Unable to update McAfee, Google redirection


  • This topic is locked

#31
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

If I don't update to Service Pack 3, is there any further action I need to take to ensure that the computer is as safe as it can be?

Just be aware that I highly recommend you upgrade to SP3, as SP2 is outdated, and is no longer supported by Microsoft.


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#32
Beagle Pup (Topic Starter, Member, 28 posts)
Hi Sweetech

Many thanks for your advice. I think I'd like to maintain SP2 only on this computer for the time being, but I will go ahead with the online scan.

#33
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Okay.

#34
Beagle Pup (Topic Starter, Member, 28 posts)
Hi Sweetech

I now post the results of the ESET Scan:-

C:\Documents and Settings\NIGEL\Application Data\Microsoft\FS9\~$avlog2.HTM Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download Asynchronous Strobes Effects (AVSIM).htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download FSCamera (AVSIM).htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download FSUIPC.dll version 3.48 (AVSIM).htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download PopupMessageKiller (AVSIM).htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\EditVoicePack\download .NET Framework 1.1.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\EditVoicePack\EditVoicePack31\Readme.html Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Flight Simulator 9\Aircraft\B737_800w\boeing737-800_check.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Flight Simulator 9\Aircraft\B737_800w\boeing737-800_ref.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\Flight Sim Gen\destfn11\Destination Finder for FS9\Readme.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\B737_800 (Standard Microsoft)\boeing737-800_check.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\B737_800 (Standard Microsoft)\boeing737-800_ref.htm Win32/Ramnit.A virus
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\Flight 1 Super MD 80\MD80 Tutorial\MD80-tutorial.html Win32/Ramnit.A virus
C:\WINDOWS\system32\winlogon.exe Win32/Bamital.EC trojan
C:\WINDOWS\system32\zz-winlogon.exe.tmp Win32/Bamital.EC trojan
Operating memory Win32/Bamital.EC trojan

I look forward to hearing from you.

#35
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

We still have some work to do.

Please do the following:

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
C:\Documents and Settings\NIGEL\Application Data\Microsoft\FS9\~$avlog2.HTM
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download Asynchronous Strobes Effects (AVSIM).htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download FSCamera (AVSIM).htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download FSUIPC.dll version 3.48 (AVSIM).htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\Downloads\download PopupMessageKiller (AVSIM).htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\EditVoicePack\download .NET Framework 1.1.htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Extra\EditVoicePack\EditVoicePack31\Readme.html
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Flight Simulator 9\Aircraft\B737_800w\boeing737-800_check.htm
C:\Documents and Settings\NIGEL\Desktop\Downloads FS9 Pt 2\AS738-v3\Flight Simulator 9\Aircraft\B737_800w\boeing737-800_ref.htm
C:\Documents and Settings\NIGEL\Desktop\Flight Sim Gen\destfn11\Destination Finder for FS9\Readme.htm
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\B737_800 (Standard Microsoft)\boeing737-800_check.htm
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\B737_800 (Standard Microsoft)\boeing737-800_ref.htm
C:\Documents and Settings\NIGEL\Desktop\FSX Fs9 Payware\Flight 1 Super MD 80\MD80 Tutorial\MD80-tutorial.html
C:\WINDOWS\system32\zz-winlogon.exe.tmp
Folder::
Registry::
Driver::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#36
Beagle Pup (Topic Starter, Member, 28 posts)
Hi again

I'll run Combo Fix again plus MBAM and will come back to you with the results soon.

#37
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Okay.

#38
Beagle Pup (Topic Starter, Member, 28 posts)
Hi Sweetech

Combo Fix and MBAM reports are now posted below:-

ComboFix 10-11-30.08 - NIGEL 01/12/2010 12:33:50.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.2047.1471 [GMT 0:00]
Running from: c:\documents and settings\NIGEL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\NIGEL\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

c:\windows\system32\winlogon.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-11-01 to 2010-12-01 )))))))))))))))))))))))))))))))
.

2010-11-29 20:15 . 2010-11-29 20:15 -------- d-----w- c:\program files\ESET
2010-11-27 14:25 . 2010-11-27 14:25 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-23 18:05 . 2010-11-23 18:05 -------- d-----w- C:\Kontiki
2010-11-21 17:13 . 2006-02-28 12:00 502272 ----a-w- c:\windows\system32\zz-winlogon.exe.tmp
2010-11-21 17:11 . 2010-11-21 17:11 -------- d-----w- c:\program files\McAfeeMOBK
2010-11-21 17:11 . 2010-04-13 20:10 54776 ----a-w- c:\windows\system32\drivers\MOBK.sys
2010-11-21 17:11 . 2010-11-21 17:11 -------- d-----w- c:\program files\McAfee Online Backup
2010-11-21 17:10 . 2010-10-13 22:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-11-21 17:10 . 2010-10-13 22:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-11-21 17:10 . 2010-10-13 22:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-11-21 17:10 . 2010-10-13 22:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-11-21 17:10 . 2010-10-13 22:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-11-21 17:10 . 2010-10-13 22:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-11-21 17:10 . 2010-10-13 22:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-11-21 17:10 . 2010-10-13 22:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-11-21 17:10 . 2010-11-21 17:10 -------- d-----w- c:\program files\McAfee.com
2010-11-21 16:59 . 2010-10-13 22:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2010-11-06 11:37 . 2010-11-06 11:37 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2010-11-01 18:07 . 2010-11-01 18:07 -------- d-----w- C:\_OTL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-01 12:57 . 2006-02-28 12:00 1033216 ----a-w- c:\windows\explorer.exe
2010-11-10 16:39 . 2008-05-28 15:30 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-03 21:06 . 2010-10-19 16:16 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-10-13 22:28 . 2010-10-13 22:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 22:28 . 2010-10-13 22:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2006-02-28 . 57BF20A3977F07049EBBB9FB87D40BA5 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2010-12-01 . 9DDBBD5A8E18A8AEC828C5E2BC506BC3 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3B419EE1-1FA8-47B9-9AEC-6B60AC2E3FCA}"= "c:\program files\Torrents-Search-Engine\tbTor1.dll" [2010-02-21 2349080]

[HKEY_CLASSES_ROOT\clsid\{3b419ee1-1fa8-47b9-9aec-6b60ac2e3fca}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 20:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-05 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"Google Update"="c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-01-30 91432]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 81920]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 62760]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"HostManager"="c:\program files\Common Files\AOL\1211986260\ee\AOLSoftware.exe" [2006-09-26 50736]
"Profiler"="c:\program files\Saitek\Software\Profiler.exe" [2004-01-28 159744]
"SaiSmart"="c:\program files\Saitek\Software\SaiSmart.exe" [2004-01-28 98304]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-09-19 333120]
"RTHDCPL"="RTHDCPL.EXE" [2008-10-09 17021440]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"eBayToolbar"="c:\program files\eBay\eBay Toolbar2\eBayTBDaemon.exe" [2009-03-19 632048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-27 274608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2008-5-28 156784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantBurn]
2007-06-04 17:24 599600 ----a-w- c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 11:06 62760 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
2006-08-17 12:45 249856 ----a-w- c:\program files\lg_fwupdate\fwupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
2007-08-09 12:17 2503976 ----a-w- c:\program files\CyberLink\Power2Go\Power2GoExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 13:23 81920 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Common Files\\AOL\\1211986260\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Zattoo\\zattood.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [30/04/2008 15:00 16048]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [21/11/2010 17:10 84072]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [21/11/2010 17:11 54776]
R2 CLBUDF;CyberLink InstantBurn UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [30/04/2008 15:00 162096]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [21/11/2010 17:11 88176]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [21/11/2010 17:10 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [21/11/2010 17:10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [21/11/2010 16:59 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 20:11 229688]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [22/05/2008 13:38 38656]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [21/11/2010 17:10 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [21/11/2010 17:10 88544]
R3 SaiH0464;SaiH0464;c:\windows\system32\drivers\SaiH0464.sys [28/05/2008 15:27 55808]
S2 gupdate1c98c6ec92d4c10;Google Update Service (gupdate1c98c6ec92d4c10);c:\program files\Google\Update\GoogleUpdate.exe [11/02/2009 17:32 133104]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [21/11/2010 17:10 55840]
S3 Just Flight Limited License Service;Just Flight Limited License Service;c:\program files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe [20/06/2009 20:28 69632]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [21/11/2010 17:10 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [21/11/2010 17:10 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 17:32]

2010-11-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005Core.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-20 16:48]

2010-12-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2689334666-3409229528-900351719-1005UA.job
- c:\documents and settings\NIGEL\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-20 16:48]

2009-03-21 c:\windows\Tasks\ParetoLogic Update.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2007-09-19 00:55]

2010-12-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-12-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-12-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-09-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-11-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2689334666-3409229528-900351719-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]

2010-12-01 c:\windows\Tasks\User_Feed_Synchronization-{D9B3A1E6-7A73-4E80-8E3F-13AC2AFCDC3B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.bbc.co.uk
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-01 12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Portrait Displays\DisplayTune\HPW\CNN81202C7]
@DACL=(02 0000)
"Analog Caps"="(prot(monitor)type(LCD)model(W2007)cmds(01 02 03 07 0C 4E F3 E3)vcp(02 04 05 06 08 0B 0C 0E 10 12 14(01 05 08 0B) 16 18 1A 1E 1F 20 30 3E 52 60(01 03) 62 6C 6E 70 8D AC AE B2 B6 C0 C6 C8 C9 CA CC(01 02 03 04 05 06 0A 13) D6(01 04 05) DC(00 02 03 04 05) DF FF)mswhql(1)mccs_ver(2.1)asset_eep(32)mpu_ver(1.02))"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3796)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\program files\Common Files\AOL\ACS\WLHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\System32\vssvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
c:\program files\common files\aol\1211986260\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-01 13:07:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-01 13:07
ComboFix2.txt 2010-11-27 15:02
ComboFix3.txt 2010-11-20 16:33

Pre-Run: 260,949,032,960 bytes free
Post-Run: 260,939,235,328 bytes free

- - End Of File - - 5F9653F9A21352A6DFEC2EC137AD821A

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5225

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

01/12/2010 13:58:37
mbam-log-2010-12-01 (13-58-37).txt

Scan type: Quick scan
Objects scanned: 206816
Time elapsed: 28 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\ROSALIND\local settings\Temp\PMShared (Trojan.Goldun) -> Quarantined and deleted successfully.
c:\documents and settings\ROSALIND\local settings\temporary internet files\Content.IE5\POVIYK3Q\authorization[1].css (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\ROSALIND\local settings\temporary internet files\Content.IE5\VK91S6XI\authorization[1].css (Trojan.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\ROSALIND\local settings\temporary internet files\Content.IE5\ZBKT5VXN\authorization[2].css (Trojan.Zbot) -> Quarantined and deleted successfully.
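The Sigcheck section of the ComboFix log above lists several copies of winlogon.exe and explorer.exe with their MD5 and file version. As an added example (not ComboFix's or the forum's own code), the Python below parses those lines and flags a live copy whose hash differs from a backup copy of the same version, which is the comparison behind the log's "Infected copy of c:\windows\explorer.exe was found ... Restored copy from c:\windows\$hf_mig$\..." lines. It assumes, as a heuristic of this example, that copies under SoftwareDistribution, $hf_mig$, $NtUninstall*, ServicePackFiles and dllcache folders are Windows' own backups rather than the copy that executes.

```python
"""Cross-check the Sigcheck section of a ComboFix log (added example, not
ComboFix's own code): group every listed copy of a system file by file name
and version, and flag a live copy whose MD5 differs from a backup copy of the
same version, which is the comparison behind the log's 'Infected copy of
explorer.exe ... Restored copy from $hf_mig$' lines."""
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck lines copied from the log above.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
[-] 2006-02-28 . 57BF20A3977F07049EBBB9FB87D40BA5 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2010-12-01 . 9DDBBD5A8E18A8AEC828C5E2BC506BC3 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2006-02-28 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
"""

# One Sigcheck line: [flag] date . MD5 . size . . [file version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Heuristic (an assumption of this example): copies under these folders are
# Windows' own backups of the file, not the copy that actually executes.
BACKUP_MARKERS = ("\\softwaredistribution\\", "\\$hf_mig$\\", "\\$ntuninstall",
                  "\\servicepackfiles\\", "\\dllcache\\")


def is_backup_copy(path):
    lowered = path.lower()
    return any(marker in lowered for marker in BACKUP_MARKERS)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; blank and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["name"] = rec["path"].rsplit("\\", 1)[-1].lower()
        records.append(rec)
    return records


def cross_check(records):
    """Return (mismatches, unverified): mismatches holds one dict per live copy
    whose MD5 differs from a same-version backup (the restore candidate);
    unverified lists live copies with no same-version backup to compare with,
    e.g. an SP2 winlogon.exe beside only SP3 copies in the update cache."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["name"], rec["version"])].append(rec)
    mismatches, unverified = [], []
    for rec in records:
        if is_backup_copy(rec["path"]):
            continue
        backups = [r for r in groups[(rec["name"], rec["version"])]
                   if is_backup_copy(r["path"])]
        if not backups:
            unverified.append(rec["path"])
            continue
        for backup in backups:
            if backup["md5"] != rec["md5"]:
                mismatches.append({
                    "live": rec["path"], "live_md5": rec["md5"],
                    "backup": backup["path"], "backup_md5": backup["md5"],
                    "version": rec["version"],
                    # Same length but a different hash is typical of an
                    # infector that patches the executable in place.
                    "same_size": backup["size"] == rec["size"],
                })
    return mismatches, unverified


if __name__ == "__main__":
    found, unchecked = cross_check(parse_sigcheck(SIGCHECK_SAMPLE))
    for m in found:
        print("SUSPECT %s [%s] md5 %s; backup %s md5 %s; same size: %s"
              % (m["live"], m["version"], m["live_md5"],
                 m["backup"], m["backup_md5"], m["same_size"]))
    for path in unchecked:
        print("UNVERIFIED %s: no backup copy of the same version" % path)
```

On the log above it reports c:\windows\explorer.exe as suspect against the same-version $hf_mig$ copy (same 1033216 bytes, different hash) and system32\winlogon.exe as unverified, because the only other listed copies are the SP3 (5512) ones in the update cache.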

#39
SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
File::
c:\windows\system32\zz-winlogon.exe.tmp
FCopy::
c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe | c:\windows\explorer.exe

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#40
Beagle Pup (Topic Starter, Member, 28 posts)
Hi SweetTech

Although I had no problems with running Combo Fix Script, it hung on reboot so I had to reboot the machine myself and then it failed to produce a log although I tried to search for this. I ran Combo Fix Script again but it still failed to reboot automatically.

On each reboot, the following messages came up:-

1.A message saying "A change has been detected in your IE Search Page, the new page is wwww.microsoft.com/isapi.dll? prd=ie&ar=ieeurd. If this is OK, click Enter. If No, we'll restore your page to www.google.com." I didn't agree the change since I thought this might be a spoof redirection again.

2. An invitation to insert the Windows CD to restore original files since one or more files are unstable. As previously, I'm not sure whether to do this although I have the Windows CD.

3. A message regarding Hosts and did I want a change to c:\windows\system32\drivers\etc\hosts. I wasn't sure what to do about this so I didn't agree it.

I look forward to hearing from you.
  • 0



#41
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,

1. Yes, you can allow this change. When ComboFix is run it resets a number of settings back to default, so that in the event malware has changed them, they will be back to the way they should be.

2. If you see this message again, please insert your disc.


Let me fill you in on what is going on right now.

The results from the ESET Online Scanner showed me some things that have me worried.

Some of the files that were detected were being detected as: Win32/Ramnit.A virus

This is usually what I tell my users when they have Ramnit:

--------
I'm afraid I have very bad news.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


-----

From your ESET Online Scanner the Ramnit infection did not look too bad, and I hoped that maybe we could have contained the damage.

Looking back over your latest ComboFix log, I'm not too sure if those files were removed or not.

On top of the Ramnit infection you also have an infection called Bamital, and this infection has infected your C:\WINDOWS\system32\winlogon.exe file. I have been trying to find a suitable replacement for this file, but we don't seem to be having all that much luck with finding a replacement with ComboFix.

I also think there is a possibility that your c:\windows\explorer.exe is a patched file.

------

I am going to be completely honest with you. I have never tackled a user's machine that has had Ramnit on it. The users that have been infected with this have always gone with performing a reformat and reinstall. I think they were infected worse than you currently are, but they still had the infection. I know that if this was my computer, I'd go ahead with a reformat and reinstall, but that's just me.

I'll await your next reply, and we can see where we stand then.
  • 0

#42
Beagle Pup

Beagle Pup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi Sweetech

Thank you for all your advice on this.


I take your point about reformatting the Hard Drive. Do you think that the problems in this computer would go some way to be solved with this computer if:-

1. SP3 was installed as you originally advised.

2. If I used Google Chrome rather than IE8. I am thinking here that if IE8 is patched and therefore compromised, Google Chrome would not be affected.

If you feel that these actions would not really cure this computer, I am wondering whether to use it exclusively as a gaming machine rather than run the risk of doing any transactions/emails on it. I would use my laptop then for 'transactions'. If I need though to transfer anything by usb stick from the laptop to the infected computer, do you think there would be any risk of infection to the laptop from the infected computer even though I would not 'transfer' any file from this computer to the laptop through the usb stick?
  • 0

#43
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts

I take your point about reformatting the Hard Drive. Do you think that the problems in this computer would go some way to be solved with this computer if:-
1. SP3 was installed as you originally advised.

2. If I used Google Chrome rather than IE8. I am thinking here that if IE8 is patched and therefore compromised, Google Chrome would not be affected.

If you feel that these actions would not really cure this computer, I am wondering whether to use it exclusively as a gaming machine rather than run the risk of doing any transactions/emails on it. I would use my laptop then for 'transactions'. If I need though to transfer anything by usb stick from the laptop to the infected computer, do you think there would be any risk of infection to the laptop from the infected computer even though I would not 'transfer' any file from this computer to the laptop through the usb stick?


1. No I don't think installing SP3 will solve the issues you are experiencing.

2. Nope, this won't work.

I'd personally stay away from transferring files, but that's just me.

You could run this tool on a clean computer while having your flash drive inserted.

Running Flash Disinfector
Download Flash_Disinfector.exe by sUBs from HERE and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
  • 0
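The protective autorun.inf folder that Flash_Disinfector leaves behind (described in the post above) works because Windows expects autorun.inf to be a file: a directory of that name cannot be parsed as an AutoRun file, and a worm cannot drop a file with the same name while the folder exists. The following is an added Python example, written for this thread and not Flash_Disinfector's own code, showing the idea from the defender's side: it classifies what sits at the root of a drive, lists (without running) what an existing autorun.inf file would launch, and creates the protective folder only when the slot is free. The drive roots, the sample autorun.inf content and the name dropped.exe are constructed for the demo; the hidden/system/read-only attributes are set only on Windows.

```python
import ctypes
import os
import shutil
import sys
import tempfile

AUTORUN_NAME = "autorun.inf"

# Windows file-attribute flags (documented values accepted by SetFileAttributesW).
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04


def inspect_autorun(drive_root):
    """Classify what sits at <drive_root>\\autorun.inf.

    'absent'            - nothing there
    'protective-folder' - a directory: Windows cannot parse it as an
                          AutoRun file, and a worm cannot create a file
                          of the same name while it exists
    'file'              - a real autorun.inf; on a removable drive this
                          deserves a look before anything on it is trusted
    """
    path = os.path.join(drive_root, AUTORUN_NAME)
    if not os.path.lexists(path):
        return "absent"
    if os.path.isdir(path):
        return "protective-folder"
    return "file"


def read_autorun_targets(drive_root):
    """Return the programs an autorun.inf file would launch (open=,
    shellexecute= and shell\\...\\command= entries) without executing anything."""
    path = os.path.join(drive_root, AUTORUN_NAME)
    if not os.path.isfile(path):
        return []
    targets = []
    with open(path, "r", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith((";", "[")) or "=" not in line:
                continue
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in ("open", "shellexecute") or key.startswith("shell\\"):
                targets.append(value.strip())
    return targets


def _hide_on_windows(path):
    """Mark the folder hidden, system and read-only (the attributes the
    Flash_Disinfector note describes). A no-op on other platforms."""
    if sys.platform == "win32":
        ctypes.windll.kernel32.SetFileAttributesW(
            path,
            FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
        )


def protect_drive(drive_root):
    """Create the protective autorun.inf folder if the slot is free.

    An existing *file* is deliberately left alone: it is evidence for the
    operator and the anti-virus to deal with, not something to overwrite.
    """
    state = inspect_autorun(drive_root)
    if state == "file":
        return "file-present"
    if state == "protective-folder":
        return "already-protected"
    path = os.path.join(drive_root, AUTORUN_NAME)
    os.mkdir(path)
    _hide_on_windows(path)
    return "created"


def demo():
    """Run the checks against two constructed drive roots in temp directories:
    one carrying a constructed autorun.inf file, one clean."""
    infected = tempfile.mkdtemp(prefix="usb_infected_")
    clean = tempfile.mkdtemp(prefix="usb_clean_")
    try:
        # Constructed sample resembling what an autorun worm leaves behind;
        # 'dropped.exe' is a placeholder name, not a real indicator.
        with open(os.path.join(infected, AUTORUN_NAME), "w") as fh:
            fh.write("[autorun]\nopen=dropped.exe\nicon=dropped.exe,0\n"
                     "shell\\open\\command=dropped.exe\n")
        return {
            "infected_state": inspect_autorun(infected),
            "infected_targets": read_autorun_targets(infected),
            "infected_protect": protect_drive(infected),
            "clean_before": inspect_autorun(clean),
            "clean_protect": protect_drive(clean),
            "clean_after": inspect_autorun(clean),
            "clean_protect_again": protect_drive(clean),
        }
    finally:
        shutil.rmtree(infected, ignore_errors=True)
        shutil.rmtree(clean, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine you would call protect_drive() with the root of each removable drive (for example "E:\\") from a clean computer, exactly as the post suggests, and treat a "file-present" result as a reason to look at read_autorun_targets() and at the anti-virus log before the drive goes anywhere near another system. Later Windows updates disabled AutoRun for removable drives altogether, so on a patched system the folder is an extra layer rather than the main defence.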

#44
Beagle Pup

Beagle Pup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Hi again SweetTech

I'm going to take your advice and do a complete reformat!! Could you please let me have some instructions on how to do this.

Many thanks
  • 0

#45
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Yes, I can. You can take a look at an excellent guide created by my colleague Essexboy.

Link: http://www.geekstogo...all-of-windows/
  • 0
