[Not curable: Ramnit] ZBot.G Virus - Cannot access certain websites

FLo711

Hi,

I have run MB on my infected laptop. However, it can't connect to certain sites: AVG, Trend Micro, Microsoft and TechSpot. I assume this is related to the virus, as I can access other sites just fine.

My question is: is it safe to use a USB key to transfer the log files to this PC in order to post them, or is there another safe way to transfer the files so I can put them in this thread?

Thanks in Advance.
 
You can use a flash drive, and it can be disinfected if needed. Malware will frequently prevent connecting to security sites. Once you get the programs on the infected system, if you have trouble running them, I will help with that.

However, if possible, I'd like you to run this online virus scan first; you need the internet connection to run it:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===========================================
Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
=========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs, except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Log Postings

Hi,

The ESET site was blocked, so instead I ran the remaining logs; they are listed below.

MB

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8014

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/25/2011 5:06:29 PM
mbam-log-2011-10-25 (17-06-29).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 379162
Time elapsed: 1 hour(s), 43 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(default) (Trojan.Agent) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


=============================================================

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-29 16:27:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHV2120BH_PL rev.00000029
Running: kvr7c4h1.exe; Driver: C:\DOCUME~1\DameJo\LOCALS~1\Temp\axldypob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

===============================================================

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Run by DameJo at 16:28:40 on 2011-10-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.962 [GMT 1:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://vaio-online.sony.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {DF4E7A0C-E233-4906-B4C1-A404356541FF} - No File
uRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe -NoStart
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [uTorrent] "c:\documents and settings\damejo\application data\utorrent\utorrent177.exe"
uRun: [VdpOxdbw] c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [SonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [4shared Update] "c:\program files\4shared desktop\checkUpdate.exe"
mRunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "c:\program files\malwarebytes' anti-malware\mbamext.dll"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [InnoSetupRegFile.0000000001] "c:\windows\is-5B73U.exe" /REG /REGSVRMODE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\damejo\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: &Download using 4shared Desktop - c:\program files\4shared desktop\down_link.htm
IE: Add to &Evernote - c:\program files\evernote\evernote3.5\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Transfer by Image Converter 2 Plus - c:\program files\sony\image converter 2\menu.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {E0B8C461-F8FB-49b4-8373-FE32E92528A6} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEEE} - c:\program files\evernote\evernote3.5\enbar.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} -
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: RDM+ - c:\program files\rdm+\notify.dll
Notify: VESWinlogon - VESWinlogon.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\damejo\application data\mozilla\firefox\profiles\qgd6ev2o.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=au&.src=ym&.done=http%3A%2F%2Fmail.yahoo.com%2F
FF - component: c:\documents and settings\damejo\application data\mozilla\firefox\profiles\qgd6ev2o.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
.
---- FIREFOX POLICIES ----
FF - user.js: general.useragent.extra.zencast -
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-9-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-9-14 29712]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-9-14 243152]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-6-4 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-6-1 29400]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-26 218688]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-9-14 308136]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-6-1 1793712]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [2007-7-15 27992]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-5-29 31896]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-7-22 6609920]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2006-8-28 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-8-28 226304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-28 1251720]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RDMPLocalService;RDM+ Local Service;"c:\program files\rdm+\rdmpserv.exe" --> c:\program files\rdm+\rdmpserv.exe [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
.
=============== Created Last 30 ================
.
2011-10-25 18:18:56 -------- d-----w- c:\documents and settings\damejo\application data\4shared Desktop
2011-10-25 18:16:25 -------- d-----w- c:\program files\4shared Desktop
2011-10-24 22:10:25 709968 ----a-w- c:\windows\is-5B73U.exe
2011-10-24 20:39:42 54016 ----a-w- c:\windows\system32\drivers\fjlh.sys
2011-10-23 10:15:19 -------- d-----w- c:\documents and settings\damejo\local settings\application data\nwbyndug
.
==================== Find3M ====================
.
2011-10-18 09:45:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41:20 611328 ----a-w- c:\windows\system32\SET392.tmp
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\SET390.tmp
2011-09-26 10:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\SET391.tmp
2011-09-26 10:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 22:28:48 285256 ----a-w- c:\windows\system32\guard32.dll
2011-08-23 22:28:47 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-08-23 22:28:47 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-08-23 22:28:47 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 16:30:39.64 ===============


---------------------------------------------

DDS Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 9/14/2010 11:04:33 AM
System Uptime: 10/21/2011 9:51:22 PM (187 hours ago)
.
Motherboard: Sony Corporation | | VAIO
Processor: Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz | N/A | 1995/167mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 47 GiB total, 1.91 GiB free.
D: is FIXED (NTFS) - 59 GiB total, 8.757 GiB free.
E: is Removable
F: is CDROM ()
G: is CDROM ()
H: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\22E0C788004603
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\22E0C788004603
Service: NIC1394
.
==== System Restore Points ===================
.
RP290: 10/29/2011 6:59:17 AM - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
4shared Desktop
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Reader Japanese Fonts
Albumprinter Australia
Any Video Converter 3.2.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AVG Free 9.0
Bluetooth Stack for Windows by Toshiba
Bonjour
BrettspielWelt
Canon Camera Access Library
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC 8
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.7
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Combined Community Codec Pack 2008-09-21 16:18
COMODO Internet Security
DAEMON Tools Lite
DVgate Plus
Evernote
FileZilla Client 3.2.7.1
GearDrvs
GourmetGaming
HDAUDIO SoftV92 Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976002-v5)
Image Converter 2 Plus
ImageMixer VCD/DVD2 for OLYMPUS
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet/Wireless Software
InterVideo WinDVD for VAIO
InterVideo WinDVDX
iTunes
J2SE Runtime Environment 5.0 Update 7
Java(TM) 6 Update 17
Jessops Photo
LAME v3.98.2 for Audacity
LAN Setting Utility
LizardTech DjVu Control
Malwarebytes' Anti-Malware version 1.51.2.1300
mCore
mDriver
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft GB18030 Support Package
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Desktop Engine (VAIO_VEDB)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
mMHouse
MobileMe Control Panel
Mozilla Firefox 7.0.1 (x86 en-US)
MP3 To Ringtone Gold 3.50
mPfMgr
mProSafe
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mXML
Nero 6 Ultra Edition
Norton 360
NVIDIA Drivers
OLYMPUS Master
OpenMG AAC Add-on Module 1.0.00
OpenMG Limited Patch 4.5-06-05-12-01
OpenMG Secure Module 4.5.01
Optus Wireless Broadband
PowerStrip 3 (remove only)
QuickTime
RDM+ 4.11
Rosetta Stone Version 3
Safari
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Setting Utility Series
SigmaTel Audio
Skype Click to Call
Skype™ 5.5
Sony MP4 Shared Library
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library
StreamTorrent 1.0
Symantec KB-DocID:2003093015493306
TextPad 5
TreeSize Free V2.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Service
VAIO Aqua Breeze Wallpaper
VAIO Camera Utility
VAIO CameraVJ Screen Saver
VAIO Control Center
VAIO Cozy Orange Wallpaper
VAIO Edit Components 6.0
VAIO Entertainment Platform
VAIO Event Service
VAIO Launcher
VAIO Manual
VAIO Media 5.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0
VAIO Media Registration Tool 5.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Tender Green Wallpaper
VAIO Update 2
VAIO Zone
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.0
WebFldrs XP
Windows Driver Package - Intel (NETw5x32) net (05/28/2009 12.4.3.9)
Windows Driver Package - Intel (w29n51) net (12/19/2007 9.0.4.39)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinRAR 4.01 (32-bit)
Wireless LAN Starter
Wireless Switch Setting Utility
Xvid 1.1.3 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
10/29/2011 4:29:04 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
10/29/2011 4:29:02 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
10/29/2011 4:27:16 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4028.0.
10/29/2011 4:25:55 PM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
10/29/2011 4:21:44 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
10/26/2011 1:58:14 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'iexplore.exe.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/25/2011 7:14:20 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'moviemk.exe.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/25/2011 5:35:50 PM, error: DCOM [10000] - Unable to start a DCOM Server: {98D9A6F1-4696-4B5E-A2E8-36B3F9C1E12C}. The error: "%2" Happened while starting this command: "C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe" /PDFShell -Embedding
10/24/2011 11:09:08 PM, error: HTTP [15005] - Unable to bind to the underlying transport for 0.0.0.0:2869. The IP Listen-Only list may contain a reference to an interface which may not exist on this machine. The data field contains the error number.
10/23/2011 11:15:39 AM, error: Service Control Manager [7034] - The Symantec Core LC service terminated unexpectedly. It has done this 1 time(s).
10/23/2011 1:10:22 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000056' while processing the file 'vgx.dll.new' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
.
==== End Of File ===========================


======================================================

BTW the link in the FAQ to GMER didn't work for me; instead I went directly to gmer.net and downloaded the most recent Windows version.

Thanks for your help.
 
You have 2 security suites running, both of which have an antivirus program and a firewall. In addition, you have AVG antivirus. This will have made the system more vulnerable, not less. You will need to remove 2 of these, but first, in the absence of the Eset scan, I'd like you to run the following:
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org free on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

    c:\windows\system32\userinit.exe

    c:\windows\explorer.exe

    c:\windows\system32\svchost.exe


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Please paste the log into your next reply.
 
Here are the logs from virscan.org.

I could not use Explorer as it shut itself when I tried to open it.

I used Firefox, and Safari for 1 file.

VirSCAN.org Scanned Report :
Scanned time : 2011/10/29 20:15:30 (BST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://r.virscan.org/1877a1c66f2774e8e5b6ce3360d7f133

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20111030030152 2011-10-30 0.27 -
AhnLab V3 2011.10.30.00 2011.10.30 2011-10-30 2.81 -
AntiVir 8.2.6.100 7.11.16.201 2011-10-28 0.27 -
Antiy 2.0.18 20111030.13612243 2011-10-30 0.12 -
Arcavir 2011 201110290805 2011-10-29 2.68 -
Authentium 5.1.1 201110291122 2011-10-29 1.44 -
AVAST! 4.7.4 111029-1 2011-10-29 0.01 -
AVG 8.5.850 271.1.1/3941 2011-10-06 0.24 -
BitDefender 7.90123.9372090 7.39681 2011-10-30 4.51 -
ClamAV 0.97.1 13865 2011-10-29 0.01 -
Comodo 5.1 10596 2011-10-29 1.87 -
CP Secure 1.3.0.5 2011.10.30 2011-10-30 0.04 -
Dr.Web 5.0.2.3300 2011.10.30 2011-10-30 15.95 -
F-Prot 4.6.2.117 20111029 2011-10-29 0.80 -
F-Secure 7.02.73807 2011.10.29.02 2011-10-29 0.81 -
Fortinet 4.2.257 14.291 2011-10-29 0.10 -
GData 22.2608 20111029 2011-10-29 0.11 -
ViRobot 20111029 2011.10.29 2011-10-29 0.38 -
Ikarus T3.1.32.20.0 2011.10.29.79684 2011-10-29 4.77 -
JiangMin 13.0.900 2011.10.29 2011-10-29 1.78 -
Kaspersky 5.5.10 2011.10.17 2011-10-17 0.17 -
KingSoft 2009.2.5.15 2011.10.29.9 2011-10-29 0.86 -
McAfee 5400.1158 6514 2011-10-29 10.76 -
Microsoft 1.7801 2011.10.29 2011-10-29 3.40 -
NOD32 3.0.21 6584 2011-10-28 0.00 -
Norman 6.07.11 6.07.00 2011-09-17 16.02 -
Panda 9.05.01 2011.10.29 2011-10-29 2.11 -
Trend Micro 9.500-1005 8.532.05 2011-10-29 0.03 -
Quick Heal 11.00 2011.10.29 2011-10-29 0.94 -
Rising 20.0 23.81.04.01 2011-10-28 2.26 -
Sophos 3.24.4 4.70 2011-10-30 4.39 -
Sunbelt 3.9.2515.2 10910 2011-10-29 0.62 -
Symantec 1.3.0.24 20111028.002 2011-10-28 0.05 -
nProtect 20111025.01 13068067 2011-10-25 1.18 -
The Hacker 6.7.0.1 v00335 2011-10-28 0.49 -
VBA32 3.12.16.4 20111028.1049 2011-10-28 4.41 -
VirusBuster 5.4.0.10 14.1.37.0/6623711 2011-10-29 0.00 -

VirSCAN.org Scanned Report :
Scanned time : 2008/04/28 13:50:23 (BST)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : explorer.exe
File Size : 1033728 byte
File Type : MS-DOS executable (EXE), OS/2 or MS Windows
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
Online report : http://r.virscan.org/bc10cdd8fc1b56e4518b094b5da3a210

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.16 2008.04.27 2008-04-27 3.84 -
AhnLab V3 2008.04.28.00 2008.04.28 2008-04-28 1.13 -
AntiVir 7.8.0.10 7.0.3.220 2008-04-28 2.78 -
Arcavir 1.0.4 200804271350 2008-04-27 2.30 -
AVAST! 1.0.8 080428-0 2008-04-28 3.06 -
AVG 7.5.51.442 269.23.5/1401 2008-04-28 2.87 -
BitDefender 7.60825.1184481 7.18704 2008-04-28 4.08 -
CA (VET) 9.0.0.143 31.3.5741 2008-04-28 6.55 -
ClamAV 0.93 6863 2008-04-21 0.27 -
Comodo 2.11 2.0.0.509 2008-04-28 1.03 -
CP Secure 1.1.0.715 2008.04.28 2008-04-28 7.54 -
Dr.Web 4.44.0.9170 2008.04.28 2008-04-28 6.33 -
ewido 4.0.0.2 2008.04.28 2008-04-28 2.55 -
F-Prot 4.4.1.52 20080427 2008-04-27 1.60 -
F-Secure 5.51.6100 2008.04.28.01 2008-04-28 5.04 -
Fortinet 2.81-3.11 9.25 2008-04-28 2.31 -
ViRobot 20080428 2008.04.28 2008-04-28 0.39 -
Ikarus T3.1.01.26 2008.04.28.70668 2008-04-28 2.51 -
JiangMin 10.00.650 2008.04.28 2008-04-28 1.53 -
Kaspersky 5.5.10 2008.04.28 2008-04-28 10.89 -
KingSoft 2007.6.20.249 2008.4.28 2008-04-28 1.18 -
McAfee 5.2.00 5282 2008-04-25 6.31 -
Microsoft 1.3408 2008.04.24 2008-04-24 7.22 -
mks_vir 2.01 2008.04.28 2008-04-28 5.72 -
Norman 5.91.10 5.90 2008-04-22 16.99 -
Panda 9.04.03.0001 2008.04.27 2008-04-27 9.46 -
Trend Micro 8.500-1001 5.244.03 2008-04-28 0.04 -
Prevx V2 20080428 2008-04-28 8.40 TROJAN.DOWNLOADER.GEN
Quick Heal 9.00 2008.04.26 2008-04-26 6.32 -
Rising 20.0 20.42.01.00 2008-04-28 2.57 -
Sophos 2.72.0 4.28 2008-04-28 18.16 -
Symantec 1.3.0.24 20080427.009 2008-04-27 0.62 -
nProtect 2008-04-28.00 1437905 2008-04-28 13.80 -
The Hacker 6.2.92 v00294 2008-04-26 3.66 -
VBA32 3.12.6.5 20080428.0807 2008-04-28 5.85 -
VirusBuster 4.3.19:9 9.126.6/11.0 2008-04-27 6.81 -


VirSCAN.org Scanned Report :
Scanned time : 2011/10/29 20:20:49 (BST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
Online report : http://r.virscan.org/46ca4df87d03c0b5c071db8b8308a028

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20111030030152 2011-10-30 0.26 -
AhnLab V3 2011.10.30.00 2011.10.30 2011-10-30 2.85 -
AntiVir 8.2.6.100 7.11.16.201 2011-10-28 0.27 -
Antiy 2.0.18 20111030.13612243 2011-10-30 0.12 -
Arcavir 2011 201110290805 2011-10-29 2.66 -
Authentium 5.1.1 201110291122 2011-10-29 1.42 -
AVAST! 4.7.4 111029-1 2011-10-29 0.01 -
AVG 8.5.850 271.1.1/3941 2011-10-06 0.25 -
BitDefender 7.90123.9372090 7.39681 2011-10-30 4.57 -
ClamAV 0.97.1 13865 2011-10-29 0.01 -
Comodo 5.1 10596 2011-10-29 1.92 -
CP Secure 1.3.0.5 2011.10.30 2011-10-30 0.04 -
Dr.Web 5.0.2.3300 2011.10.30 2011-10-30 15.29 -
F-Prot 4.6.2.117 20111029 2011-10-29 0.77 -
F-Secure 7.02.73807 2011.10.29.02 2011-10-29 0.18 -
Fortinet 4.2.257 14.291 2011-10-29 0.10 -
GData 22.2608 20111029 2011-10-29 0.11 -
ViRobot 20111029 2011.10.29 2011-10-29 0.38 -
Ikarus T3.1.32.20.0 2011.10.29.79684 2011-10-29 4.78 -
JiangMin 13.0.900 2011.10.29 2011-10-29 1.93 -
Kaspersky 5.5.10 2011.10.17 2011-10-17 0.10 -
KingSoft 2009.2.5.15 2011.10.29.9 2011-10-29 0.87 -
McAfee 5400.1158 6514 2011-10-29 10.82 -
Microsoft 1.7801 2011.10.29 2011-10-29 3.96 -
NOD32 3.0.21 6584 2011-10-28 0.01 -
Norman 6.07.11 6.07.00 2011-09-17 18.02 -
Panda 9.05.01 2011.10.29 2011-10-29 2.95 -
Trend Micro 9.500-1005 8.532.05 2011-10-29 0.03 -
Quick Heal 11.00 2011.10.29 2011-10-29 0.95 -
Rising 20.0 23.81.04.01 2011-10-28 2.31 -
Sophos 3.24.4 4.70 2011-10-30 4.37 -
Sunbelt 3.9.2515.2 10910 2011-10-29 0.62 -
Symantec 1.3.0.24 20111028.002 2011-10-28 0.05 -
nProtect 20111025.01 13068067 2011-10-25 1.32 -
The Hacker 6.7.0.1 v00335 2011-10-28 0.51 -
VBA32 3.12.16.4 20111028.1049 2011-10-28 4.72 -
VirusBuster 5.4.0.10 14.1.37.0/6623711 2011-10-29 0.00 -
 
I'm sorry for the delay. Please tell me what is going on with the system.

I see numerous malware entries and you are a sitting duck for malware with all the P2P programs you're using:
µTorrent
4shared Desktop
Bit Torrent
StreamTorrent 1.0


All of this puts you at risk:
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [uTorrent] "c:\documents and settings\damejo\application data\utorrent\utorrent177.exe"
uRun: [VdpOxdbw] c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe
========================================
I'd like you to repeat a scan with the 3 processes, using a different site:
Virus Total for ID:

VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following files:

    c:\windows\system32\userinit.exe

    c:\windows\explorer.exe

    c:\windows\system32\svchost.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.
=======================================
I'd like you to go ahead and run Combofix; hopefully it will pick up some of the bad entries. You will need to temporarily uninstall AVG as Combofix won't run with it:
Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    (screenshot)
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save it to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
========================================
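The third autorun entry called out in the post above, a randomly named executable in a randomly named folder under the user's profile, is the pattern worth recognising in any DDS or ComboFix log. As an added example (not code from this thread or from any of the tools it mentions), the following Python script parses `uRun:`/`mRun:` lines of that shape and scores each one. The sample lines are constructed from the entries quoted in the post; the vowel-ratio heuristic, its thresholds, and the "two or more reasons" cut-off are my own assumptions, tuned to the names on the page rather than to any published rule.

```python
"""Triage Run-key autostart entries from a DDS/ComboFix style log (added example)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input modelled on the uRun:/mRun: lines quoted in the thread.
SAMPLE_LINES = r"""
uRun: [BitTorrent] "c:\program files\bittorrent\bittorrent.exe" --force_start_minimized
uRun: [uTorrent] "c:\documents and settings\damejo\application data\utorrent\utorrent177.exe"
uRun: [VdpOxdbw] c:\documents and settings\damejo\local settings\application data\nwbyndug\vdpoxdbw.exe
mRun: [NvCplDaemon] c:\windows\system32\NvCpl.dll
"""

# DDS notation: uRun = per-user (HKCU) Run key, mRun = machine-wide (HKLM) Run key.
ENTRY_RE = re.compile(r'^(?P<scope>[um])Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$')
# For unquoted commands, the path ends at the first executable extension.
EXT_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s+(?P<args>.*))?$',
                    re.IGNORECASE)
USER_PROFILE_MARKERS = ('\\documents and settings\\', '\\users\\')


@dataclass
class Entry:
    scope: str
    name: str
    path: str
    args: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # Assumed cut-off: two independent indicators before we raise it for review.
        return len(self.reasons) >= 2


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ''
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.match(cmd)
    if m:
        return m.group('path'), m.group('args') or ''
    return cmd, ''


def in_user_profile(path: str) -> bool:
    """True when the binary lives in a user-writable profile directory."""
    p = path.lower()
    return any(marker in p for marker in USER_PROFILE_MARKERS)


def looks_random(token: str) -> bool:
    """Assumed heuristic: long, purely alphabetic, and almost no vowels ('vdpoxdbw')."""
    t = token.lower()
    if len(t) < 7 or not t.isalpha():
        return False
    vowels = sum(ch in 'aeiouy' for ch in t)
    return vowels / len(t) <= 0.25


def triage_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, args = split_command(m.group('cmd'))
    parent = ntpath.basename(ntpath.dirname(path))
    stem, _ = ntpath.splitext(ntpath.basename(path))
    entry = Entry(m.group('scope'), m.group('name'), path, args)
    if in_user_profile(path):
        entry.reasons.append('executable lives under a user profile (user-writable)')
    if looks_random(stem):
        entry.reasons.append(f'file name {stem!r} looks machine-generated')
    if looks_random(parent):
        entry.reasons.append(f'folder name {parent!r} looks machine-generated')
    return entry


def triage(text: str) -> List[Entry]:
    """Parse every Run-key line in the log text and score it."""
    entries = [triage_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


if __name__ == '__main__':
    for e in triage(SAMPLE_LINES):
        tag = 'REVIEW' if e.flagged else 'ok    '
        print(f'{tag} [{e.scope}Run] {e.name}: {e.path}')
        for r in e.reasons:
            print(f'         - {r}')
```

The script deliberately does not flag the two P2P clients: they sit in expected locations with readable names, and the helper's objection to them is about exposure, not about the entries being malware. Only the entry with both a random-looking file name and a random-looking folder name inside the profile crosses the threshold, which is what an analyst reading such a log looks for first.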
 
Hi,

Thanks for replying.

Here are the results for VirusTotal.

File name:
userinit.exe
Submission date:
2011-11-06 12:48:43 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

File name:
svchost.exe
Submission date:
2011-11-06 12:51:22 (UTC)
Current status:
finished
Result:
0/ 42 (0.0%)

File name:
explorer.exe
Submission date:
2011-11-06 12:54:41 (UTC)
Current status:
finished
Result:
0/ 43 (0.0%)

==================================

And here are the ComboFix results.

ComboFix 11-11-08.02 - DameJo 11/08/2011 19:20:09.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1512 [GMT 0:00]
Running from: c:\documents and settings\DameJo\Desktop\ComboFix.exe
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\DameJo\Local Settings\Application Data\cnnbbxan.log
c:\documents and settings\DameJo\Local Settings\Application Data\jwthsurj.log
c:\documents and settings\DameJo\Local Settings\Application Data\lpkeftvm.log
c:\documents and settings\DameJo\Local Settings\Application Data\pedthdvk.log
c:\documents and settings\DameJo\Local Settings\Application Data\wesgyfjs.log
c:\documents and settings\DameJo\Local Settings\Application Data\xuatrcqs.log
c:\documents and settings\DameJo\Local Settings\Application Data\yupjpjqj.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MICORSOFT_WINDOWS_SERVICE
-------\Legacy_USNJSVC
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
.
.
2011-11-06 17:12 . 2011-11-08 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-11-06 17:12 . 2011-11-06 17:12 -------- d-----w- c:\program files\AVAST Software
2011-11-06 12:53 . 2011-11-06 12:53 -------- d-----w- c:\program files\ESET
2011-10-23 10:15 . 2011-11-06 19:04 -------- d-----w- c:\documents and settings\DameJo\Local Settings\Application Data\nwbyndug
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-18 09:45 . 2011-07-12 20:34 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 10:41 . 2011-09-26 10:41 611328 ----a-w- c:\windows\system32\SET392.tmp
2011-09-26 10:41 . 2011-09-26 10:41 220160 ----a-w- c:\windows\system32\SET390.tmp
2011-09-26 10:41 . 2008-07-29 09:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 10:41 . 2004-08-12 13:25 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 10:41 . 2011-09-26 10:41 20480 ----a-w- c:\windows\system32\SET391.tmp
2011-09-26 10:41 . 2004-08-12 13:25 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-12 13:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-12 13:33 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 16:00 . 2010-08-29 12:01 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 22:28 . 2010-06-01 09:00 285256 ----a-w- c:\windows\system32\guard32.dll
2011-08-23 22:28 . 2010-06-04 01:55 242600 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2011-08-23 22:28 . 2010-06-01 09:00 97504 ----a-w- c:\windows\system32\drivers\inspect.sys
2011-08-23 22:28 . 2010-06-01 09:00 29400 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2011-08-23 22:28 . 2010-06-01 09:00 17416 ----a-w- c:\windows\system32\drivers\cmderd.sys
2011-08-22 23:48 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2004-08-12 13:20 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2004-08-12 13:17 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-10-09 19:47 . 2011-05-10 14:55 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\DameJo\Application Data\uTorrent\utorrent177.exe" [2010-06-23 219952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-08 7561216]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-17 118784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2006-06-28 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2006-02-14 176128]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-27 69632]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2006-05-31 151552]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-10 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-08-23 2554696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2011-06-07 421160]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
E-Flyer.lnk - c:\program files\Sony\E-Flyer\E-Flyer.exe [N/A]
VAIO Launcher.lnk - c:\program files\Sony\VAIO Launcher\Launcher.exe [2006-10-29 778240]
.
c:\documents and settings\DameJo\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [N/A]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RDM+]
2009-05-29 11:30 61440 ------w- c:\program files\RDM+\notify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-03-09 21:51 73728 ----a-w- c:\windows\system32\VESWinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKLM\~\startupfolder\C:^Documents and Settings^DameJo^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\DameJo\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\WINDOWS\\system32\\mspaint.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\EXCEL.EXE"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\Program Files\\Apoint\\Apoint.exe"=
"c:\\WINDOWS\\system32\\ICO.EXE"=
"c:\\Program Files\\Sony\\VAIO Power Management\\SPMgr.exe"=
"c:\\Program Files\\Sony\\ISB Utility\\ISBMgr.exe"=
"c:\\Program Files\\Sony\\Wireless Switch Setting Utility\\Switcher.exe"=
"c:\\Program Files\\Sony\\VAIO Camera Utility\\VCUServe.exe"=
"c:\\Program Files\\Sony\\VAIO Update 2\\VAIOUpdt.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jusched.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Apoint\\Apntex.exe"=
"d:\\iTunes\\iTunesHelper.exe"=
"c:\\Documents and Settings\\DameJo\\Application Data\\uTorrent\\utorrent177.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6102:TCP"= 6102:TCP:RDM
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [6/4/2010 1:55 AM 242600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [6/1/2010 9:00 AM 29400]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [7/26/2011 8:31 PM 218688]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 PStrip;PStrip;c:\windows\system32\drivers\pstrip.sys [7/15/2007 1:37 AM 27992]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [5/29/2009 11:31 AM 31896]
R3 NETwLx32; Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [7/22/2011 9:55 PM 6609920]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [8/28/2006 1:46 AM 30080]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [8/28/2006 1:46 AM 226304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 RDMPLocalService;RDM+ Local Service;"c:\program files\RDM+\rdmpserv.exe" --> c:\program files\RDM+\rdmpserv.exe [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2011-11-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-17 05:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://vaio-online.sony.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to &Evernote - c:\program files\Evernote\Evernote3.5\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\DameJo\Application Data\Mozilla\Firefox\Profiles\qgd6ev2o.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?.intl=au&.src=ym&.done=http%3A%2F%2Fmail.yahoo.com%2F
FF - user.js: general.useragent.extra.zencast -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-08 19:32
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1200)
c:\program files\RDM+\notify.dll
c:\windows\system32\VESWinlogon.dll
.
- - - - - - - > 'explorer.exe'(3936)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ICO.EXE
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2011-11-08 19:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-08 19:39
ComboFix2.txt 2011-11-06 16:50
.
Pre-Run: 5,188,714,496 bytes free
Post-Run: 5,067,616,256 bytes free
.
- - End Of File - - 6FD41A79848F53F3C56444135D870238

===================================================

I can now access all sites on the internet, including the ones blocked previously.
Below are the results of the ESET scan:

C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\13\2281260d-7e2a2977 probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\21\517408d5-2a675f49 multiple threats
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\21959da-6a007cb2 multiple threats
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\2d2ebe9a-6585ef89 multiple threats
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\35\5f24cc23-1fedb915 Java/Exploit.CVE-2009-3867.AL trojan
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\48\8891f30-4c2c9d54 a variant of Win32/Kryptik.UOT trojan
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\55\16a8b77-229f3cf6 a variant of Java/Agent.BR trojan
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\59\3d541bfb-5b40928f multiple threats
C:\Documents and Settings\DameJo\Local Settings\Temp\ninjafddhkfcghbo.exe a variant of Win32/Kryptik.UOT trojan
C:\Program Files\Common Files\System\ado\msadox.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Common Files\System\msadc\msadco.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Internet Explorer\hmmapi.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Movie Maker\moviemk.exe.tmp Win32/Ramnit.H virus
C:\Program Files\Windows Media Player\mpvis.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Win32/Ramnit.H virus
C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP298\A0111847.exe a variant of Win32/Kryptik.UOT trojan
C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP298\A0111848.exe a variant of Win32/Kryptik.UOT trojan
C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP300\A0114518.exe a variant of Win32/Kryptik.UOT trojan
Operating memory a variant of Win32/Ramnit.L virus

Note: this was run before ComboFix.

Should I re-install AVG now, or instead use one of the other security tools suggested, Avast or Avira?

Thanks again for your help.
 
Bad news, I'm afraid. I suspected a Ramnit infection, which was why I had you run those online scans.

Here it is in the ESET log:
C:\Program Files\Common Files\System\msadc\msadco.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Internet Explorer\hmmapi.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Movie Maker\moviemk.exe.tmp Win32/Ramnit.H virus
C:\Program Files\Windows Media Player\mpvis.dll.tmp Win32/Ramnit.H virus
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Win32/Ramnit.H virus
========================================

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. file infector often seen with this infection. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution, and the only sure way to remove it effectively, is to reformat and reinstall the OS. The malware injects code into legitimate files; these files, which can number in the thousands, cannot be disinfected properly by your anti-virus.

When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump), where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote crack and keygen sites. These types of sites are infested and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
(Some text help courtesy of Broni).
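The ESET lines quoted above are the raw export format: a path (or "Operating memory"), an optional "a variant of" prefix, the Platform/Family.Variant name, and a category word (application, trojan, virus). As an added example, not from the thread or from ESET, here is a small Python triage script that parses that format and pulls out the points the reply makes: detections grouped by family, hits in running memory, and "virus" (file infector) hits on files outside the user profile such as the .tmp copies under Program Files. The sample lines are copied from the scan posted earlier in the thread; the user-profile prefixes and the variant-suffix stripping rule are assumptions of the example.

```python
import re
from collections import Counter

# Detection lines as ESET Online Scanner exports them:
# "<path> [a variant of] <Platform/Family.Variant> <category>"
# These sample lines are copied from the scan results posted earlier in this thread.
SAMPLE_LOG = """\
C:\\Documents and Settings\\DameJo\\Application Data\\F429AC447DD031DA1DAAC37BCB67FBC4\\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\\Documents and Settings\\DameJo\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\21\\517408d5-2a675f49 multiple threats
C:\\Documents and Settings\\DameJo\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\35\\5f24cc23-1fedb915 Java/Exploit.CVE-2009-3867.AL trojan
C:\\Documents and Settings\\DameJo\\Local Settings\\Temp\\ninjafddhkfcghbo.exe a variant of Win32/Kryptik.UOT trojan
C:\\Program Files\\Internet Explorer\\hmmapi.dll.tmp Win32/Ramnit.H virus
C:\\Program Files\\Windows Media Player\\wmplayer.exe.tmp Win32/Ramnit.H virus
C:\\System Volume Information\\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\\RP298\\A0111847.exe a variant of Win32/Kryptik.UOT trojan
Operating memory a variant of Win32/Ramnit.L virus
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:(?:probably\s+)?a variant of\s+)?"
    r"(?P<name>\S+/\S+)\s+(?P<category>application|trojan|virus)$"
)
MULTI_RE = re.compile(r"^(?P<path>.+?)\s+multiple threats$")

# Assumed locations that hold the user's own data. A "virus" (file infector) hit
# outside them means installed programs or Windows itself carry the infector.
USER_PROFILE_PREFIXES = ("C:\\Documents and Settings\\", "C:\\Users\\")


def family_of(name):
    """Strip variant suffixes (assumed rule): Win32/Ramnit.H -> Win32/Ramnit."""
    parts = name.split(".")
    while len(parts) > 1 and (parts[-1] == "Gen" or re.fullmatch(r"[A-Z]{1,3}", parts[-1])):
        parts.pop()
    return ".".join(parts)


def parse_line(line):
    """Return a dict for one ESET log line, or None if the line is not a detection."""
    line = line.strip()
    m = LINE_RE.match(line)
    if m:
        d = m.groupdict()
        d["family"] = family_of(d["name"])
        return d
    m = MULTI_RE.match(line)
    if m:
        return {"path": m.group("path"), "name": None, "family": None,
                "category": "multiple threats"}
    return None


def triage(log_text):
    """Summarise a scan: per-family counts, in-memory hits, infected system files."""
    hits = [h for h in map(parse_line, log_text.splitlines()) if h]
    summary = {
        "per_family": Counter(h["family"] for h in hits if h["family"]),
        "per_category": Counter(h["category"] for h in hits),
        # A hit in running memory means the infector is active, whatever on-disk cleanup reported.
        "in_memory": sorted({h["family"] for h in hits if h["path"] == "Operating memory"}),
        "infected_system_files": [],
        "restore_point_hits": [],
        "multiple_threats": [],
    }
    for h in hits:
        p = h["path"]
        if (h["category"] == "virus" and p != "Operating memory"
                and not p.startswith(USER_PROFILE_PREFIXES)):
            summary["infected_system_files"].append(p)
        if "\\System Volume Information\\" in p:
            summary["restore_point_hits"].append(p)  # System Restore keeps copies of old malware
        if h["category"] == "multiple threats":
            summary["multiple_threats"].append(p)
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full exported log instead of SAMPLE_LOG and the "infected_system_files" and "in_memory" lists are the two items that distinguish a file infector living in the system from adware and cached exploit files confined to the user profile.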
 
Cleaning Flash drives that may be infected?

Hi Broni,

Thanks for the response - I will read the attached literature and determine the best next steps.

Can you advise if we are able to clean the flash drives used to transfer data (logs) to and from the PC initially?

Thanks
 
I'm Bobbye. I mentioned Broni because he helped draft the information. I didn't mean to confuse you.

Consideration should be given to replacing the flash drive with a new one. You can clean the flash drive, but I recommend great care being taken in its use until or unless you can verify that it's clean. For instance, keep in mind how many virus scans we had to run in order to actually reveal Ramnit.

Here are 2 disinfection programs for the flash drive. Select one of them:
  • Please download Panda USB Vaccine (you must provide a valid e-mail address and they will send the download link to it) to your desktop.
  • Install and run it.
  • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
-----------------------------------------
You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

Please disinfect all movable drives
  1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  4. Wait until it has finished scanning and then exit the program.
  5. Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
=================
 
Hi - Apologies, Bobbye. I answered your last post on my phone and read Broni in the text post, so that's who I thought it was.

I have been using the flash tools and also ESET on the flash drives, and they seem to be clean afterwards.

I also re-ran ESET on the laptop, as the first time I ran it was before running ComboFix. The log results are below.



C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\DameJo\Application Data\F429AC447DD031DA1DAAC37BCB67FBC4\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\26\21959da-6a007cb2 Java/Exploit.Agent.NAO trojan deleted - quarantined
C:\Documents and Settings\DameJo\Application Data\Sun\Java\Deployment\cache\6.0\55\16a8b77-229f3cf6 a variant of Java/Agent.BR trojan deleted - quarantined
C:\System Volume Information\_restore{B5AD2F44-4C4B-486D-848D-2D951450AEE1}\RP306\A0116100.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined


Ramnit is not present - does that mean it was removed by ComboFix? If not, is it hiding from ESET now?

Thanks
 
In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

The additional text I left, if you read it, should make this clear to you. And although I suspected Ramnit from the beginning, please go back and note how many virus scans were run before Ramnit was finally revealed.
 
Thanks for the quick response and all your help.

One more question :)

I'm planning on reformatting. I just need to find a good way to back up the photos on the laptop before reformatting the hard drive - any suggestions on how I can do this without infecting another PC?

Cheers
 
You really must be extremely careful about what you back up before the reinstall. All executable files, all HTML files and more may be infected. Reusing just one of them after a reinstall can cause the infection to respawn all over again.
  • Backup all your documents and important items only.
  • DON'T back up any executable files (.exe .scr .html or .htm)
  • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files
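The three rules above can be applied mechanically before anything is copied off the infected disk. As an added example, not from the thread or from any tool it mentions, here is a Python script that walks a folder and marks each file "copy" or "skip" with a reason: the listed extensions are refused, .zip archives are opened and refused if any member has one of those extensions, and .cab/.rar archives (not readable with the standard library) are refused unopened. It goes one step beyond the post, as an assumption of the example, by also refusing any file whose first two bytes are the "MZ" header every Windows executable starts with, so a renamed .exe does not slip through as a photo. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
import zipfile

# Extensions the post says not to carry across: file-infector targets and archive containers.
EXECUTABLE_EXTS = {".exe", ".scr", ".html", ".htm"}
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Assumption beyond the post: a Windows executable starts with the "MZ" DOS header
# whatever its name, so check content as well as extension.
PE_MAGIC = b"MZ"


def classify_file(path):
    """Return 'copy' or 'skip:<reason>' for one file under consideration for the backup."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "skip:executable-or-html"
    if ext in ARCHIVE_EXTS:
        if ext == ".zip" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]
            return "skip:archive-contains-" + ",".join(bad) if bad else "copy"
        # .cab and .rar cannot be inspected here, so they are treated as suspect.
        return "skip:uninspected-archive"
    try:
        with open(path, "rb") as f:
            head = f.read(2)
    except OSError:
        return "skip:unreadable"
    if head == PE_MAGIC:
        return "skip:mz-header"
    return "copy"


def plan_backup(root):
    """Walk root and map each relative path to its verdict so the plan can be reviewed first."""
    plan = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            plan[os.path.relpath(full, root)] = classify_file(full)
    return plan


def build_sample_tree(root):
    """Constructed sample: photos and notes to keep, plus the kinds of file that must be left behind."""
    os.makedirs(os.path.join(root, "Photos"), exist_ok=True)
    with open(os.path.join(root, "Photos", "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)      # JPEG header bytes
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("shopping list\n")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 30)
    with open(os.path.join(root, "page.htm"), "w") as f:
        f.write("<html></html>\n")
    with open(os.path.join(root, "photo.jpg.bak"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 30)                    # executable behind a harmless-looking name
    with zipfile.ZipFile(os.path.join(root, "stuff.zip"), "w") as zf:
        zf.writestr("readme.txt", "hi")
        zf.writestr("tool.exe", "MZ....")                # archive that would carry an .exe across
    with zipfile.ZipFile(os.path.join(root, "docs.zip"), "w") as zf:
        zf.writestr("cv.txt", "resume")


def demo():
    """Build the constructed tree in a temporary directory and return its backup plan."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return plan_backup(tmp)


if __name__ == "__main__":
    for rel, verdict in sorted(demo().items()):
        print(f"{verdict:40} {rel}")
```

Point plan_backup at the folders you intend to save, read the "skip" lines before copying, and copy only the "copy" set; the point of returning a plan rather than copying directly is that the decision is reviewed on the clean machine before any byte leaves the infected one.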
 
Back