Worm problem Help!

[andybucks]

Hello

I seem to have an infection i can't get rid of. It will not let any of my normal spybot or malware run. So I have come to this forum for help.

I have completed all the steps within the first steps section, however the following problems were expierenced.

1) DDS just opens a text file full of rubbish (as attached)
2) GMR crashes when scanning.

Before I came here i managed to get a Panda scan to complete and found W32/TDSS.BF.worm & ACAD/Bursted.B (log available).

Please help i don't know what to do!!!

[tetonbob]

Hello -

Is this the same machine you've posted about here

[SOLVED] Got something nasty! Help!!!!

and here

Help W32/TDSS.BF.worm!!!

Rename dds to a .com extension, or use the copy from this link

http://www.techsupportforum.com/atta...-steps-dds.zip

Regarding GMER...

Let's try this version of gmer.


Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  
  
  
  Click the image to enlarge it
  
  
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  
• Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If need be, run also untick Devices. If still no joy, run the scan in Safe mode. If still no joy...let me know.

[andybucks]

Yes sorry about the previous posts, 1st one i replied to, to update it then realised that proberly no one would reply. Then 2nd someone replied but closed the tread saying i need to follow the 1st steps, even though i did so and mentioned in my post.

Anyway, aplogies for any confusion.

Both DDS and GMER worked now, and logs are attached....




DDS (Ver_09-03-16.01) - NTFSx86
Run by Andy at 22:11:30.12 on 16/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.44.1033.18.2046.870 [GMT 4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Micro Niche Finder\srvany.exe
C:\Program Files\Micro Niche Finder\bggoogle.exe
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Sony\Network Utility\NSUService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Windows\system32\stacsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Sony\VAIO Update 4\VAIOUpdt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sony\Network Utility\LANUtil.exe
C:\Users\Andy\Program Files\DNA\btdna.exe
C:\Users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andy\Desktop\dds\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.co.uk/
uSearch Bar = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe"
uRun: [BitTorrent DNA] "c:\users\andy\program files\dna\btdna.exe"
uRun: [AdobeBridge]
uRun: [Google Update] "c:\users\andy\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: sonicwall.com\sslvpn
Trusted Zone: systechgroup.net\ssl
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {27FDE39E-3928-4A03-9B08-94CDD47418E3} = 213.42.20.20 195.229.241.222
TCP: {5FD2BAA1-9CD7-4CDB-B32F-B18FC8F66C79} = 10.16.128.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: VESWinlogon - VESWinlogon.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\users\andy\appdata\roaming\mozilla\firefox\profiles\f07zv1ww.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\users\andy\appdata\local\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\andy\program files\dna\plugins\npbtdna.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-15 28544]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\system32\drivers\shpf.sys [2008-1-8 21408]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\adobe\photoshop elements 6.0\PhotoshopElementsFileAgent.exe [2007-9-11 124832]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-6-1 331312]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-6-15 170640]
R2 Micro Niche Finder Background Download Service;Micro Niche Finder Background Download Service;c:\program files\micro niche finder\srvany.exe [2009-4-19 8192]
R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2008-2-22 204800]
R2 uCamMonitor;CamMonitor;c:\program files\arcsoft\magic-i visual effects\uCamMonitor.exe [2008-2-22 125440]
R2 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2008-2-22 745472]
R2 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2008-2-22 397312]
R2 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2008-2-22 1089536]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\drivers\ArcSoftKsUFilter.sys [2008-2-22 17920]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-6-15 15504]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2008-1-8 75392]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2008-1-8 43904]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2008-1-8 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2008-1-8 14720]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2008-2-4 20504]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2008-11-19 25216]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-1-8 812544]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-1-8 28464]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-11 33752]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-6-1 34352]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2008-2-22 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2008-2-22 79136]

