavir 2011 201110290805 2011-10-29 2.66 -
    Authentium 5.1.1 201110291122 2011-10-29 1.42 -
    AVAST! 4.7.4 111029-1 2011-10-29 0.01 -
    AVG 8.5.850 271.1.1/3941 2011-10-06 0.25 -
    BitDefender 7.90123.9372090 7.39681 2011-10-30 4.57 -
    ClamAV 0.97.1 13865 2011-10-29 0.01 -
    Comodo 5.1 10596 2011-10-29 1.92 -
    CP Secure 1.3.0.5 2011.10.30 2011-10-30 0.04 -
    Dr.Web 5.0.2.3300 2011.10.30 2011-10-30 15.29 -
    F-Prot 4.6.2.117 20111029 2011-10-29 0.77 -
    F-Secure 7.02.73807 2011.10.29.02 2011-10-29 0.18 -
    Fortinet 4.2.257 14.291 2011-10-29 0.10 -
    GData 22.2608 20111029 2011-10-29 0.11 -
    ViRobot 20111029 2011.10.29 2011-10-29 0.38 -
    Ikarus T3.1.32.20.0 2011.10.29.79684 2011-10-29 4.78 -
    JiangMin 13.0.900 2011.10.29 2011-10-29 1.93 -
    Kaspersky 5.5.10 2011.10.17 2011-10-17 0.10 -
    KingSoft 2009.2.5.15 2011.10.29.9 2011-10-29 0.87 -
    McAfee 5400.1158 6514 2011-10-29 10.82 -
    Microsoft 1.7801 2011.10.29 2011-10-29 3.96 -
    NOD32 3.0.21 6584 2011-10-28 0.01 -
    Norman 6.07.11 6.07.00 2011-09-17 18.02 -
    Panda 9.05.01 2011.10.29 2011-10-29 2.95 -
    Trend Micro 9.500-1005 8.532.05 2011-10-29 0.03 -
    Quick Heal 11.00 2011.10.29 2011-10-29 0.95 -
    Rising 20.0 23.81.04.01 2011-10-28 2.31 -
    Sophos 3.24.4 4.70 2011-10-30 4.37 -
    Sunbelt 3.9.2515.2 10910 2011-10-29 0.62 -
    Symantec 1.3.0.24 20111028.002 2011-10-28 0.05 -
    nProtect 20111025.01 13068067 2011-10-25 1.32 -
    The Hacker 6.7.0.1 v00335 2011-10-28 0.51 -
    VBA32 3.12.16.4 20111028.1049 2011-10-28 4.72 -
    VirusBuster 5.4.0.10 14.1.37.0/6623711 2011-10-29 0.00 -
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm sorry for the delay. Please tell me what is going on with the system.

    I see numerous malware entries and you are a sitting duck for malware with all the P2P programs you're using:
    µTorrent
    4shared Desktop
    Bit Torrent
    StreamTorrent 1.0


    All of this puts you at risk:
    uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
    uRun: [uTorrent] "c:\documents and settings\damejo\application data\utorrent\utorrent177.exe"
    uRun: [VdpOxdbw] c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe
    ========================================
    I'd like you to repeat a scan with the 3 processes, using a different site:
    Virus Total for ID:

    VirusTotal
    • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:

      c:\windows\system32\userinit.exe

      c:\windows\explorer.exe

      c:\windows\system32\svchost.exe

    • Click "Open".
    • Then click the "Send" button at the top of the VirusTotal page.
    • This will scan the file. Please be patient.
    • Once scanned, copy and paste the results in your next reply.
    =======================================
    I'd like you to go ahead and run Combofix; hopefully it will pick up some of the bad entries. You will need to temporarily uninstall AVG as Combofix won't run with it:
    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      [​IMG]
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ========================================
  7. FLo711

    FLo711 Newcomer, in training Topic Starter

    Hi,

    Thanks for replying.

    Here are the results for VirusTotal

    userinit.exe
    Submission date:
    2011-11-06 12:48:43 (UTC)
    Current status:
    finished
    Result:
    0/ 43 (0.0%)

    File name:
    svchost.exe
    Submission date:
    2011-11-06 12:51:22 (UTC)
    Current status:
    finished
    Result:
    0/ 42 (0.0%)

    File name:
    explorer.exe
    Submission date:
    2011-11-06 12:54:41 (UTC)
    Current status:
    finished
    Result:
    0/ 43 (0.0%)

    ==================================

    And here are the ComboFix results

    ComboFix 11-11-08.02 - DameJo 11/08/2011 19:20:09.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1512 [GMT 0:00]
    Running from: c:\documents and settings\DameJo\Desktop\ComboFix.exe
    FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\DameJo\Local Settings\Application Data\cnnbbxan.log
    c:\documents and settings\DameJo\Local Settings\Application Data\jwthsurj.log
    c:\documents and settings\DameJo\Local Settings\Application Data\lpkeftvm.log
    c:\documents and settings\DameJo\Local Settings\Application Data\pedthdvk.log
    c:\documents and settings\DameJo\Local Settings\Application Data\wesgyfjs.log
    c:\documents and settings\DameJo\Local Settings\Application Data\xuatrcqs.log
    c:\documents and settings\DameJo\Local Settings\Application Data\yupjpjqj.log
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Legacy_USNJSVC
    -------\Service_usnjsvc
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-06 17:12 . 2011-11-08 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-11-06 17:12 . 2011-11-06 17:12 -------- d-----w- c:\program files\AVAST Software
    2011-11-06 12:53 . 2011-11-06 12:53 -------- d-----w- c:\program files\ESET
    2011-10-23 10:15 . 2011-11-06 19:04 -------- d-----w- c:\documents and settings\DameJo\Local Settings\Application Data\nwbyndug
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-18 09:45 . 2011-07-12 20:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-26 10:41 . 2011-09-26 10:41 611328 ----a-w- c:\windows\system32\SET392.tmp
    2011-09-26 10:41 . 2011-09-26 10:41 220160 ----a-w- c:\windows\system32\SET390.tmp
    2011-09-26 10:41 . 2008-07-29 09:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 10:41 . 2004-08-12 13:25 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 10:41 . 2011-09-26 10:41 20480 ----a-w- c:\windows\system32\SET391.tmp
    2011-09-26 10:41 . 2004-08-12 13:25 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-12 13:33 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 16:00 . 2010-08-29 12:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-23 22:28 . 2010-06-01 09:00 285256 ----a-w- c:\windows\system32\guard32.dll
    2011-08-23 22:28 . 2010-06-04 01:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
    2011-08-23 22:28 . 2010-06-01 09:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
    2011-08-23 22:28 . 2010-06-01 09:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2011-08-23 22:28 . 2010-06-01 09:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2011-08-22 23:48 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-12 13:20 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-12 13:17 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-10-09 19:47 . 2011-05-10 14:55 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"="c:\documents and settings\DameJo\Application Data\uTorrent\utorrent177.exe" [2010-06-23 219952]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-28 217088]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
    "VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2006-05-31 151552]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-08-23 2554696]
    "iTunesHelper"="d:\itunes\iTunesHelper.exe" [2011-06-07 421160]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [N/A]
    .
    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [N/A]
    VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-10-29 778240]
    .
    c:\documents and settings\DameJo\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [N/A]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RDM+]
    2009-05-29 11:30 61440 ------w- c:\program files\RDM+\notify.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\guard32.dll
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^DameJo^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
    path=c:\documents and settings\DameJo\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
    backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\netsh.exe"=
    "c:\\WINDOWS\\system32\\mspaint.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=
    "c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\WINDOWS\\system32\\taskmgr.exe"=
    "c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
    "c:\\WINDOWS\\system32\\logon.scr"=
    "c:\\Program Files\\Apoint\\Apoint.exe"=
    "c:\\WINDOWS\\system32\\ICO.EXE"=
    "c:\\Program Files\\Sony\\VAIO Power Management\\SPMgr.exe"=
    "c:\\Program Files\\Sony\\ISB Utility\\ISBMgr.exe"=
    "c:\\Program Files\\Sony\\Wireless Switch Setting Utility\\Switcher.exe"=
    "c:\\Program Files\\Sony\\VAIO Camera Utility\\VCUServe.exe"=
    "c:\\Program Files\\Sony\\VAIO Update 2\\VAIOUpdt.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
    "c:\\Program Files\\Apoint\\Apntex.exe"=
    "d:\\iTunes\\iTunesHelper.exe"=
    "c:\\Documents and Settings\\DameJo\\Application Data\\uTorrent\\utorrent177.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "d:\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
    "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6102:TCP"= 6102:TCP:RDM
    .
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 1:55 AM 242600]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 9:00 AM 29400]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [7/26/2011 8:31 PM 218688]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/15/2007 1:37 AM 27992]
    R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [5/29/2009 11:31 AM 31896]
    R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [7/22/2011 9:55 PM 6609920]
    R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [8/28/2006 1:46 AM 30080]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/28/2006 1:46 AM 226304]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 RDMPLocalService;RDM+ Local Service;"c:\program files\RDM+\rdmpserv.exe" --> c:\program files\RDM+\rdmpserv.exe [?]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
    .
    2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 05:35]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://vaio-online.sony.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\DameJo\Application Data\Mozilla\Firefox\Profiles\qgd6ev2o.default\
    FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=au&.src=ym&.done=http%3A%2F%2Fmail.yahoo.com%2F
    FF - user.js: general.useragent.extra.zencast -
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-08 19:32
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwClose
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1200)
    c:\program files\RDM+\notify.dll
    c:\windows\system32\VESWinlogon.dll
    .
    - - - - - - - > 'explorer.exe'(3936)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\windows\system32\bgsvcgen.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Sony\VAIO Event Service\VESMgr.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\ICO.EXE
    c:\program files\Apoint\Apntex.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\taskmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2011-11-08 19:39:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-08 19:39
    ComboFix2.txt 2011-11-06 16:50
    .
    Pre-Run: 5,188,714,496 bytes free
    Post-Run: 5,067,616,256 bytes free
    .
    - - End Of File - - 6FD41A79848F53F3C56444135D870238

    ===================================================

    I can now access all sites on the internet, including the ones blocked previously.
    Below are the results for the ESET scan:

    C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\13\2281260d-7e2a2977 probably a variant of Java/Agent.BR trojan
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\21\517408d5-2a675f49 multiple threats
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\21959da-6a007cb2 multiple threats
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\2d2ebe9a-6585ef89 multiple threats
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\35\5f24cc23-1fedb915 Java/Exploit.CVE-2009-3867.AL trojan
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\48\8891f30-4c2c9d54 a variant of Win32/Kryptik.UOT trojan
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\55\16a8b77-229f3cf6 a variant of Java/Agent.BR trojan
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\59\3d541bfb-5b40928f multiple threats
    C:\Documents and Settings\DameJo\Local Settings\Temp\ninjafddhkfcghbo.exe a variant of Win32/Kryptik.UOT trojan
    C:\Program Files\Common Files\System\ado\msadox.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Common Files\System\msadc\msadco.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Internet Explorer\hmmapi.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Movie Maker\moviemk.exe.tmp Win32/Ramnit.H virus
    C:\Program Files\Windows Media Player\mpvis.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp Win32/Ramnit.H virus
    C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP298\A0111847.exe a variant of Win32/Kryptik.UOT trojan
    C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP298\A0111848.exe a variant of Win32/Kryptik.UOT trojan
    C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP300\A0114518.exe a variant of Win32/Kryptik.UOT trojan
    Operating memory a variant of Win32/Ramnit.L virus

    Note: this was run before ComboFix.

    Should I re-install AVG now, or instead use one of the other security tools suggested, Avast or Avira?

    Thanks again for your help.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Bad news, I'm afraid. I suspected a Ramnit infection, which was why I had you run those online scans.

    Here it is in the ESET log:
    C:\Program Files\Common Files\System\msadc\msadco.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Internet Explorer\hmmapi.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Movie Maker\moviemk.exe.tmp Win32/Ramnit.H virus
    C:\Program Files\Windows Media Player\mpvis.dll.tmp Win32/Ramnit.H virus
    C:\Program Files\Windows Media Player\wmplayer.exe.tmp Win32/Ramnit.H virus
    ========================================

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. file infector often seen with this infection. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS. The malware injects code in legitimate files; these files, which can number in the thousands, cannot be disinfected properly by your anti-virus.

    When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump), where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote crack and keygen sites. These types of sites are infested with malware and are a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?

    Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
    (Some text help courtesy of Broni).
  9. FLo711

    FLo711 Newcomer, in training Topic Starter

    Cleaning Flash drives that may be infected?

    Hi Broni,

    Thanks for the response - I will read the attached literature and determine the best next steps.

    Can you advise if we are able to clean the flash drives used to transfer data (logs) to and from the PC initially?

    Thanks
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm Bobbye. I mentioned Broni because he helped draft the information; I didn't mean to confuse you.

    Consideration should be given to replacing the flash drive with a new one. You can clean the flash drive, but I recommend great care being taken in its use until or unless you can verify that it's clean. For instance, keep in mind how many virus scans we had to run in order to actually reveal Ramnit.

    Here are 2 disinfection programs for the flash drive. Select one of them:
    • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    -----------------------------------------
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
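As an added example that is not part of the thread or of Flash_Disinfector, here is a Python check for a removable drive's root that tells the protective autorun.inf folder described in the note apart from an autorun.inf file whose [autorun] section names a launch target (the random-named copy post 10 describes). The two sample drives and the file name kx9f2q.exe are constructed for the demo.

```python
# Added example, not from the thread: triage a drive root after vaccination.
# Flash_Disinfector leaves autorun.inf as a hidden *folder*; an autorun.inf
# *file* is the opposite case and its launch targets are worth reading,
# without executing anything, before the drive is trusted again.
import configparser
import tempfile
from pathlib import Path


def autorun_status(drive_root: Path) -> dict:
    """Report whether autorun.inf is absent, a protective folder, or a file."""
    inf = drive_root / "autorun.inf"
    if not inf.exists():
        return {"state": "absent", "targets": []}
    if inf.is_dir():
        return {"state": "protected-folder", "targets": []}
    # A plain file: extract the launch targets from the [autorun] section.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read(inf, encoding="latin-1")
    targets = []
    if cp.has_section("autorun"):
        for key in ("open", "shellexecute", "shell\\open\\command"):
            if cp.has_option("autorun", key):
                targets.append(cp.get("autorun", key))
    return {"state": "file", "targets": targets}


def demo() -> list:
    """Constructed drives: one vaccinated, one carrying a launcher file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        clean.mkdir()
        (clean / "autorun.inf").mkdir()          # what the vaccinator leaves
        dirty = Path(tmp) / "dirty"
        dirty.mkdir()
        # Constructed sample; the executable name is a placeholder.
        (dirty / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\kx9f2q.exe\n")
        return [autorun_status(clean), autorun_status(dirty)]
```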
  11. FLo711

    FLo711 Newcomer, in training Topic Starter

    Hi. Apologies, Bobbye, I answered your last post on my phone and read Broni in the text of the post, so that's who I thought it was.

    I have been using the flash tools and also ESET on the flash drives, and they seem to be clean afterwards.

    I also re-ran ESET on the laptop, as the first time I ran it was before running ComboFix. The log results are below:

    C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
    C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\21959da-6a007cb2 Java/Exploit.Agent.NAO trojan deleted - quarantined
    C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\55\16a8b77-229f3cf6 a variant of Java/Agent.BR trojan deleted - quarantined
    C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP306\A0116100.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined


    Ramnit is not present. Does that mean it was removed by ComboFix? If not, is it hiding from ESET now?

    Thanks
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The additional text I left, if you read it, should make this clear to you. And although I suspected Ramnit from the beginning, please go back and note how many virus scans were run before Ramnit was finally revealed.
  13. FLo711

    FLo711 Newcomer, in training Topic Starter

    Thanks for the quick response and all your help.

    One more question :)

    I'm planning on reformatting. I just need to find a good way to back up the photos on the laptop before reformatting the hard drive. Any suggestions on how I can do this without infecting another PC?

    Cheers
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You really must be extremely careful about what you back up before the reinstall. All executable files, all HTML files and more may be infected. Reusing just one of them after a reinstall can cause the infection to respawn all over again.
    • Back up all your documents and important items only.
    • DON'T back up any executable files (.exe, .scr, .html or .htm)
    • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files
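As an added example, not from the thread or from any tool named in it, here is a Python script that applies the three rules above to a folder staged for backup: it refuses the listed extensions, opens .zip archives to check their members, refuses .cab/.rar outright because the standard library cannot inspect them, and checks every suffix in a name rather than only the last one, since the ESET log lists infected copies such as moviemk.exe.tmp. The sample files it creates are constructed for the demo.

```python
# Added example, not from the thread: screens a folder chosen for backup
# against the rules in post 14. Every suffix in a name is checked, not only
# the last, because the ESET log lists infected copies like "moviemk.exe.tmp".
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

BLOCKED_EXT = {".exe", ".scr", ".html", ".htm"}  # extensions post 14 says not to back up
OPAQUE_ARCHIVES = {".cab", ".rar"}  # cannot be inspected with the stdlib, so refused outright


def risky_suffixes(name: str) -> set:
    """Every suffix of the name (not just the last) that is blocked."""
    return {s.lower() for s in Path(name).suffixes} & BLOCKED_EXT


def zip_risky_members(path: Path) -> list:
    """Member names inside a .zip that would be refused on their own."""
    with zipfile.ZipFile(path) as zf:
        return [m for m in zf.namelist() if risky_suffixes(PurePosixPath(m).name)]


def classify(path: Path) -> tuple:
    """Return ('keep' | 'refuse', reason) for one file."""
    hits = risky_suffixes(path.name)
    if hits:
        return "refuse", "blocked extension " + ",".join(sorted(hits))
    ext = path.suffix.lower()
    if ext == ".zip":
        bad = zip_risky_members(path)
        if bad:
            return "refuse", "archive holds " + ",".join(bad[:3])
        return "keep", "archive inspected, no blocked members"
    if ext in OPAQUE_ARCHIVES:
        return "refuse", ext + " archive cannot be inspected"
    return "keep", "document/data file"


def screen_tree(root: Path) -> dict:
    """Map each file's relative path under root to its (verdict, reason)."""
    return {p.relative_to(root).as_posix(): classify(p)
            for p in root.rglob("*") if p.is_file()}


def build_sample_tree(dest: Path) -> None:
    """Constructed sample input echoing names from the thread's logs."""
    (dest / "photos").mkdir()
    (dest / "photos" / "holiday.jpg").write_bytes(b"constructed")
    (dest / "moviemk.exe.tmp").write_bytes(b"MZconstructed")
    (dest / "page.htm").write_text("<html></html>")
    (dest / "old.rar").write_bytes(b"constructed")
    with zipfile.ZipFile(dest / "docs.zip", "w") as zf:
        zf.writestr("notes.txt", "constructed")
    with zipfile.ZipFile(dest / "tools.zip", "w") as zf:
        zf.writestr("bin/setup.exe", "MZconstructed")


def demo() -> dict:
    """Build the sample tree in a temp dir and screen it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return screen_tree(root)
```

Only the paths reported as "keep" should be copied off the machine; anything else stays behind for the reformat.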

