
Win32/Heur - MBAM detects nothing



Hi,

I am having a variety of issues that seem to be due to Win32/Heur, perhaps other malware/viruses also. I'm pretty sure this got picked up when I accidentally visited a site which started loading some sort of java immediately. I shut down firefox before anything completed but I've been having trouble since. MBAM isn't picking up anything when I scan. Here is some of what I am experiencing:

-Can't open certain programs: MBAM (will open only if I rename the exe file to something else); Firefox (brings up a Mozilla Crash Reporter every time I try to load it, and if I click the "restart Firefox" button from the Crash Reporter, it just crashes over again); Mozilla Thunderbird, etc.

-A few times when I've rebooted my computer I saw a "Generic Host Process for Win32 Services has encountered a problem and needs to close. etc" error at start up

-AVG virus scan is picking up all kinds of false positives and flagging them as Win32/Heur or VBS/Generic. Some example programs and file types it has picked up are Adobe Photoshop, my Logitech wireless mouse software, Irfanview image viewer, Nero, WinRAR, HTML files, etc.

Any help cleaning up my system would be greatly appreciated. Attached are logs for MBAM, DDS, GMER, HJT (I couldn't compress them because WinRAR isn't working due to this virus).

Thanks in advance for any help!

DDS log:

----------------------------------------------------------------------------------------

DDS (Ver_10-10-21.02) - NTFSx86

Run by Justin at 20:43:30.45 on Thu 10/28/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.526 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files\Logitech\SetPointP\SetPoint.exe

C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Justin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe

mRun: [securDisc] c:\program files\nero\nero 7\incd\NBHGui.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\justin\applic~1\mozilla\firefox\profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\justin\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-2 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-26 216400]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-24 29584]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-26 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-9-29 10448]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-3-18 40912]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-3-18 10448]

S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]

=============== Created Last 30 ================

2010-10-29 02:59:17 880640 ----a-w- c:\program files\windows media player\wmsetsdk.exe

2010-10-29 02:59:17 425984 ----a-w- c:\program files\windows media player\npdsplay.dll

2010-10-29 02:56:16 311296 ----a-w- c:\program files\mozilla firefox\freebl3.dll

2010-10-29 02:56:16 192512 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll

2010-10-29 02:56:16 110592 ----a-w- c:\program files\mozilla firefox\plugins\np32dsw.dll

2010-10-29 02:45:30 56832 ----a-w- c:\windows\explorerSrv.exe

2010-10-28 07:30:21 -------- d-----w- c:\program files\tmp

2010-10-28 06:24:23 -------- d-----w- c:\program files\MultiRes

2010-10-28 06:23:53 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe

2010-10-28 06:23:53 -------- d-----w- c:\program files\Radeon Omega Drivers

2010-10-18 05:58:53 0 ----a-w- c:\windows\ativpsrm.bin

2010-10-13 06:43:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

2010-10-13 06:43:17 -------- d-----w- c:\program files\NVIDIA Corporation

2010-10-03 11:32:35 -------- d-sha-r- C:\cmdcons

2010-10-03 11:29:43 98816 ----a-w- c:\windows\sed.exe

2010-10-03 11:29:43 77312 ----a-w- c:\windows\MBR.exe

2010-10-03 11:29:43 256512 ----a-w- c:\windows\PEV.exe

2010-10-03 11:29:43 161792 ----a-w- c:\windows\SWREG.exe

2010-09-30 02:03:47 53248 ----a-r- c:\docume~1\justin\applic~1\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe

2010-09-30 02:03:11 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2010-09-30 02:03:03 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2010-09-30 02:01:17 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys

2010-09-30 02:00:18 -------- d-----w- c:\docume~1\justin\applic~1\Logishrd

==================== Find3M ====================

2010-08-04 08:59:12 53248 ----a-w- c:\windows\system32\aticalrt.dll

2010-08-04 08:59:02 53248 ----a-w- c:\windows\system32\aticalcl.dll

2010-08-04 08:57:42 4358144 ----a-w- c:\windows\system32\aticaldd.dll

2010-08-04 08:53:24 15900672 ----a-w- c:\windows\system32\atioglxx.dll

2010-08-04 08:47:50 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2010-08-04 08:47:02 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll

2010-08-04 08:46:06 300544 ----a-w- c:\windows\system32\ati2dvag.dll

2010-08-04 08:41:42 3901280 ----a-w- c:\windows\system32\ati3duag.dll

2010-08-04 08:31:18 208896 ----a-w- c:\windows\system32\atipdlxx.dll

2010-08-04 08:31:06 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2010-08-04 08:30:58 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2010-08-04 08:30:52 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2010-08-04 08:30:40 159744 ----a-w- c:\windows\system32\ati2evxx.dll

2010-08-04 08:29:28 606208 ----a-w- c:\windows\system32\ati2evxx.exe

2010-08-04 08:28:14 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2010-08-04 08:28:08 2537728 ----a-w- c:\windows\system32\ativvaxx.dll

2010-08-04 08:27:22 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2010-08-04 08:24:06 610304 ----a-w- c:\windows\system32\atikvmag.dll

2010-08-04 08:23:54 393216 ----a-w- c:\windows\system32\atiok3x2.dll

2010-08-04 08:22:30 188416 ----a-w- c:\windows\system32\atiadlxx.dll

2010-08-04 08:22:10 17408 ----a-w- c:\windows\system32\atitvo32.dll

2010-08-04 08:16:52 700416 ----a-w- c:\windows\system32\ati2cqag.dll

2010-08-04 08:15:22 65024 ----a-w- c:\windows\system32\atimpc32.dll

2010-08-04 08:15:22 65024 ----a-w- c:\windows\system32\amdpcom32.dll

============= FINISH: 20:44:32.01 ===============

ark.log

Attach.txt

hjt.txt

mbam_log_2010_10_28__20_42_40_.txt


Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop

  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop

Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.


Hi Elise,

Thank you for the reply. Here are the logs you have requested:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 2)

Number of processors #1

==============================================

>Drivers

==============================================

0xF5AB5000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5582848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xBD216000 C:\WINDOWS\System32\ati3duag.dll 3903488 bytes (ATI Technologies Inc. , ati3duag.dll)

0xF60C2000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 3788800 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xBD5CF000 C:\WINDOWS\System32\ativvaxx.dll 2539520 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2058368 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2058368 bytes

0x804D7000 RAW 2058368 bytes

0x804D7000 WMIxWDM 2058368 bytes

0xBF800000 Win32k 1851392 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBD060000 C:\WINDOWS\System32\ati2cqag.dll 700416 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xBD10B000 C:\WINDOWS\System32\atikvmag.dll 679936 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xF71FD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xAA922000 C:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)

0xA93E6000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xBD1B1000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)

0xAC6B9000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0x9FA44000 C:\WINDOWS\System32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBD012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0x9F553000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF603B000 C:\WINDOWS\system32\DRIVERS\NVNRM.SYS 262144 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xAC67F000 C:\WINDOWS\System32\Drivers\avgtdix.sys 237568 bytes (AVG Technologies CZ, s.r.o., AVG Network connection watcher)

0xA936E000 C:\WINDOWS\System32\Drivers\avgldx86.sys 212992 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)

0xF5A00000 C:\WINDOWS\System32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)

0xF6008000 C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 208896 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)

0xF5A34000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xF7358000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xF71D0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0x9FB8B000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xA9455000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xA94A2000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF7302000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xF609E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF607B000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF645F000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xA9480000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xAAA5B000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)

0x806CE000 ACPI_HAL 131968 bytes

0x806CE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF72B3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF7328000 ftdisk.sys 126976 bytes

0xAC724000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)

0xF71B5000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF72EA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF728A000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF5A76000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xF72D3000 nvata.sys 94208 bytes (NVIDIA Corporation, NVIDIA


Hello again,

Unfortunately you have a nasty rootkit on your computer. Please read the following first before starting the cleaning process.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hi Elise,

Are you able to tell when the backdoor was created, or is there a way I can check? I think my email is the only password I have entered in the past day or two, so hopefully that will be the only thing that is potentially compromised, and I will change that password later today at another computer.

In the meantime I will try to remove the backdoor. I won't have an opportunity to reinstall my OS for a few days but I will likely end up doing that to be sure. I have partitions and a second hard drive for most of my data so reinstalling the OS should be relatively painless. I am assuming the backdoor would only require a format of C: and not my other drives - is that correct?

I will run TDSSKiller now and report back after it finishes.

Thanks again.



2010/10/29 06:52:28.0265 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49

2010/10/29 06:52:28.0265 ================================================================================

2010/10/29 06:52:28.0265 SystemInfo:

2010/10/29 06:52:28.0265

2010/10/29 06:52:28.0265 OS Version: 5.1.2600 ServicePack: 2.0

2010/10/29 06:52:28.0265 Product type: Workstation

2010/10/29 06:52:28.0265 ComputerName: JS

2010/10/29 06:52:28.0265 UserName: Justin

2010/10/29 06:52:28.0265 Windows directory: C:\WINDOWS

2010/10/29 06:52:28.0265 System windows directory: C:\WINDOWS

2010/10/29 06:52:28.0265 Processor architecture: Intel x86

2010/10/29 06:52:28.0265 Number of processors: 1

2010/10/29 06:52:28.0265 Page size: 0x1000

2010/10/29 06:52:28.0265 Boot type: Normal boot

2010/10/29 06:52:28.0265 ================================================================================

2010/10/29 06:52:28.0515 Initialize success

2010/10/29 06:52:41.0562 ================================================================================

2010/10/29 06:52:41.0562 Scan started

2010/10/29 06:52:41.0562 Mode: Manual;

2010/10/29 06:52:41.0562 ================================================================================

2010/10/29 06:52:42.0328 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/10/29 06:52:42.0390 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/10/29 06:52:42.0500 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2010/10/29 06:52:42.0578 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

2010/10/29 06:52:42.0906 ALCXWDM (c881453898eec64027274ebb3c8cbc0f) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/10/29 06:52:43.0125 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2010/10/29 06:52:43.0343 AsIO (19a1dac5bc607c212e8a94c05886ed52) C:\WINDOWS\system32\drivers\AsIO.sys

2010/10/29 06:52:43.0421 Aspi32 (20d04091eba710f6988f710507d85868) C:\WINDOWS\system32\drivers\Aspi32.sys

2010/10/29 06:52:43.0484 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/10/29 06:52:43.0546 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/10/29 06:52:43.0828 ati2mtag (e7426973d081b6607056d1dd91bd9b01) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/10/29 06:52:44.0046 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/10/29 06:52:44.0140 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/10/29 06:52:44.0218 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys

2010/10/29 06:52:44.0265 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys

2010/10/29 06:52:44.0343 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys

2010/10/29 06:52:44.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/10/29 06:52:44.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/10/29 06:52:44.0640 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/10/29 06:52:44.0703 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/10/29 06:52:44.0765 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/10/29 06:52:45.0062 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys

2010/10/29 06:52:45.0156 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/10/29 06:52:45.0359 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2010/10/29 06:52:45.0437 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2010/10/29 06:52:45.0484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/10/29 06:52:45.0546 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2010/10/29 06:52:45.0640 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/10/29 06:52:45.0703 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/10/29 06:52:45.0750 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/10/29 06:52:45.0828 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2010/10/29 06:52:45.0875 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/10/29 06:52:45.0921 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/10/29 06:52:45.0984 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/10/29 06:52:46.0046 Ftdisk (c46679a9e7b1f7f716fe89bdbe7d3c6f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/29 06:52:46.0046 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: c46679a9e7b1f7f716fe89bdbe7d3c6f, Fake md5: 94e2a29ee3329fc07d54e405fae449d7

2010/10/29 06:52:46.0062 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/10/29 06:52:46.0125 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys

2010/10/29 06:52:46.0187 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/10/29 06:52:46.0265 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/10/29 06:52:46.0406 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/10/29 06:52:46.0546 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys

2010/10/29 06:52:46.0609 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/10/29 06:52:46.0671 InCDfs (b02a8a25192ee1c5e653628637ab6aaa) C:\WINDOWS\system32\drivers\InCDFs.sys

2010/10/29 06:52:46.0734 InCDPass (b49bd5b663e1af9bf3233b782b70d865) C:\WINDOWS\system32\drivers\InCDPass.sys

2010/10/29 06:52:46.0765 InCDrec (8fd364edbd97983575cee3e8909e62b4) C:\WINDOWS\system32\drivers\InCDrec.sys

2010/10/29 06:52:46.0796 incdrm (fc04e827133d54ab79ca254708f76cd0) C:\WINDOWS\system32\drivers\InCDRm.sys

2010/10/29 06:52:46.0937 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/10/29 06:52:46.0984 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/10/29 06:52:47.0046 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/10/29 06:52:47.0109 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/10/29 06:52:47.0140 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/10/29 06:52:47.0187 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/10/29 06:52:47.0250 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/10/29 06:52:47.0296 itchfltr (51205dab5a3671d3e805f4981aa758b6) C:\WINDOWS\system32\Drivers\itchfltr.sys

2010/10/29 06:52:47.0343 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/10/29 06:52:47.0375 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/10/29 06:52:47.0437 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2010/10/29 06:52:47.0484 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/10/29 06:52:47.0546 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/10/29 06:52:47.0609 LBeepKE (ca63fe81705ad660e482bef210bf2c73) C:\WINDOWS\system32\Drivers\LBeepKE.sys

2010/10/29 06:52:47.0687 LCcfltr (257bfe68ca434393d6e7ae3c959a7d49) C:\WINDOWS\system32\drivers\lccfltr.sys

2010/10/29 06:52:47.0734 LEqdUsb (ed8f9311cae12c41a58dae2ea6d6c849) C:\WINDOWS\system32\Drivers\LEqdUsb.Sys

2010/10/29 06:52:47.0812 LHidEqd (9943f10c60eaf714c7010b37025a5ac5) C:\WINDOWS\system32\Drivers\LHidEqd.Sys

2010/10/29 06:52:47.0875 LHidFilt (b68309f25c5787385da842eb5b496958) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

2010/10/29 06:52:47.0921 LHidFlt2 (743f9e7421f347b9865c48f5ceff4550) C:\WINDOWS\system32\DRIVERS\LHidFlt2.sys

2010/10/29 06:52:47.0953 LHidUsb (dcbbf543f54debc96de7604f724da4ef) C:\WINDOWS\system32\drivers\lhidusb.sys

2010/10/29 06:52:48.0015 LKbdFlt2 (74ab237c1106216814c5052481a990d5) C:\WINDOWS\system32\DRIVERS\LKbdFlt2.sys

2010/10/29 06:52:48.0062 LMouFilt (63d3b1d3cd267fcc186a0146b80d453b) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

2010/10/29 06:52:48.0109 LMouFlt2 (90bfbcf6ef78e59466b8fb7d3b012688) C:\WINDOWS\system32\DRIVERS\LMouFlt2.sys

2010/10/29 06:52:48.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/10/29 06:52:48.0234 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2010/10/29 06:52:48.0296 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/10/29 06:52:48.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/10/29 06:52:48.0375 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/10/29 06:52:48.0453 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/10/29 06:52:48.0515 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/10/29 06:52:48.0593 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2010/10/29 06:52:48.0640 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/10/29 06:52:48.0671 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/10/29 06:52:48.0703 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/10/29 06:52:48.0750 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/10/29 06:52:48.0812 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys

2010/10/29 06:52:48.0843 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys

2010/10/29 06:52:48.0890 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2010/10/29 06:52:48.0937 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2010/10/29 06:52:49.0000 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/10/29 06:52:49.0062 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/10/29 06:52:49.0109 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/10/29 06:52:49.0187 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/10/29 06:52:49.0234 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/10/29 06:52:49.0281 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/10/29 06:52:49.0343 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2010/10/29 06:52:49.0421 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/10/29 06:52:49.0484 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/10/29 06:52:49.0875 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/10/29 06:52:50.0187 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys

2010/10/29 06:52:50.0234 NVENETFD (720cc533eecb65553bd86b139ca04433) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

2010/10/29 06:52:50.0265 nvnetbus (5f9f545cc5904dd8765f84ee1d056406) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

2010/10/29 06:52:50.0312 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/10/29 06:52:50.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/10/29 06:52:50.0406 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/10/29 06:52:50.0453 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/10/29 06:52:50.0484 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/10/29 06:52:50.0531 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/10/29 06:52:50.0593 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/10/29 06:52:50.0625 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/10/29 06:52:50.0843 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/10/29 06:52:50.0875 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

2010/10/29 06:52:50.0906 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/10/29 06:52:50.0937 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/10/29 06:52:50.0968 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/10/29 06:52:51.0171 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/10/29 06:52:51.0203 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/10/29 06:52:51.0250 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/10/29 06:52:51.0281 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/10/29 06:52:51.0328 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/10/29 06:52:51.0359 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/10/29 06:52:51.0406 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/10/29 06:52:51.0468 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/10/29 06:52:51.0515 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/10/29 06:52:51.0609 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

2010/10/29 06:52:51.0656 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2010/10/29 06:52:51.0718 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/10/29 06:52:51.0765 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/10/29 06:52:51.0796 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/10/29 06:52:51.0843 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/10/29 06:52:51.0984 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2010/10/29 06:52:52.0046 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/10/29 06:52:52.0140 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/10/29 06:52:52.0250 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/10/29 06:52:52.0312 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2010/10/29 06:52:52.0500 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/10/29 06:52:52.0562 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/10/29 06:52:52.0625 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/10/29 06:52:52.0671 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/10/29 06:52:52.0718 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/10/29 06:52:52.0812 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2010/10/29 06:52:52.0890 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

2010/10/29 06:52:52.0953 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/10/29 06:52:53.0015 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/10/29 06:52:53.0062 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/10/29 06:52:53.0125 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2010/10/29 06:52:53.0203 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/10/29 06:52:53.0265 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/10/29 06:52:53.0312 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/10/29 06:52:53.0375 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2010/10/29 06:52:53.0453 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/10/29 06:52:53.0500 w300bus (d4baa1ac8dcea1382e81aa6fe48cdd7c) C:\WINDOWS\system32\DRIVERS\w300bus.sys

2010/10/29 06:52:53.0562 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/10/29 06:52:53.0625 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2010/10/29 06:52:53.0718 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys

2010/10/29 06:52:53.0843 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/10/29 06:52:54.0109 ================================================================================

2010/10/29 06:52:54.0109 Scan finished

2010/10/29 06:52:54.0109 ================================================================================

2010/10/29 06:52:54.0125 Detected object count: 1

2010/10/29 06:53:15.0546 Ftdisk (c46679a9e7b1f7f716fe89bdbe7d3c6f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/10/29 06:53:15.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. Real md5: c46679a9e7b1f7f716fe89bdbe7d3c6f, Fake md5: 94e2a29ee3329fc07d54e405fae449d7

2010/10/29 06:53:16.0890 Backup copy found, using it..

2010/10/29 06:53:16.0890 C:\WINDOWS\system32\DRIVERS\ftdisk.sys - will be cured after reboot

2010/10/29 06:53:16.0890 Rootkit.Win32.TDSS.tdl3(Ftdisk) - User select action: Cure

2010/10/29 06:53:31.0968 Deinitialize success


Hi Elise,

There was a redirect when I tried to go to the Combofix URL to re-download. I had a local copy though so I used that. After running Combofix I tried the URL again and there was no redirect any longer.

You may have missed my reply above the TDSSKiller log, but is there a way you can tell when the backdoor was installed? Just trying to narrow down how far back I should go for password changes, etc. Also, if I choose to reinstall my OS, is it necessary to format my other drives, or just C: where my OS and programs are installed?

My Combofix log is below. I am off to work now so won't be able to run anything else until I return.

Thanks again for your help so far!

ComboFix 10-10-27.A3 - Justin 10/29/2010 7:15.5.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.497 [GMT -7:00]

Running from: c:\documents and settings\Justin\Desktop\CoboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Documents\Server\admin.txt

c:\documents and settings\Justin\Application Data\avdrn.dat

c:\documents and settings\Justin\Application Data\Start Menu\Programs\Startup\logtec32.exe

c:\windows\ExplorerSrv.exe

c:\windows\system32\dmlconf.dat

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - c:\windows\ERDNT\cache\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-29 )))))))))))))))))))))))))))))))

.

2010-10-29 02:59 . 2010-10-29 02:59 425984 ----a-w- c:\program files\Windows Media Player\npdsplay.dll

2010-10-29 02:59 . 2010-10-29 02:59 880640 ----a-w- c:\program files\Windows Media Player\wmsetsdk.exe

2010-10-29 02:56 . 2010-10-29 02:56 311296 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll

2010-10-29 02:56 . 2010-10-29 02:56 192512 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

2010-10-29 02:56 . 2010-10-29 02:56 110592 ----a-w- c:\program files\Mozilla Firefox\plugins\np32dsw.dll

2010-10-28 07:30 . 2010-10-29 06:21 -------- d-----w- c:\program files\tmp

2010-10-28 06:24 . 2010-10-28 06:24 -------- d-----w- c:\program files\MultiRes

2010-10-28 06:23 . 2010-10-28 06:23 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe

2010-10-28 06:23 . 2010-10-28 06:23 -------- d-----w- c:\program files\Radeon Omega Drivers

2010-10-18 05:58 . 2010-10-18 05:58 0 ----a-w- c:\windows\ativpsrm.bin

2010-10-13 06:43 . 2010-10-13 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2010-10-13 06:43 . 2010-10-13 06:43 -------- d-----w- c:\program files\NVIDIA Corporation

2010-09-30 02:03 . 2010-09-30 02:03 -------- d-----w- c:\documents and settings\Justin\Application Data\Leadertech

2010-09-30 02:03 . 2010-09-30 02:03 53248 ----a-r- c:\documents and settings\Justin\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2010-09-30 02:03 . 2010-09-30 02:03 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2010-09-30 02:03 . 2008-11-08 01:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2010-09-30 02:01 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys

2010-09-30 02:00 . 2010-09-30 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd

2010-09-30 02:00 . 2010-09-30 02:03 -------- d-----w- c:\program files\Common Files\LogiShrd

2010-09-30 02:00 . 2010-09-30 02:07 -------- d-----w- c:\documents and settings\Justin\Application Data\Logitech

2010-09-30 02:00 . 2010-09-30 02:00 -------- d-----w- c:\documents and settings\Justin\Application Data\Logishrd

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-29 13:54 . 2001-08-23 15:00 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys

2010-08-04 09:20 . 2006-09-29 20:56 5243392 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2010-08-04 08:59 . 2010-08-04 08:59 53248 ----a-w- c:\windows\system32\aticalrt.dll

2010-08-04 08:59 . 2010-08-04 08:59 53248 ----a-w- c:\windows\system32\aticalcl.dll

2010-08-04 08:57 . 2010-08-04 08:57 4358144 ----a-w- c:\windows\system32\aticaldd.dll

2010-08-04 08:53 . 2010-08-04 08:53 15900672 ----a-w- c:\windows\system32\atioglxx.dll

2010-08-04 08:47 . 2010-08-04 08:47 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2010-08-04 08:47 . 2010-08-04 08:47 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll

2010-08-04 08:46 . 2006-09-29 20:56 300544 ----a-w- c:\windows\system32\ati2dvag.dll

2010-08-04 08:41 . 2006-09-29 21:25 3901280 ----a-w- c:\windows\system32\ati3duag.dll

2010-08-04 08:31 . 2010-08-04 08:31 208896 ----a-w- c:\windows\system32\atipdlxx.dll

2010-08-04 08:31 . 2010-08-04 08:31 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2010-08-04 08:30 . 2010-08-04 08:30 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2010-08-04 08:30 . 2010-08-04 08:30 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2010-08-04 08:30 . 2010-08-04 08:30 159744 ----a-w- c:\windows\system32\ati2evxx.dll

2010-08-04 08:29 . 2010-08-04 08:29 606208 ----a-w- c:\windows\system32\ati2evxx.exe

2010-08-04 08:28 . 2010-08-04 08:28 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2010-08-04 08:28 . 2006-09-29 21:25 2537728 ----a-w- c:\windows\system32\ativvaxx.dll

2010-08-04 08:27 . 2010-08-04 08:27 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2010-08-04 08:24 . 2010-08-04 08:24 610304 ----a-w- c:\windows\system32\atikvmag.dll

2010-08-04 08:23 . 2010-08-04 08:23 393216 ----a-w- c:\windows\system32\atiok3x2.dll

2010-08-04 08:22 . 2010-08-04 08:22 188416 ----a-w- c:\windows\system32\atiadlxx.dll

2010-08-04 08:22 . 2010-08-04 08:22 17408 ----a-w- c:\windows\system32\atitvo32.dll

2010-08-04 08:16 . 2006-09-29 21:25 700416 ----a-w- c:\windows\system32\ati2cqag.dll

2010-08-04 08:15 . 2010-08-04 08:15 65024 ----a-w- c:\windows\system32\atimpc32.dll

2010-08-04 08:15 . 2010-08-04 08:15 65024 ----a-w- c:\windows\system32\amdpcom32.dll

2010-08-04 08:14 . 2010-08-04 08:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-10-29_02.40.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-09-29 20:55 . 2007-06-13 11:26 1033216 c:\windows\explorer.exe

- 2006-09-29 20:55 . 2007-06-13 10:23 1033216 c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-09-03 536576]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 16:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"18564:TCP"= 18564:TCP:BitComet 18564 TCP

"18564:UDP"= 18564:UDP:BitComet 18564 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2010 11:13 PM 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:41 PM 216400]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2008 8:41 PM 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:49 AM 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:50 AM 308136]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/29/2010 7:01 PM 10448]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 2:01 AM 40912]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 2:01 AM 10448]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-29 07:22

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-10-29 07:25:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-29 14:25

ComboFix2.txt 2010-10-29 02:43

ComboFix3.txt 2010-10-08 04:25

ComboFix4.txt 2010-10-03 11:49

ComboFix5.txt 2010-10-29 14:15

Pre-Run: 17,747,333,120 bytes free

Post-Run: 17,718,370,304 bytes free

- - End Of File - - 193B7282942A61CB3982A83B7881FDC5

That did the trick. :) Please redownload Combofix and rerun it. Post me the new log.

How are things running now?

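The logs in this thread are read by eye: TDSSKiller's "Suspicious file (Forged)" line with its two MD5s, the extra entry in the Winlogon Userinit value, and (in the later ComboFix log) the ".. failed to delete" replicator chains such as NBHGuiSrvSrvSrv.exe. As an added example that is not part of this thread and is not code from TDSSKiller or ComboFix, the following Python script pulls those three indicator types out of log lines. The sample lines are constructed input copied from the logs posted here, and the function names are my own.

```python
"""Triage helper for TDSSKiller / ComboFix logs: pull out the indicators worth acting on."""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the logs quoted in this thread.
TDSSKILLER_LINES = [
    r"2010/10/29 06:52:46.0046 Ftdisk (c46679a9e7b1f7f716fe89bdbe7d3c6f) C:\WINDOWS\system32\DRIVERS\ftdisk.sys",
    r"2010/10/29 06:52:46.0046 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftdisk.sys. "
    r"Real md5: c46679a9e7b1f7f716fe89bdbe7d3c6f, Fake md5: 94e2a29ee3329fc07d54e405fae449d7",
    r"2010/10/29 06:52:46.0062 Ftdisk - detected Rootkit.Win32.TDSS.tdl3 (0)",
    r"2010/10/29 06:52:46.0125 gameenum (5f92fd09e5610a5995da7d775eadcd12) C:\WINDOWS\system32\DRIVERS\gameenum.sys",
]
COMBOFIX_USERINIT = r'"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"'
COMBOFIX_FAILED = [
    r"c:\program files\Microsoft\WaterMark.exe .. failed to delete",
    r"c:\program files\Nero\Nero 7\InCD\InCDsrvSrv.exe .. failed to delete",
    r"c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrv.exe .. failed to delete",
    r"c:\program files\Nero\Nero 7\InCD\NBHGuiSrv.exe .. failed to delete",
    r"c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrv.exe .. failed to delete",
    r"c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrv.exe .. failed to delete",
]

FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
DETECTED_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \S+ (?P<svc>\S+) - detected (?P<name>\S+)")
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>.*)"$')
FAILED_RE = re.compile(r"^(?P<path>.+?) \.\. failed to delete$")


def tdsskiller_findings(lines):
    """Return ({path: (real_md5, fake_md5)}, {service: detection}) from TDSSKiller output.

    On a clean machine the two hashes TDSSKiller prints for a driver are identical;
    a mismatch is how it flags a file whose real contents are being hidden from
    ordinary reads, which is exactly what the ftdisk.sys line above shows.
    """
    forged, detected = {}, {}
    for line in lines:
        m = FORGED_RE.search(line)
        if m and m["real"] != m["fake"]:
            forged[m["path"]] = (m["real"], m["fake"])
        m = DETECTED_RE.match(line)
        if m:
            detected[m["svc"]] = m["name"]
    return forged, detected


def userinit_extras(line):
    """Return every entry in the Winlogon Userinit value other than the stock userinit.exe.

    Windows runs each comma-separated entry at logon, so any extra path here
    (watermark.exe in the log above) is a persistence hook, not a Windows default.
    """
    m = USERINIT_RE.match(line)
    value = m["value"] if m else line
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def failed_deletions(lines):
    """Paths ComboFix reported as '.. failed to delete'."""
    return [m["path"] for m in map(FAILED_RE.match, lines) if m]


def replicator_chains(paths, token="Srv"):
    """Group files whose names are one base plus the same token repeated (NBHGuiSrvSrvSrv.exe).

    Returns {base_path_without_extension: number_of_replicas}. A file with no
    repeated token (WaterMark.exe) is not part of a chain and is left out.
    """
    chains = defaultdict(int)
    for path in paths:
        stem = path.rpartition(".")[0] or path  # drop the extension
        depth = 0
        while stem.endswith(token):
            stem = stem[: -len(token)]
            depth += 1
        if depth:
            chains[stem] += 1
    return dict(chains)


def triage():
    """Run all three checks over the constructed samples and return one report dict."""
    forged, detected = tdsskiller_findings(TDSSKILLER_LINES)
    return {
        "forged_drivers": forged,
        "rootkit_detections": detected,
        "userinit_extras": userinit_extras(COMBOFIX_USERINIT),
        "replicator_chains": replicator_chains(failed_deletions(COMBOFIX_FAILED)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The replicator check is deliberately generic: it only needs the repeated suffix, so it would also catch the InCDsrvSrv chain in the same log and any other base name the same infector picks. Feed it the full "File Replicators" section and the report gives one line per infected program rather than dozens of paths.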

You may have missed my reply above the TDSSKiller log, but is there a way you can tell when the backdoor was installed? Just trying to narrow down how far back I should go for password changes, etc. Also, if I choose to reinstall my OS, is it necessary to format my other drives, or just C: where my OS and programs are installed?
You had multiple infections on this computer, so it is difficult to say, but generally speaking, for as long as you had the redirect problems.

A reformat of the system drive is the best thing, no need to reformat other drives, however, you should make sure they do not contain other malware.

Can you try now to download a new copy of combofix and run it? I see some evidence of new malware and combofix has been updated in the mean time.


Thanks again for your help so far. I downloaded a new copy of Combofix and ran it. Here is the log:

ComboFix 10-10-28.09 - Justin 10/29/2010 17:00:36.6.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.500 [GMT -7:00]

Running from: c:\documents and settings\Justin\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Justin\Application Data\avdrn.dat

c:\documents and settings\Justin\Application Data\Start Menu\Programs\Startup\logtec32.exe

c:\program files\microsoft\watermark.exe

c:\program files\Xvid\StatsReader.exe

c:\windows\system32\dmlconf.dat

----- File Replicators -----

c:\program files\Microsoft\WaterMark.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\InCDsrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe .. failed to delete

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrvSrv.exe

c:\system volume information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1\A0000178.exe

c:\system volume information\_restore{009115BA-081F-47FE-BFD4-EA3B22D01B23}\RP1\A0000187.exe

.

.

((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-30 )))))))))))))))))))))))))))))))

.

2010-10-29 02:59 . 2010-10-29 02:59 425984 ----a-w- c:\program files\Windows Media Player\npdsplay.dll

2010-10-29 02:59 . 2010-10-29 02:59 880640 ----a-w- c:\program files\Windows Media Player\wmsetsdk.exe

2010-10-29 02:56 . 2010-10-29 02:56 311296 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll

2010-10-29 02:56 . 2010-10-29 02:56 192512 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

2010-10-29 02:56 . 2010-10-29 02:56 110592 ----a-w- c:\program files\Mozilla Firefox\plugins\np32dsw.dll

2010-10-28 07:30 . 2010-10-29 23:53 -------- d-----w- c:\program files\tmp

2010-10-28 06:24 . 2010-10-28 06:24 -------- d-----w- c:\program files\MultiRes

2010-10-28 06:23 . 2010-10-28 06:23 472576 ----a-w- c:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe

2010-10-28 06:23 . 2010-10-28 06:23 -------- d-----w- c:\program files\Radeon Omega Drivers

2010-10-18 05:58 . 2010-10-18 05:58 0 ----a-w- c:\windows\ativpsrm.bin

2010-10-13 06:43 . 2010-10-13 06:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation

2010-10-13 06:43 . 2010-10-13 06:43 -------- d-----w- c:\program files\NVIDIA Corporation

2010-09-30 02:03 . 2010-09-30 02:03 -------- d-----w- c:\documents and settings\Justin\Application Data\Leadertech

2010-09-30 02:03 . 2010-09-30 02:03 53248 ----a-r- c:\documents and settings\Justin\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe

2010-09-30 02:03 . 2010-09-30 02:03 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys

2010-09-30 02:03 . 2008-11-08 01:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll

2010-09-30 02:01 . 2010-03-18 09:01 10448 ----a-w- c:\windows\system32\drivers\LBeepKE.sys

2010-09-30 02:00 . 2010-09-30 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd

2010-09-30 02:00 . 2010-09-30 02:03 -------- d-----w- c:\program files\Common Files\LogiShrd

2010-09-30 02:00 . 2010-09-30 02:07 -------- d-----w- c:\documents and settings\Justin\Application Data\Logitech

2010-09-30 02:00 . 2010-09-30 02:00 -------- d-----w- c:\documents and settings\Justin\Application Data\Logishrd

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-10-29 13:54 . 2001-08-23 15:00 125056 ----a-w- c:\windows\system32\drivers\ftdisk.sys

2010-08-04 09:20 . 2006-09-29 20:56 5243392 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2010-08-04 08:59 . 2010-08-04 08:59 53248 ----a-w- c:\windows\system32\aticalrt.dll

2010-08-04 08:59 . 2010-08-04 08:59 53248 ----a-w- c:\windows\system32\aticalcl.dll

2010-08-04 08:57 . 2010-08-04 08:57 4358144 ----a-w- c:\windows\system32\aticaldd.dll

2010-08-04 08:53 . 2010-08-04 08:53 15900672 ----a-w- c:\windows\system32\atioglxx.dll

2010-08-04 08:47 . 2010-08-04 08:47 311296 ----a-w- c:\windows\system32\atiiiexx.dll

2010-08-04 08:47 . 2010-08-04 08:47 450560 ----a-w- c:\windows\system32\ATIDEMGX.dll

2010-08-04 08:46 . 2006-09-29 20:56 300544 ----a-w- c:\windows\system32\ati2dvag.dll

2010-08-04 08:41 . 2006-09-29 21:25 3901280 ----a-w- c:\windows\system32\ati3duag.dll

2010-08-04 08:31 . 2010-08-04 08:31 208896 ----a-w- c:\windows\system32\atipdlxx.dll

2010-08-04 08:31 . 2010-08-04 08:31 155648 ----a-w- c:\windows\system32\Oemdspif.dll

2010-08-04 08:30 . 2010-08-04 08:30 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe

2010-08-04 08:30 . 2010-08-04 08:30 43520 ----a-w- c:\windows\system32\ati2edxx.dll

2010-08-04 08:30 . 2010-08-04 08:30 159744 ----a-w- c:\windows\system32\ati2evxx.dll

2010-08-04 08:29 . 2010-08-04 08:29 606208 ----a-w- c:\windows\system32\ati2evxx.exe

2010-08-04 08:28 . 2010-08-04 08:28 53248 ----a-w- c:\windows\system32\ATIDDC.DLL

2010-08-04 08:28 . 2006-09-29 21:25 2537728 ----a-w- c:\windows\system32\ativvaxx.dll

2010-08-04 08:27 . 2010-08-04 08:27 143360 ----a-w- c:\windows\system32\atiapfxx.exe

2010-08-04 08:24 . 2010-08-04 08:24 610304 ----a-w- c:\windows\system32\atikvmag.dll

2010-08-04 08:23 . 2010-08-04 08:23 393216 ----a-w- c:\windows\system32\atiok3x2.dll

2010-08-04 08:22 . 2010-08-04 08:22 188416 ----a-w- c:\windows\system32\atiadlxx.dll

2010-08-04 08:22 . 2010-08-04 08:22 17408 ----a-w- c:\windows\system32\atitvo32.dll

2010-08-04 08:16 . 2006-09-29 21:25 700416 ----a-w- c:\windows\system32\ati2cqag.dll

2010-08-04 08:15 . 2010-08-04 08:15 65024 ----a-w- c:\windows\system32\atimpc32.dll

2010-08-04 08:15 . 2010-08-04 08:15 65024 ----a-w- c:\windows\system32\amdpcom32.dll

2010-08-04 08:14 . 2010-08-04 08:14 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll

.

((((((((((((((((((((((((((((( SnapShot_2010-10-29_02.40.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-09-29 20:55 . 2007-06-13 11:26 1033216 c:\windows\explorer.exe

- 2006-09-29 20:55 . 2007-06-13 10:23 1033216 c:\windows\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-07-22 577602]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-09-03 536576]

"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-07-15 16:50 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\utorrent\\utorrent.exe"=

"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"18564:TCP"= 18564:TCP:BitComet 18564 TCP

"18564:UDP"= 18564:UDP:BitComet 18564 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2010 11:13 PM 64288]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2008 8:41 PM 216400]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2008 8:41 PM 243024]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 9:49 AM 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:50 AM 308136]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1352832]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [9/29/2010 7:01 PM 10448]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [3/18/2010 2:01 AM 40912]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [3/18/2010 2:01 AM 10448]

S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-10-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 05:13]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.ca/

uInternet Connection Wizard,ShellNext = iexplore

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\615a0a7p.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?complete=0

FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Justin\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Veetle\Player\npvlc.dll

FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-10-29 17:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Nero\Nero 7\InCD\InCDsrv.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\windows\System32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

.

**************************************************************************

.

Completion time: 2010-10-29 17:45:23 - machine was rebooted

ComboFix-quarantined-files.txt 2010-10-30 00:45

ComboFix2.txt 2010-10-29 14:25

ComboFix3.txt 2010-10-29 02:43

ComboFix4.txt 2010-10-08 04:25

ComboFix5.txt 2010-10-29 23:55

Pre-Run: 16,674,344,960 bytes free

Post-Run: 16,674,598,912 bytes free

- - End Of File - - 06B9CA8500AA54DCC3D1B028F45FF3C4

You had multiple infections on this computer, so it is difficult to say, but generally speaking, as long as you had the redirect problems.

A reformat of the system drive is the best thing, no need to reformat other drives, however, you should make sure they do not contain other malware.

Can you try now to download a new copy of combofix and run it? I see some evidence of new malware and combofix has been updated in the meantime.


Unfortunately this changes my advice regarding other drives a bit.

I'm afraid I have very bad news.

Win32/Ramnit.A / Win32/Ramnit.B are file infectors with IRCBot functionality which infect .exe and .HTML/HTM files, and open a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a sm

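Two of the Ramnit artefacts in the ComboFix log above can be pulled out of the log mechanically: the Winlogon Userinit value that launches watermark.exe next to userinit.exe, and the chain of companion files named NBHGuiSrv.exe, NBHGuiSrvSrv.exe and so on beside the legitimate NBHGui.exe and InCDsrv.exe. The following Python script is an added example written for this thread, not a ComboFix, AVG or Malwarebytes tool; its sample log lines are constructed in the log's format and are not the full log.

```python
"""Triage helper for ComboFix-style log lines (added example, not a
ComboFix, AVG or Malwarebytes tool).

It reports two Ramnit indicators seen in the log above:
  1. a Winlogon "Userinit" value that starts something besides userinit.exe
     (here watermark.exe), and
  2. companion executables named <original>Srv.exe, <original>SrvSrv.exe ...
     next to a legitimate program (NBHGui.exe, InCDsrv.exe).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample, modelled on the ComboFix log format above; not the full log.
SAMPLE_LOG = r"""
c:\program files\Microsoft\WaterMark.exe .. failed to delete
c:\program files\Nero\Nero 7\InCD\InCDsrvSrv.exe .. failed to delete
c:\program files\Nero\Nero 7\InCD\InCDsrvSrvSrv.exe .. failed to delete
c:\program files\Nero\Nero 7\InCD\NBHGuiSrv.exe .. failed to delete
c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrv.exe
c:\program files\Nero\Nero 7\InCD\NBHGuiSrvSrvSrv.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"""

# "Userinit"="<comma-separated programs>" as ComboFix prints the Winlogon value.
USERINIT_RE = re.compile(r'^"Userinit"="(?P<value>[^"]*)"', re.IGNORECASE)
# A deletion-section line: a full path, optionally followed by ".. failed to delete".
DELETION_RE = re.compile(
    r'^(?P<path>[a-z]:\\.+?\.exe)(?P<failed>\s+\.\.\s+failed to delete)?\s*$',
    re.IGNORECASE,
)
# Companion name = original stem + one or more literal "Srv". Case-sensitive on
# purpose: InCDsrvSrv.exe must resolve to InCDsrv.exe, not to InCD.exe.
COMPANION_RE = re.compile(r"^(?P<stem>.+?)(?P<srv>(?:Srv)+)$")

LEGIT_USERINIT = "userinit.exe"


def userinit_extras(value):
    """Return every program in a Userinit value other than userinit.exe.

    A clean XP value is "c:\\windows\\system32\\userinit.exe," (trailing comma);
    anything appended after it is started by Winlogon at every logon.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries
            if PureWindowsPath(e).name.lower() != LEGIT_USERINIT]


def companion_files(paths):
    """Group Srv-suffixed companion files by the executable they shadow.

    Returns {original_path: sorted Srv-suffix counts}, so NBHGuiSrv.exe and
    NBHGuiSrvSrv.exe become {"...\\InCD\\NBHGui.exe": [1, 2]}.
    """
    found = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        m = COMPANION_RE.match(wp.stem)
        if not m:
            continue
        depth = len(m.group("srv")) // 3
        original = str(wp.with_name(m.group("stem") + wp.suffix))
        found[original].append(depth)
    return {k: sorted(v) for k, v in found.items()}


def triage(log_text):
    """Scan ComboFix-style lines and collect both indicators plus the paths
    ComboFix reported it could not delete (the reinfection candidates)."""
    extras, paths, failed = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            extras.extend(userinit_extras(m.group("value")))
            continue
        m = DELETION_RE.match(line)
        if m:
            paths.append(m.group("path"))
            if m.group("failed"):
                failed.append(m.group("path"))
    return {
        "userinit_extra": extras,
        "companions": companion_files(paths),
        "failed_to_delete": failed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for prog in report["userinit_extra"]:
        print("Userinit launches extra program:", prog)
    for original, depths in report["companions"].items():
        print(f"{original}: {len(depths)} Srv companion(s), deepest {max(depths)}")
    print("could not be deleted:", len(report["failed_to_delete"]))
```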

Hi Elise,

Unfortunately I think you are spot on with your diagnosis as I have had hundreds if not thousands of files detected as infected by AVG (many html, exe and dll), and many programs on my computer have become unstable or won't open.

When you say "Unfortunately this changes my advice regarding other drives a bit", does that mean I should format ALL of my drives? I have 2 physical hard drives. Here is my current structure:

Hard drive 1: C partition, D partition

Hard drive 2: E

C: is where I have installed my OS and all programs. D and E only contain personal files. Mostly video, music, and photos, but also some other documents such as Word, Excel, txt, etc. However, all of my programs and drivers, etc. are installed on C.

If I reformat C: and reinstall my OS do you think that will be sufficient? Also, I have been getting ready to do this by backing up files that were on C. Is there anything I should do while backing up to DVDR to ensure I am not backing up infected files?


If I reformat C: and reinstall my OS do you think that will be sufficient? Also, I have been getting ready to do this by backing up files that were on C. Is there anything I should do while backing up to DVDR to ensure I am not backing up infected files?
This infection has an autorun feature as a component. Most likely your other drive will reinfect your C drive after the first restart of Windows.

This infection needs only one overlooked file in order to reinfect everything. For that reason, be extremely careful what you backup and scan everything before putting anything back.


I have a new hard drive which I am going to use to install my OS. Once I install the OS on the new drive, I would like to transfer the files that I know are OK (avi, mp3, jpg, etc that are all scanned) to the new drive on a separate partition. The files are going to be coming from my current E drive which is the drive that only had data before - no OS or program files. The E drive did have some infected HTML files, but I quarantined those and won't be transferring them.

Is it going to be safe to transfer the clean files or do you think the autorun component will infect the clean drive even if I don't transfer any infected files?


Hi Elise,

I downloaded the program and it looks like it is just for disabling auto run from USB keys or CD/DVD drives. Because I have a lot of data, I would prefer to back up directly from my old hard drive to my new one, and not via USB/DVD. Unless I am misunderstanding, I don't think this program disables any autorun components located on a hard disk.

Assuming I am very careful not to transfer any infected files, will I be safe to transfer data directly from the old hard drive to the new one? In other words, aside from the direct transfer of an infected file is there another way that my new drive could become infected?

Thanks again.

I recommend using Panda USB Vaccine in order to be protected from the autorun components. This is a free tool that prevents autorun malware from doing its job. This one works also on NTFS volumes.

Hi, this tool ought to work also for NTFS drives, that is why I recommended it. :D

By creating that folder, it overwrites autorun malware and it prevents it from being able to create an autorun.inf folder on other drives and thus spreading itself.

If autorun is disabled and the files are clean, you should be okay.


Hi, I think Panda will just work for an NTFS drive if it is connected via USB - it didn't create anything on my hard drives because they are all SATA. I found another program called Flash Disinfector though, and it created autorun.inf folders for me on the hard disks. I also found a registry key to disable autorun on my system.

Thanks again for your help! After I reinstall my OS, would you be willing to take a look to see if I am clean? If so, what log(s) would be best to post?

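The vaccine discussed in the last few posts (Panda USB Vaccine, Flash Disinfector) works by occupying the name autorun.inf at the root of each drive with a folder, so a worm cannot write an autorun.inf file there. The Python script below is an added example for this thread, not code from either tool or from Malwarebytes: it classifies a drive root as unprotected, vaccinated, or carrying an autorun.inf file with a launch directive, and creates the blocking folder only where the name is still free. The worm-style autorun.inf text and the temporary directories standing in for drive roots are constructed for the demo.

```python
"""Drive-root autorun check (added example for this thread; not code from
Panda USB Vaccine, Flash Disinfector or Malwarebytes).

Reports each root as unprotected / vaccinated / suspicious, lists the launch
directives of any autorun.inf *file* it finds, and creates the blocking
autorun.inf *folder* only where nothing sits at that name. Deletes nothing.
"""
import tempfile
from pathlib import Path

# [autorun] directives that start a program when the volume is mounted.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample of a worm-style autorun.inf; the dropper path is a placeholder.
SAMPLE_MALICIOUS_INF = (
    "[AutoRun]\n"
    "open=RECYCLER\\example-dropper.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
    "action=Open folder to view files\n"
    "shell\\open\\command=RECYCLER\\example-dropper.exe\n"
)


def autorun_launch_targets(text):
    """Return the programs an autorun.inf would launch (deduplicated, in order).

    A small hand-rolled INI walk is used instead of configparser because worm
    autorun.inf files often carry junk lines that break strict parsers.
    """
    section = None
    targets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        runs_program = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs_program and value.strip() not in targets:
            targets.append(value.strip())
    return targets


def classify_root(root):
    """Classify one drive root by what sits at <root>\\autorun.inf."""
    # Windows file systems are case-insensitive, so one spelling covers all;
    # on a case-sensitive file system only the exact name is checked.
    inf = Path(root) / "autorun.inf"
    if not inf.exists():
        return {"root": str(root), "state": "unprotected", "targets": []}
    if inf.is_dir():
        return {"root": str(root), "state": "vaccinated", "targets": []}
    targets = autorun_launch_targets(inf.read_text(errors="replace"))
    state = "suspicious" if targets else "autorun.inf file, no launch directive"
    return {"root": str(root), "state": state, "targets": targets}


def vaccinate(root):
    """Create the blocking autorun.inf folder if the name is still free.

    The real tools additionally mark the folder hidden/system and put an entry
    with a reserved device name inside so it cannot be removed casually; that
    part needs Windows-specific calls and is left out here.
    """
    inf = Path(root) / "autorun.inf"
    if inf.is_dir():
        return "already vaccinated"
    if inf.exists():
        return "autorun.inf file present; inspect and clean before vaccinating"
    inf.mkdir()
    return "vaccinated"


def demo():
    """Run the checks on two throw-away directories standing in for drive roots."""
    clean = Path(tempfile.mkdtemp(prefix="clean_root_"))
    infected = Path(tempfile.mkdtemp(prefix="infected_root_"))
    (infected / "autorun.inf").write_text(SAMPLE_MALICIOUS_INF)
    return {
        "clean_before": classify_root(clean)["state"],
        "clean_vaccinate": vaccinate(clean),
        "clean_after": classify_root(clean)["state"],
        "infected": classify_root(infected),
        "infected_vaccinate": vaccinate(infected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```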

  • 3 weeks later...

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

