Froggy
Everything posted by Froggy

  1. Hi RP, thanks for all your help. I shouldn't back up any *.rar or *zip files either? I thought those were okay...but good to know...Thanks for the link, ...fun times ahead!
  2. Hey RP...here are the first two that were ugly, back on Tuesday. desktoplayer.exe is/was in there...but my files are f'ed up now. Avast keeps finding some and deleting them. I'm just backing up everything personal, and am going to reformat/reinstall....

     Malwarebytes' Anti-Malware 1.46
     www.malwarebytes.org

     Database version: 4798

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     12/10/2010 4:48:49 PM
     mbam-log-2010-10-12 (16-48-49).txt

     Scan type: Full scan (C:\|F:\|G:\|)
     Objects scanned: 303069
     Time elapsed: 15 hour(s), 19 minute(s), 43 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 4
     Registry Data Items Infected: 2
     Folders Infected: 0
     Files Infected: 8

     Memory Processes Infected: (No malicious items detected)

     Memory Modules Infected: (No malicious items detected)

     Registry Keys Infected: (No malicious items detected)

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Heuristics.Shuriken) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{24c3e02c-e734-82f5-26fc-5d4ee2092c0d} (Trojan.ZbotR.Gen) -> Delete on reboot.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nonep (Trojan.Agent) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

     Folders Infected: (No malicious items detected)

     Files Infected:
     C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP736\A0164735.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\System Volume Information\_restore{5D836F8B-2506-4CF4-B139-6C8894EFE848}\RP745\A0172175.dll (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\WINDOWS\ExplorerSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
     C:\WINDOWS\system32\qtplugin.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
     C:\WINDOWS\Temp\_avast5_\unp17277494.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
     C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
     C:\Program Files\Mozilla Firefox\firefoxSrv.exe (Trojan.PWS) -> Quarantined and deleted successfully.
     C:\Documents and Settings\Digby\Application Data\Akuwb\ciivm.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
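As an added triage example (written for this page, not code from the post or from Malwarebytes), the parser below reads the MBAM 1.x log format shown in the post above, separates items removed on the spot from those marked "Delete on reboot" (which must be re-checked after the restart), and pulls the extra executable out of the Winlogon Userinit hijack line. The sample input reuses detection lines from that log, trimmed to a few entries.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x log (added example,
not MBAM code). It separates items removed immediately from those marked
"Delete on reboot", and pulls the extra executable out of a Winlogon
Userinit hijack line so the operator knows what to re-check after restart."""
import re
from collections import defaultdict

# Sample input: detection lines copied from the log in the post above, trimmed.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrymonitor1 (Heuristics.Shuriken) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{24c3e02c-e734-82f5-26fc-5d4ee2092c0d} (Trojan.ZbotR.Gen) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ExplorerSrv.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
"""

# "<target> (<detection name>) -> <action...>"; the action part may itself contain " -> ".
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
USERINIT_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


def parse_mbam_log(text):
    """Return {section: [(target, detection, final action)]} for every detection line."""
    sections = defaultdict(list)
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("Infected:"):      # section header such as "Files Infected:"
            current = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if current and m:
            action = m.group("rest").split(" -> ")[-1].rstrip(".")
            sections[current].append((m.group("target"), m.group("detection"), action))
    return dict(sections)


def pending_reboot_items(parsed):
    """Targets MBAM could not remove while Windows was running; verify them after reboot."""
    return [t for items in parsed.values() for t, _, a in items if a == "Delete on reboot"]


def userinit_extra_entries(text):
    """Paths chained onto userinit.exe in a Userinit hijack line (the persistence entry)."""
    m = USERINIT_RE.search(text)
    if not m:
        return []
    good = {g.strip().lower() for g in m.group("good").split(",") if g.strip()}
    bad = [b.strip() for b in m.group("bad").split(",") if b.strip()]
    return [b for b in bad if b.lower().rsplit("\\", 1)[-1] not in good]
```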
  3. My Java is out of date for the Kaspersky tool and when I try to update it I get this message: "bin\axbridge.dll: old file not found. however, a file of the same name was found. No update done since file contents do not match." Then I get an Error 1722 message from the Java installer as well.
  4. I've attached the RKU report instead of pasting it here...it's pretty long. Report.txt
  5. Cheers for the help RP...that's the answer I was somewhat expecting, but afraid of. DDS.txt

     DDS (Ver_10-10-10.03) - NTFSx86
     Run by Digby at 19:19:50.10 on 14/10/2010
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1315 [GMT -4:00]
     AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

     Have to put my kid to bed, so I'll try and get the Rootkit Unhooker log up later tonight once it is done. cheers, F. Attach.txt
  6. bump to add that I'll post my last MBAM log once I get home...
  7. Hi all, New here, but have been a longtime lurker. I'm semi-computer-literate, and have figured my way out of removing some minor malware infections in the past. I have a ramnit-d infection on my home computer that's been spreading itself all over like a horny syphilitic. Not sure how/where I picked it up as I take great care to keep AV/malware software up to date, avoid certain sites, don't download excessively, etc, etc....I've read numerous threads about ramnit, and it seems to be pretty scary - although it ranges from low threat to severe. THIS Microsoft bulletin scares me however. So, ...based on how many ramnit threads here and elsewhere end, I was thinking of just nuking my drive and doing a clean install. At this point will this save me a lot of frustration and energy (as well as ensuring my comp is safe)? cheers, Froggy