Hi . Very worried about Ramnit warnings. Please review my logs. Avira Antivirus coming up with a lot of 'infected with Ramnit' type popups. Hope you can help! Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4717 Windows 5.1.2600 Service Pack 2 Internet Explorer 7.0.5730.11 30/09/2010 02:53:01 mbam-log-2010-09-30 (02-53-01).txt Scan type: Quick scan Objects scanned: 152928 Time elapsed: 12 minute(s), 0 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot. DDS Follows -------------- DDS (Ver_10-03-17.01) - NTFSx86 Run by A2 at 20:43:11.89 on 29/09/2010 Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1168 [GMT 1:00] AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch C:\WINDOWS\system32\svchost -k rpcss C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k NetworkService C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe -k LocalService C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\IPSSVC.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\EzRecorder\ERService.exe C:\Program Files\Hotspot Shield\bin\openvpnas.exe C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe C:\Program Files\Hotspot Shield\bin\hsswd.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\CDBurnerXP\NMSAccessU.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\ICO.EXE c:\program files\lenovo\system update\suservice.exe C:\WINDOWS\system32\FSRremoS.EXE C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\ThinkVantage\AMSG\Amsg.exe C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe C:\WINDOWS\system32\Pelmiced.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Lenovo\AwayTask\AwaySch.EXE C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Lenovo\SafeGuard PrivateDisk\pdservice.exe C:\Program Files\Lenovo\Client Security Solution\cssauth.exe C:\WINDOWS\system32\Mxvgautil.EXE C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Samsung\EmoDio\SMSTray.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\NETGEAR\WPN111\wpn111.exe C:\Program Files\Orbitdownloader\orbitdm.exe C:\Program Files\Orbitdownloader\orbitnet.exe C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe C:\Program Files\Trusteer\Rapport\bin\RapportService.exe C:\Program Files\Common Files\Lenovo\Logger\logmon.exe C:\Program Files\Windows Media Player\WMPNetwk.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Hotspot Shield\bin\openvpntray.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Avira\AntiVir Desktop\avshadow.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\A2\Desktop\dds.scr C:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uStart Page = http://www.youtube.com/ uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR uSearch Bar = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll BHO: 1 (0x1) - No File BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe" mRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe mRun: [PDService.exe] "c:\program files\lenovo\safeguard privatedisk\pdservice.exe" mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent mRun: [Mxvgautil] c:\windows\system32\Mxvgautil.EXE mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe" mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe" mRun: [DXDllRegExe] dxdllreg.exe mRun: [sMSTray] c:\program files\samsung\emodio\SMSTray.exe mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn111\wpn111.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201 IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204 IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203 IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202 IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000 IE: {DA320635-F48C-4613-8325-D75A933C549E} - c:\program files\lenovo\system update\sulauncher.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin8.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll Hosts: 127.0.0.1 www.spywareinfo.com ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\a2\applic~1\mozilla\firefox\profiles\pjzem7iq.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.kitco.com/ FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: XULRunner: {E96701EC-545C-4E1B-96C9-821A13A0A906} - c:\documents and settings\a2\local settings\application data\{E96701EC-545C-4E1B-96C9-821A13A0A906} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false ============= SERVICES / DRIVERS =============== R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-9-29 11608] R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2010-7-1 59240] R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-7-1 166632] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-9-29 135336] R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-9-29 267432] R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-9-29 60936] R2 ERService;ERService;c:\program files\ezrecorder\ERService.exe [2010-5-26 712704] R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?] R2 PrivateDisk;PrivateDisk;c:\program files\lenovo\safeguard privatedisk\privatediskm.sys [2006-3-14 58368] R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-7-1 840936] R2 smi2;smi2;c:\program files\smi2\smi2.sys [2006-5-13 3968] R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2008-7-2 17149] R3 EasyRecordAD;EzRecorder Audio Device;c:\windows\system32\drivers\easyrecord.sys [2010-5-26 18816] R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2008-7-2 362944] R3 xMrMINI;xMrMINI;c:\windows\system32\drivers\xMrMini.sys [2008-7-2 233984] R3 xVGAMINI;xVGAMINI;c:\windows\system32\drivers\xVgaMini.sys [2008-7-2 234368] R3 xVGAUSB;USB2.0 VGA DEVICE(USB);c:\windows\system32\drivers\xVGAUSB.sys [2008-7-2 22528] S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?] =============== Created Last 30 ================ 2010-09-29 19:41:26 0 ----a-w- c:\documents and settings\a2\defogger_reenable 2010-09-29 19:32:22 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2010-09-29 19:32:21 0 d-----w- c:\program files\Avira 2010-09-29 19:32:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira 2010-09-29 18:54:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-09-29 18:54:54 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-09-29 18:54:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-29 17:17:04 0 d-----w- c:\program files\tmp 2010-09-29 17:16:53 0 d-----w- c:\program files\Microsoft 2010-09-28 19:10:39 59392457 ----a-w- C:\A.wmv 2010-09-24 18:48:03 61176553 ----a-w- C:\K.wmv 2010-09-11 15:55:39 0 d-----w- c:\program files\Spybot - Search & Destroy 2010-09-11 15:55:39 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2010-09-10 21:25:22 0 d-----w- c:\docume~1\a2\applic~1\Canneverbe Limited 2010-09-10 21:25:21 0 d-----w- c:\docume~1\alluse~1\applic~1\Canneverbe Limited 2010-09-10 21:09:03 0 d-----w- c:\docume~1\alluse~1\applic~1\ReviverSoft 2010-09-10 21:08:14 7168 ----a-w- c:\windows\system32\drivers\StarOpen.sys 2010-09-10 21:08:03 0 d-----w- c:\docume~1\a2\applic~1\OpenCandy 2010-09-10 20:45:12 764868 ------w- c:\windows\system32\dllcache\apph_sp.sdb 2010-09-10 20:45:11 217118 ------w- c:\windows\system32\dllcache\apphelp.sdb 2010-09-10 20:42:18 0 d-----w- c:\windows\system32\LogFiles ==================== Find3M ==================== 2010-09-25 23:00:01 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS 2008-09-05 04:27:03 1906 -c----w- c:\program files\FXPrivateClient.lnk 2008-05-15 23:25:40 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat 2008-07-01 13:27:19 32768 -csh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070120080702\index.dat 2010-04-05 03:09:51 32768 -csha-w- c:\windows\temp\cookies\index.dat 2010-04-05 03:09:51 32768 -csha-w- c:\windows\temp\history\history.ie5\index.dat 2010-04-05 03:09:51 49152 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat ============= FINISH: 20:43:57.17 =============== ark.zip Attach.zip