Win32.Nimnul.e / Win32.Ramnit.R - Virus infection

Hi everyone,

I have the following problem with a virus which I have tried to resolve myself but without any luck so far, and I would very much appreciate your help as I'd hate to format the drive.

Today Kaspersky Internet Security (firewall + anti-virus software) reported some strange Host Process activity which I tried blocking, and than reported numerous *dll files infected with a Win32.Nimnul.e virus. I read on an online forum that a person had had similar issues and so tried scanning my PC with ESET Online Scanner as that had worked for that person. ESET has done a complete scan of my system drive, memory, hidden objects etc. and found 630 infected files, mostly *dll's, which it cleaned/quarantined according to the report. I then restared my PC and did another scan of the critical zones (memory, start-up objects, windows directory, booting sectors) with KIS and Dr Web. Both found no issues. Then KIS started giving new wanrings of infected files. I noted that many infected files came from User/AppData path and so I went there to delete the Temp folder content and noticed a strange folder called "vpvvltjv" in my AppData folder. Inside that folder was a file "evnlvwsm.exe". I tried deleting it but I couldn't, the message said it was being used by Host Process for Windows Services. I had a strong impression that that was the virus in question that somehow got hold of the generic host process and was causing strange behaviour on my PC. I tried deleting it in Safe Mode and it worked but when I reloaded normally, the folder and file were in AppData again! On another restart, KIS reported evnlvwsm.exe as dangerous and quarantined it. On restart, however, the folder and the file were in the same place again. KIS has reported a number of malwares in the Temp folder, even after I manually emptied the folder (for instance, "vblgxyrvorypiofi.exe").

It looks like I got some bad virus that recreates itself even after deletion, and perhaps regenerates itself in a number of files, and has control over some host processes. It looks like it has control over certain things on my PC. For instance, I can no longer start, uninstall or re-install certain applications (like my Opera browser (whenever I try to do it, it only pops up for a split second and shuts down)), I can't start Virtual Windows XP (error message says there is not enough system resources although there's pleny of it). I also couldn't run aswMBR.exe, I got an error message saying I didn't have access rights to run that process. I tried running it from Safe Mode but than some drivers failed to load and scan couldn't be performed.

I thought that the reason I can't run certain exe's may be that ESET damaged those *dll's while disinfecting them. If not, the only explanation I see is that the virus has control over certain processes and prevents me from executing them.

I attach the following files in support of my post:

- Extras.txt (generated by OTL as instructed);
- OTL.txt (generated by OTL as instructed);
- checkup.txt (generated by Security Check as instructed);
- ESET log.txt (generated by ESET which found 630 instances of infection with Win32/Ramnit.R virus and cured them all successfully);
- KIS report (generated by Kaspersky and showing some files that it has blocked/quarantined).

As I mentioned, I couldn't run aswMBR.exe so no log is attached for that one. I am attaching the logs in a single zip file as I didnt manage to upload separate files.

I would appreciate some help with this virus. If it has already screwed up my dll's (for literally all applications as can be seen from the ESET log) and reformat is unavoidable, I'd appreciate confirmation before I proceed with that measure.

