Froggy
Everything posted by Froggy
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
Hi RP, thanks for all your help. I shouldn't back up any *.rar or *.zip files either? I thought those were okay...but good to know...Thanks for the link, ...fun times ahead!
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
Hey RP...here are the first two that were ugly, back on Tuesday. desktoplayer.exe is/was in there...but my files are f'ed up now. Avast keeps finding some and deleting them. I'm just backing up everything personal, and am going to reformat/reinstall....

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4798

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/10/2010 4:48:49 PM
mbam-log-2010-10-12 (16-48-49).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 303069
Time elapsed: 15 hour(s), 19 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{24c3e02c-e734-82f5-26fc-5d4ee2092c0d} (Trojan.ZbotR.Gen) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP736\A0164735.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP745\A0172175.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtplugin.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_avast5_\unp17277494.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\firefoxSrv.exe (Trojan.PWS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Digby\Application Data\Akuwb\ciivm.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
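The MBAM report above is easier to reason about once its detection lines are parsed into records and the autostart hits are pulled out, in particular the Winlogon Userinit hijack, where the "Bad:" list shows desktoplayer.exe chained after the real userinit.exe. The script below is an added example written for this page; it is not code from the thread or from Malwarebytes. SAMPLE_LOG is a constructed subset in the same line format as the post's log, and EXPECTED_USERINIT is an assumed baseline for a stock Windows XP install.

```python
"""
Added example (not from the thread, not Malwarebytes' code): a parser for the
MBAM 1.46 log format. It splits the report into its "... Infected:" sections,
turns each detection line into a record, and singles out autostart findings by
diffing the Userinit "Bad:" list against the stock userinit.exe entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the report in the post, same line format.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{24c3e02c-e734-82f5-26fc-5d4ee2092c0d} (Trojan.ZbotR.Gen) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\firefoxSrv.exe (Trojan.PWS) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:(?P<detail>.+?) -> )?(?P<action>[^>]+\.)$"
)
# Assumption: the only entry a stock XP Userinit value should carry.
EXPECTED_USERINIT = {"userinit.exe", r"c:\windows\system32\userinit.exe"}


@dataclass(frozen=True)
class Detection:
    section: str
    target: str
    threat: str
    detail: str  # "Data: ..." or "Bad: (...) Good: (...)" on registry data items, else ""
    action: str


def parse_mbam_log(text: str) -> list[Detection]:
    """Walk the report; lines before the first section header (metadata, counts) are skipped."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m.group("target"), m.group("threat"),
                                        m.group("detail") or "", m.group("action")))
    return detections


def threat_counts(detections: list[Detection]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for d in detections:
        counts[d.threat] = counts.get(d.threat, 0) + 1
    return counts


def userinit_findings(detail: str) -> list[str]:
    """Explain a Userinit hit: the injected Data: value, or the Bad: entries beyond stock."""
    data = re.match(r"Data: (?P<value>.+)$", detail)
    if data:
        return [f"Userinit data points at {data.group('value')}"]
    bad = re.search(r"Bad: \((?P<bad>[^)]*)\)", detail)
    if not bad:
        return []
    entries = [e.strip().lower() for e in bad.group("bad").split(",") if e.strip()]
    return [f"Userinit chained to {e}" for e in entries if e not in EXPECTED_USERINIT]


def persistence_findings(detections: list[Detection]) -> list[str]:
    """Autostart locations only: Run values and the Winlogon Userinit hook."""
    findings: list[str] = []
    for d in detections:
        low = d.target.lower()
        if low.endswith("\\winlogon\\userinit"):
            findings.extend(userinit_findings(d.detail))
        elif "\\currentversion\\run\\" in low:
            name = d.target.rsplit("\\", 1)[-1]
            findings.append(f"Run value {name} ({d.threat})")
    return findings


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    for threat, n in sorted(threat_counts(dets).items()):
        print(f"{n:3d}  {threat}")
    for finding in persistence_findings(dets):
        print("PERSISTENCE:", finding)
```

Run it on a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; the Userinit diff is the part worth keeping, since a second executable chained into that value is what causes the malware to be relaunched at every logon regardless of which files the scanner has already quarantined.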
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
My Java is out of date for the Kaspersky tool and when I try to update it I get this message: "bin\axbridge.dll: old file not found. however, a file of the same name was found. No update done since file contents do not match." Then I get an Error 1722 message from the Java installer as well.
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
I've attached the RKU report instead of pasting it here...it's pretty long.

Report.txt
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
Cheers for the help RP...that's the answer I was somewhat expecting, but afraid of.

DDS.txt

DDS (Ver_10-10-10.03) - NTFSx86
Run by Digby at 19:19:50.10 on 14/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1315 [GMT -4:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Digby\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\digby\startm~1\programs\access~1\startup\setup_~1.lnk - c:\documents and settings\digby\desktop\virus removal tool\setup_9.0.0.722_13.10.2010_16-37[1]\startup.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250563155109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: mwxdua.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxXQGw
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\digby\applic~1\mozilla\firefox\profiles\3mv5ael9.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1266799219&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 43765712;43765712 Boot Guard Driver;c:\windows\system32\drivers\43765712.sys [2010-10-13 37392]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-11 64288]
R1 43765711;43765711;c:\windows\system32\drivers\43765711.sys [2010-10-13 128016]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-10-11 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_13.10.2010_16-37[1]drv;setup_9.0.0.722_13.10.2010_16-37[1]drv;c:\windows\system32\drivers\4376571.sys [2010-10-13 315408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-10-11 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-11 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-13 136176]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 utiymzq1;AVZ Kernel Driver;c:\windows\system32\drivers\utiymzq1.sys [2010-10-14 7168]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1357464]

=============== Created Last 30 ================

2010-10-14 04:43:06 7168 ----a-w- c:\windows\system32\drivers\utiymzq1.sys
2010-10-14 02:15:28 -------- d-----w- C:\stdtsa
2010-10-14 01:13:50 37392 ----a-w- c:\windows\system32\drivers\43765712.sys
2010-10-14 01:13:50 128016 ----a-w- c:\windows\system32\drivers\43765711.sys
2010-10-14 01:13:49 315408 ----a-w- c:\windows\system32\drivers\4376571.sys
2010-10-14 00:44:11 -------- d-----w- c:\program files\Enigma Software Group
2010-10-14 00:43:45 -------- d-----w- c:\windows\9EFA732347A048E28F7735DB5EED500A.TMP
2010-10-13 02:16:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-13 02:16:49 -------- d-----w- c:\docume~1\digby\applic~1\SUPERAntiSpyware.com
2010-10-13 02:15:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-13 01:17:00 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-12 13:38:15 -------- d-----w- c:\program files\windows
2010-10-12 04:01:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-12 04:01:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-12 04:01:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-12 03:57:53 38848 ----a-w- c:\windows\avastSS.scr
2010-10-12 03:30:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-10-12 02:41:57 28672 ----a-w- c:\windows\system32\setupold.exe
2010-10-12 02:28:34 -------- d-----w- c:\docume~1\digby\applic~1\AVG10
2010-10-12 02:04:47 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
2010-10-12 01:57:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-12 01:52:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2010-10-12 01:50:48 -------- d--h--w- C:\$AVG
2010-10-12 01:47:31 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-10-12 01:45:22 -------- d-----w- c:\program files\Lavasoft
2010-10-12 01:41:34 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2010-10-12 00:31:26 -------- d-----w- c:\program files\win
2010-10-12 00:31:22 -------- d-----w- c:\program files\tmp
2010-10-12 00:31:16 -------- d-----w- c:\program files\Microsoft
2010-10-09 02:32:45 -------- d-----w- c:\program files\NVIDIA Corporation
2010-10-02 21:27:59 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-10-01 18:06:04 14808 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2010-10-01 18:06:02 718296 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2010-09-28 04:31:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\t01x97GIiTqrf7M2Q
2010-09-28 04:27:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\19Rgeit2iTqrf7M2Ql65
2010-09-25 17:49:00 -------- d-----w- c:\docume~1\digby\applic~1\Miweaw

==================== Find3M ====================

2010-09-26 01:54:08 202032 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-08-27 00:41:15 224960 ----a-w- c:\windows\system32\PnkBstrB.xtr
2010-08-27 00:34:35 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2007-07-21 08:11:20 20480 ----a-w- c:\program files\WowMon.dll
2007-07-17 19:14:33 57344 ----a-w- c:\program files\loaderplus.exe
2007-06-20 22:53:12 53248 ----a-w- c:\program files\Loader.exe
2005-12-05 16:07:30 61136 ----a-w- c:\program files\xinput9_1_0.dll

============= FINISH: 19:21:02.93 ===============

Have to put my kid to bed, so I'll try and get the Rootkit Unhooker log up later tonight once it is done.

cheers,
F.

Attach.txt
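In a DDS log the "Pseudo HJT Report" section is where a reviewer reads first, and in the one above four lines stand out: AppInit_DLLs carrying mwxdua.dll, an extra entry in the LSA Authentication Packages list, a Hosts override, and SfcDisable set in Winlogon. The script below is an added example written for this page, not code from the thread or from the DDS tool; it triages those keys against a stock Windows XP baseline. SAMPLE_REPORT is a constructed subset of the post's log in the same line format, and LSA_BASELINE is an assumed baseline.

```python
"""
Added example (not from the thread, not part of DDS): a triage pass over the
"Pseudo HJT Report" section of a DDS log. It pulls the entries a reviewer
checks first (AppInit_DLLs, LSA Authentication Packages, Hosts overrides,
Winlogon's SfcDisable) and reports whatever departs from a stock XP baseline.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the report in the post, same line format.
SAMPLE_REPORT = r"""
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.google.ca/
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: mwxdua.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxXQGw
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - prefs.js: browser.search.selectedEngine - Ask
"""

# Assumption: on a stock XP install LSASS loads only msv1_0 and AppInit_DLLs is empty.
LSA_BASELINE = {"msv1_0"}
# "key: value" or "key = value"; the first ':' or '=' ends the key, so paths in values survive.
ENTRY_RE = re.compile(r"^(?P<key>[^:=]+?)\s*[:=]\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    reason: str


def parse_hjt_section(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from the Pseudo HJT Report section; other sections are ignored."""
    pairs: list[tuple[str, str]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):  # section banner
            in_section = "Pseudo HJT Report" in line
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            pairs.append((m.group("key"), m.group("value")))
    return pairs


def triage(pairs: list[tuple[str, str]]) -> list[Finding]:
    """Compare the high-value autostart keys against the baseline and explain each hit."""
    findings: list[Finding] = []
    for key, value in pairs:
        if key == "AppInit_DLLs" and value:
            for dll in re.split(r"[ ,;]+", value.strip()):
                findings.append(Finding("AppInit_DLLs", dll,
                                        "loaded into every process that maps user32.dll"))
        elif key == "LSA":
            m = re.match(r"Authentication Packages = (?P<pkgs>.+)$", value)
            for pkg in (m.group("pkgs").split() if m else []):
                if pkg.lower() not in LSA_BASELINE:
                    findings.append(Finding("LSA Authentication Packages", pkg,
                                            "non-stock package loaded by lsass.exe at boot"))
        elif key == "Hosts":
            parts = value.split(None, 1)
            if len(parts) == 2:
                findings.append(Finding("Hosts", parts[1],
                                        f"resolved locally to {parts[0]}, bypassing DNS"))
        elif key == "mWinlogon":
            m = re.match(r"SfcDisable=(?P<n>-?\d+)", value)
            if m and int(m.group("n")) != 0:
                findings.append(Finding("Winlogon", value,
                                        "SfcDisable is non-zero: Windows File Protection is off"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt_section(SAMPLE_REPORT)):
        print(f"[{f.category}] {f.value}: {f.reason}")
```

The LSA and AppInit_DLLs checks matter more than the Run-key noise because both load code into system processes before any user logs on, which is why a scanner that only cleans files and Run values keeps finding the same infection back; the baseline sets are deliberately small and should be extended per image before relying on the output.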
Ramnit-D infection: is this a new variant?
Froggy replied to Froggy's topic in Resolved Malware Removal Logs
bump to add that I'll post my last MBAM log once I get home...
Hi all, New here, but have been a longtime lurker. I'm semi computer literate, and have figured my way out of removing some minor malware infections in the past. I have a ramnit-d infection on my home computer that's been spreading itself all over like a horny syphilitic. Not sure how/where I picked it up as I take great care to keep AV/malware software up to date, avoid certain sites, don't download excessively, etc, etc....I've read numerous threads about ramnit, and it seems to be pretty scary - although it ranges from low threat to severe. THIS Microsoft bulletin scares me however. So, ...based on how many ramnit threads here and elsewhere end, I was thinking of just nuking my drive and doing a clean install. At this point will this save me a lot of frustration and energy (as well as ensuring my comp is safe)? cheers, Froggy