06-16-2009, 12:23 PM   #3
andybucks
Registered User
 
Join Date: Jul 2006
Posts: 12
OS: WIN XP - SP2


Re: Worm problem Help!

Yes, sorry about the previous posts. The 1st one I replied to, to update it, then realised that probably no one would reply. Then on the 2nd someone replied but closed the thread saying I need to follow the 1st steps, even though I did so and mentioned it in my post.

Anyway, apologies for any confusion.

Both DDS and GMER worked now, and the logs are attached.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Andy at 22:11:30.12 on 16/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.44.1033.18.2046.870 [GMT 4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Micro Niche Finder\srvany.exe
C:\Program Files\Micro Niche Finder\bggoogle.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Windows\system32\stacsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Users\Andy\Program Files\DNA\btdna.exe
C:\Users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andy\Desktop\dds\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
uRun: [BitTorrent DNA] "c:\users\andy\program files\dna\btdna.exe"
uRun: [AdobeBridge]
uRun: [Google Update] "c:\users\andy\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: sonicwall.com\sslvpn
Trusted Zone: systechgroup.net\ssl
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {27FDE39E-3928-4A03-9B08-94CDD47418E3} = 213.42.20.20 195.229.241.222
TCP: {5FD2BAA1-9CD7-4CDB-B32F-B18FC8F66C79} = 10.16.128.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\andy\appdata\roaming\mozilla\firefox\profiles\f07zv1ww.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\users\andy\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\andy\program files\dna\plugins\npbtdna.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-15 28544]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-1-8 21408]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-6-1 331312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-6-15 170640]
R2 Micro Niche Finder Background Download Service;Micro Niche Finder Background Download Service;c:\program files\micro niche finder\srvany.exe [2009-4-19 8192]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2008-2-22 204800]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects\uCamMonitor.exe [2008-2-22 125440]
R2 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2008-2-22 745472]
R2 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2008-2-22 397312]
R2 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2008-2-22 1089536]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2008-2-22 17920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-6-15 15504]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2008-1-8 75392]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2008-1-8 43904]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-1-8 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-1-8 14720]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2008-2-4 20504]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-11-19 25216]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-1-8 812544]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-1-8 28464]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-11 33752]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-6-1 34352]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-2-22 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-2-22 79136]

=============== Created Last 30 ================

2009-06-15 21:21 <DIR> --d----- c:\program files\SB
2009-06-15 17:15 524,288 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TMContainer00000000000000000002.regtrans-ms
2009-06-15 17:15 524,288 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TMContainer00000000000000000001.regtrans-ms
2009-06-15 17:15 65,536 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TM.blf
2009-06-15 17:15 5,120 a---h--- C:\ntuser.dat.LOG1
2009-06-15 17:15 0 a---h--- C:\ntuser.dat.LOG2
2009-06-15 17:15 262,144 a------- C:\ntuser.dat
2009-06-15 16:50 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-15 16:48 <DIR> --d----- c:\program files\Panda Security
2009-06-15 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-06-15 13:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 13:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 13:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 13:17 <DIR> --d----- c:\users\andy\.housecall6.6
2009-06-08 10:27 163,601 a------- c:\windows\XHeader Bonus Download Uninstaller.exe
2009-06-08 10:23 203,086 a------- c:\windows\XHeader Uninstaller.exe
2009-06-08 10:23 <DIR> --d----- c:\program files\XHeader
2009-06-08 10:23 <DIR> --d----- c:\program files\common files\Thraex Software
2009-06-01 22:13 33,840 a------- c:\windows\system32\drivers\hssdrv.sys
2009-06-01 16:26 <DIR> --d----- c:\program files\OpenVPN
2009-05-31 18:22 0 a------- c:\windows\system32\cd.dat
2009-05-31 16:31 325 ---shr-- C:\autorun.inf
2009-05-25 19:07 <DIR> --d----- C:\Hotspot Shield
2009-05-19 17:19 551,424 a------- c:\windows\system32\rpcss.dll
2009-05-19 17:19 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-05-19 17:19 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-05-19 17:19 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-05-19 17:19 183,296 a------- c:\windows\system32\sdohlp.dll
2009-05-19 17:19 98,304 a------- c:\windows\system32\iasrecst.dll
2009-05-19 17:19 54,784 a------- c:\windows\system32\iasads.dll
2009-05-19 17:19 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-05-19 17:19 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-05-19 17:19 17,408 a------- c:\windows\system32\iashost.exe
2009-05-19 17:18 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-05-19 17:18 72,704 a------- c:\windows\system32\secur32.dll
2009-05-19 17:18 24,064 a------- c:\windows\system32\amxread.dll
2009-05-19 17:18 13,824 a------- c:\windows\system32\apilogen.dll
2009-05-19 17:18 376,832 a------- c:\windows\system32\winhttp.dll
2009-05-19 17:18 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-05-19 17:18 38,912 a------- c:\windows\system32\xolehlp.dll
2009-05-19 17:18 2,033,152 a------- c:\windows\system32\win32k.sys
2009-05-19 17:18 268,288 a------- c:\windows\system32\schannel.dll

==================== Find3M ====================

2009-06-01 16:26 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-01 16:26 51,200 a------- c:\windows\inf\infpub.dat
2009-05-15 11:37 29,480 a------- c:\windows\system32\msxml3a.dll
2009-04-24 10:32 86,016 a------- c:\windows\inf\infstor.dat
2009-03-23 17:42 124,168 a------- c:\windows\system32\WPPFilt.dll
2009-03-19 06:46 90,992 a------- c:\users\andy\appdata\roaming\nvModes.dat
2009-01-13 11:02 56 a---h--- c:\programdata\ezsidmv.dat
2009-01-13 11:02 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-10 12:23 174 a--sh--- c:\program files\desktop.ini
2008-09-10 12:14 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:12:01.27 ===============
Attached Files: attach.zip (10.2 KB)