***

By way of update, I wanted to add that KIS seems to have finally managed after a couple restarts to quarantine and delete both vblgxyrvorypiofi.exe and evnlvwsm.exe. After that I was able to use Opera and Virtual Windows XP again. I then also ran a complete scan with Dr Web of all files and it only found three issues which it fixed (the log is huge 46 MB so I'm not copying it here). I don't know if that means the issue has been resolved but the symptoms seem to have gone away. I have also been able to run aswMBR.exe, the log follows below as I didn't manage to reattach an updated ZIP.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-28 21:22:16
-----------------------------
21:22:16.052 OS Version: Windows x64 6.1.7600
21:22:16.052 Number of processors: 6 586 0xA00
21:22:16.054 ComputerName: BEAST UserName: KIS
21:22:40.521 Initialize success
21:28:25.012 AVAST engine defs: 12032801
21:29:26.940 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
21:29:26.940 Disk 0 Vendor: Hitachi_HDS721010CLA332 JP4OA3EA Size: 953869MB BusType: 3
21:29:26.950 Disk 0 MBR read successfully
21:29:26.950 Disk 0 MBR scan
21:29:26.953 Disk 0 Windows 7 default MBR code
21:29:26.955 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:29:26.963 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 307197 MB offset 206848
21:29:26.965 Disk 0 Partition - 00 0F Extended LBA 646569 MB offset 629346375
21:29:26.980 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 646569 MB offset 629346438
21:29:26.998 Disk 0 scanning C:\Windows\system32\drivers
21:29:32.473 Service scanning
21:29:47.503 Modules scanning
21:29:47.506 Disk 0 trace - called modules:
21:29:47.516 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80064952c0]<21:29:47.518 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006d67790]
21:29:47.521 3 CLASSPNP.SYS[fffff8800218143f] -> nt!IofCallDriver -> [0xfffffa800697be40]
21:29:47.523 5 ACPI.sys[fffff8800180b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0xfffffa80069e2680]
21:29:47.526 \Driver\atapi[0xfffffa8005b21060] -> IRP_MJ_CREATE -> 0xfffffa80064952c0
21:29:47.528 Scan finished successfully
21:30:05.568 Disk 0 MBR has been saved successfully to "C:\Users\KIS\Desktop\MBR.dat"
21:30:05.573 The log file has been saved successfully to "C:\Users\KIS\Desktop\aswMBR.txt"

Please download Malwarebytes Anti-Malware from Malwarebytes.org http://www.malwarebytes.org/mbam-download-exe.php


(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
Copy and paste the entire report in your next reply.
If Malwarebytes fails to download please use the following link:

http://malwarebytes.org/mbam-download-exe-random.php



=============================================


Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

When saving ComboFix rename it to PCHelpForum.exe to prevent it from being blocked by malware.


Refer to this image:

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click PCHelpForum.exe to run it.
  
  You will see the following image:
  
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:





As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.





Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.





http://www.malwarebytes.org/mbam-download-exe.php

Hi, thanks for the quick reply. I had to be away from my PC for a few days. I have now run both searches as described above. The logs follow.

- - Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.30.06

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
KIS :: BEAST [administrator]

Protection: Enabled

30/03/2012 18:52:08
mbam-log-2012-03-30 (18-52-08).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 518354
Time elapsed: 34 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56B38F40-4E70-11d4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{56B38F40-4E70-11d4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\TypeLib\{56B38F41-4E70-11D4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\Interface\{56B38F42-4E70-11D4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\WebCGMHlprObj.WebCGMHlprObj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\WebCGMHlprObj.WebCGMHlprObj (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{56B38F40-4E70-11D4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{56B38F40-4E70-11D4-A076-0080AD86BA2F} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\SysWOW64\cgmopenbho.dll (Trojan.BHO) -> Quarantined and deleted successfully.

(end)

***

- - ComboFix:

ComboFix 12-03-30.06 - KIS 03/04/2012 23:53:20.1.6 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1251.7.1033.18.6142.4781 [GMT 1:00]
Running from: c:\users\KIS\Desktop\PCHelpForum.exe
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\KIS\AppData\Local\fwqdwvxl.log
c:\users\KIS\AppData\Local\gnuqssfi.log
c:\users\KIS\AppData\Local\hnkgqdic.log
c:\users\KIS\AppData\Local\kglxyoog.log
c:\users\KIS\AppData\Local\rpoeqlgy.log
c:\users\KIS\AppData\Local\tifbdknc.log
c:\users\KIS\AppData\Local\xwxqitka.log
c:\users\KIS\AppData\Roaming\chrtmp
c:\windows\system32\drivers\etc\_hosts
c:\windows\SysWow64\tmp924.tmp
c:\windows\SysWow64\tmp954.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))
.
.
2012-04-03 22:57 . 2012-04-03 22:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-30 17:49 . 2012-03-30 17:49 -------- d-----w- c:\users\KIS\AppData\Roaming\Malwarebytes
2012-03-30 17:49 . 2012-03-30 17:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-30 17:49 . 2012-03-30 17:49 -------- d-----w- c:\programdata\Malwarebytes
2012-03-30 17:49 . 2011-12-10 14:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-30 09:02 . 2012-03-30 09:02 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-03-28 20:56 . 2008-10-15 05:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-03-28 20:56 . 2008-10-15 05:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2012-03-28 20:56 . 2008-10-15 05:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-03-28 20:56 . 2008-10-15 05:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2012-03-28 20:55 . 2008-10-15 05:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-03-28 20:55 . 2008-10-15 05:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-03-28 14:40 . 2012-03-28 14:52 -------- d-----w- c:\users\KIS\DoctorWeb
2012-03-28 13:27 . 2012-03-28 13:27 -------- d-----w- c:\program files (x86)\ESET
2012-03-20 22:32 . 2012-03-20 22:43 -------- d-----w- c:\users\KIS\AppData\Roaming\ICQ
2012-03-20 22:31 . 2012-03-28 13:54 -------- d-----w- c:\program files (x86)\ICQ7.7
2012-03-04 23:01 . 2012-03-04 23:01 -------- d-----w- c:\windows\Sun
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-03 22:48 . 2012-02-06 00:23 29 ----a-w- c:\windows\SysWow64\TempWmicBatchFile.bat
2012-03-30 09:02 . 2011-09-13 01:32 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 17:22 . 2012-02-29 17:15 1024 ----a-w- c:\programdata\1pdfenc.dll
2012-02-21 13:56 . 2012-01-28 19:07 303616 ----a-w- c:\windows\system32\drivers\atksgt.sys
2012-02-21 13:56 . 2012-01-28 19:07 35328 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2012-01-28 21:21 . 2012-01-28 21:21 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-18 15:56 . 2012-02-08 22:46 19936 ------w- c:\windows\system32\pwdrvio.sys
2012-01-18 15:56 . 2012-02-08 22:46 13280 ------w- c:\windows\system32\pwdspio.sys
2012-01-18 15:56 . 2012-02-08 22:46 1013320 ----a-w- c:\windows\system32\pwNative.exe
2010-05-18 08:00 . 2012-02-05 17:04 1094656 ----a-w- c:\program files\iBoxPlayer_en_oem_v2.8.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2009-07-07 241789]
"NUSB3MON"="c:\program files (x86)\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"trustGTX14"="c:\program files (x86)\Trust\GXT14 Mouse\POINTERGHOST.exe" [2009-05-11 4832256]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-06-03 446635]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-12-05 343168]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\users\KIS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
cron.exe - Shortcut.lnk - c:\program files (x86)\winzip\platform\windows\cron.exe [2011-2-15 216635]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Wireless Utility.lnk - c:\program files (x86)\Edimax\Common\RaUI.exe [2011-12-17 1576960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DCScheduler;DCScheduler;c:\program files (x86)\FarStone\TotalRecovery Pro\Client\cbp\DCSchdlerSRVC.exe [2009-11-26 104976]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 253600]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-09-12 180224]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
R3 FARMNTIO;FARMNTIO;c:\windows\system32\drivers\farmntio.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 OA002Afx;Provides a software interface to control audio effects of OA002 camera.;c:\windows\system32\Drivers\OA002Afx.sys [x]
R3 OA002Ufd;Creative Camera OA002 Upper Filter Driver;c:\windows\system32\DRIVERS\OA002Ufd.sys [x]
R3 OA002Vid;Creative Camera OA002 Function Driver;c:\windows\system32\DRIVERS\OA002Vid.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
R3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [x]
R3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [x]
R3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Personal 2012\RpcAgentSrv.exe [2008-11-06 93848]
R4 FBAgent;File Backup Agent;c:\program files (x86)\FarStone\TotalRecovery Pro\Client\Efb\FBPAgent.exe [x]
R4 Tran_Process_Proc;DCNTranProc;c:\program files (x86)\FarStone\TotalRecovery Pro\Client\DCNTranProc.exe [x]
S0 dcsnap;dcsnap; [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-12-05 361984]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-24 55424]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-12-28 96896]
S2 CronService;Cron Service for Prey;c:\program files (x86)\winzip\platform\windows\cronsvc.exe [2011-02-15 19968]
S2 KmGameMouseServiceV1;Game Mouse Communication And Update Service V1;c:\program files (x86)\Trust\GXT14 Mouse\GameMouseServiceApp.exe [2009-05-11 354304]
S2 RalinkRegistryWriter64;Ralink Registry Writer 64;c:\program files (x86)\Edimax\Common\RaRegistry64.exe [2009-07-14 211232]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 KMWDFILTERV1;HIDUASServiceDesc;c:\windows\system32\DRIVERS\RPGMOUSEV1.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 09:02]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {{77F665FD-3F60-4B0A-AE14-EC124B7A7FCE} - c:\program files (x86)\ICQ7.7\ICQ.exe
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1249482556-1692519075-274133584-1000\Software\SecuROM\License information*]
"datasecu"=hex:a5,bf,8b,b3,1c,fc,b4,45,ff,56,52,c7,f1,46,72,dc,9b,54,3f,96,31,
06,37,7a,05,c0,b3,8d,ea,c4,c1,42,a6,df,1f,76,e7,f0,be,cd,ee,96,56,02,c5,86,\
"rkeysecu"=hex:bb,d9,a1,10,dc,e2,7f,cc,e6,46,0e,33,b9,f3,d1,ca
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10d.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10d.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10d.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\DAODx.exe
c:\program files (x86)\ASUS\TurboV EVO\TurboVHELP.exe
c:\windows\system32\crypserv.exe
c:\program files (x86)\FarStone\TotalRecovery Pro\Client\cbp\DCSchdler.exe
c:\program files (x86)\Edimax\Common\RaRegistry.exe
c:\program files (x86)\DAEMON Tools Pro\DTShellHlp.exe
c:\program files (x86)\Trust\GXT14 Mouse\StartAutorun.exe
c:\program files (x86)\Trust\GXT14 Mouse\RapooV1Process.exe
.
**************************************************************************
.
Completion time: 2012-04-04 00:41:01 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-03 23:41
.
Pre-Run: 248,851,197,952 bytes free
Post-Run: 247,937,458,176 bytes free
.
- - End Of File - - 134E7417D2AD19A5E5AB61D33D0D6C8A

***

Do you spot any issues here?

I'm afraid I have very bad news.


Your system is seriously infected.


Win32/Ramnit.A Win32/Ramnit.B is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.


Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
Understanding virus names


VirusTotal Threat aliases for W32/Ramnit<-Win32.Ramnit!IK,W32.Ramnit!inf,Win32.Rmnet

VirScan Threat aliases for W32/Ramnit<-Win32/Zbot,PWS.Panda.387,PE_RAMNIT,Trojan/Generic.arhm

McAfee Threat aliases for W32/Ramnit - link 1<-Trojan.Generic.KD,Win32/Zbot,W32/Cosmu

McAfee Threat aliases for W32/Ramnit - link 2<-SHeur3.AQRA,W32/Patched-I,Win32.Nimnul,W32/Pedalac


With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.


Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.


In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.


Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.


Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat[/url and reinstall the OS. Please read:


[url=http://www.dslreports.com/faq/10063]When should I re-format? How should I reinstall?


Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You


This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Thank you for a comprehensive reply. I think I contracted this virus through a website while watching a streaming flash video. As I mentioned in my first post, it did look like the virus started infecting all *dll's and some *exe's on my computer straight away as KIS went crazy reporting those files. Even though I managed to pinpoint those files with an AV software and "fix" them, some no longer worked correctly afterwards and I had to re-install applications.

I will reformat the drive and re-install the system to be sure. I was wondering, however, why KIS didn't spot the virus and let it slip, especially if it has been around for some time and is so serious. It has always identified threats from websites before. Also, when a backdoor is open with this virus, what kind of control could a hacker get? Could they, for instance, keylog my passwords and get access to files? I could actually see how I lost control over some applications after the infection but it seems to have restored to normal since I managed to get rid of a couple of suspect *exe"s.

I also have two partitions on my PC, and one of the them is used to store permanent files (photos, Word files, distributives, drivers, etc.). The system and applications are installed on a separate partition. Could the virus mess with the files on another partition in some way? None of them were reported as infected but I was just wondering as I think to reformat the main system partition and leave the other one with all files as is.

Why KIS didn't spot the virus .. possibly they did not have a sample of the virus at that time


Also, when a backdoor is open with this virus, what kind of control could a hacker get?..... IT steals sensitive information such as saved FTP credentials,passwords and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker such as keylogin.

Files on another partition .... yes,they could get infected as well.Its best to remove them.


It is recommended to change ALL your passwords as a precaution.