=============== Created Last 30 ================

2009-06-15 21:21 <DIR> --d----- c:\program files\SB
2009-06-15 17:15 524,288 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TMContainer00000000000000000002.regtrans-ms
2009-06-15 17:15 524,288 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TMContainer00000000000000000001.regtrans-ms
2009-06-15 17:15 65,536 a--sh--- C:\ntuser.dat{8b173bd5-59a6-11de-bbdc-000000000000}.TM.blf
2009-06-15 17:15 5,120 a---h--- C:\ntuser.dat.LOG1
2009-06-15 17:15 0 a---h--- C:\ntuser.dat.LOG2
2009-06-15 17:15 262,144 a------- C:\ntuser.dat
2009-06-15 16:50 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-15 16:48 <DIR> --d----- c:\program files\Panda Security
2009-06-15 15:58 <DIR> --d----- c:\program files\Trend Micro
2009-06-15 13:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-06-15 13:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 13:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 13:17 <DIR> --d----- c:\users\andy\.housecall6.6
2009-06-08 10:27 163,601 a------- c:\windows\XHeader Bonus Download Uninstaller.exe
2009-06-08 10:23 203,086 a------- c:\windows\XHeader Uninstaller.exe
2009-06-08 10:23 <DIR> --d----- c:\program files\XHeader
2009-06-08 10:23 <DIR> --d----- c:\program files\common files\Thraex Software
2009-06-01 22:13 33,840 a------- c:\windows\system32\drivers\hssdrv.sys
2009-06-01 16:26 <DIR> --d----- c:\program files\OpenVPN
2009-05-31 18:22 0 a------- c:\windows\system32\cd.dat
2009-05-31 16:31 325 ---shr-- C:\autorun.inf
2009-05-25 19:07 <DIR> --d----- C:\Hotspot Shield
2009-05-19 17:19 551,424 a------- c:\windows\system32\rpcss.dll
2009-05-19 17:19 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-05-19 17:19 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-05-19 17:19 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-05-19 17:19 183,296 a------- c:\windows\system32\sdohlp.dll
2009-05-19 17:19 98,304 a------- c:\windows\system32\iasrecst.dll
2009-05-19 17:19 54,784 a------- c:\windows\system32\iasads.dll
2009-05-19 17:19 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-05-19 17:19 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-05-19 17:19 17,408 a------- c:\windows\system32\iashost.exe
2009-05-19 17:18 1,255,936 a------- c:\windows\system32\lsasrv.dll
2009-05-19 17:18 72,704 a------- c:\windows\system32\secur32.dll
2009-05-19 17:18 24,064 a------- c:\windows\system32\amxread.dll
2009-05-19 17:18 13,824 a------- c:\windows\system32\apilogen.dll
2009-05-19 17:18 376,832 a------- c:\windows\system32\winhttp.dll
2009-05-19 17:18 562,176 a------- c:\windows\system32\msdtcprx.dll
2009-05-19 17:18 38,912 a------- c:\windows\system32\xolehlp.dll
2009-05-19 17:18 2,033,152 a------- c:\windows\system32\win32k.sys
2009-05-19 17:18 268,288 a------- c:\windows\system32\schannel.dll

==================== Find3M ====================

2009-06-01 16:26 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-01 16:26 51,200 a------- c:\windows\inf\infpub.dat
2009-05-15 11:37 29,480 a------- c:\windows\system32\msxml3a.dll
2009-04-24 10:32 86,016 a------- c:\windows\inf\infstor.dat
2009-03-23 17:42 124,168 a------- c:\windows\system32\WPPFilt.dll
2009-03-19 06:46 90,992 a------- c:\users\andy\appdata\roaming\nvModes.dat
2009-01-13 11:02 56 a---h--- c:\programdata\ezsidmv.dat
2009-01-13 11:02 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-10 12:23 174 a--sh--- c:\program files\desktop.ini
2008-09-10 12:14 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 16:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 16:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 13:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 13:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:12:01.27 ===============

[tetonbob]

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

One thing will be different. Rename ComboFix as you save it. Name it comfxx.exe as you're saving it, then run it according to the instructions.

Please include the C:\ComboFix.txt in your next reply for further review.

[andybucks]

Ok combo fix completed and deleted a few things.

Log attached....

ComboFix 09-06-16.02 - Andy 17/06/2009 8:28.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.44.1033.18.2046.971 [GMT 4:00]
Running from: c:\users\Andy\Desktop\comfxx.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Andy\AppData\Roaming\EurekaLog
c:\users\Andy\AppData\Roaming\EurekaLog\EurekaLog.ini
C:\Autorun.inf
c:\users\Andy\AppData\Local\Temp\install_flash_player.exe
c:\windows\system32\drivers\gxvxcwsbcydviphienliqxboptqetyntsepku.sys
c:\windows\system32\gxvxccount
c:\windows\system32\gxvxcnjfcurigtufdpgckpnkcphikmjbevbru.dll
c:\windows\system32\gxvxcoemsxrcwuqtnfqvdoruwnrxmkqycpavr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 04:37 . 2009-06-17 04:38 -------- d-----w- c:\users\Andy\AppData\Local\temp
2009-06-15 17:21 . 2009-06-15 17:21 -------- d-----w- c:\program files\SB
2009-06-15 13:15 . 2009-06-15 13:15 262144 ----a-w- C:\ntuser.dat
2009-06-15 12:50 . 2008-06-19 13:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-15 12:48 . 2009-06-15 12:48 -------- d-----w- c:\program files\Panda Security
2009-06-15 11:58 . 2009-06-15 11:58 -------- d-----w- c:\program files\Trend Micro
2009-06-15 09:32 . 2008-10-22 12:10 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 09:32 . 2008-10-22 12:10 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 09:32 . 2009-06-15 09:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-15 09:17 . 2009-06-15 09:19 -------- d-----w- c:\users\Andy\.housecall6.6
2009-06-08 06:27 . 2009-06-08 06:27 163601 ----a-w- c:\windows\XHeader Bonus Download Uninstaller.exe
2009-06-08 06:23 . 2009-06-08 12:49 -------- d-----w- c:\users\Andy\AppData\Local\xheader-data
2009-06-08 06:23 . 2009-06-08 06:23 203086 ----a-w- c:\windows\XHeader Uninstaller.exe
2009-06-08 06:23 . 2009-06-08 06:23 -------- d-----w- c:\program files\XHeader
2009-06-08 06:23 . 2009-06-08 06:23 -------- d-----w- c:\program files\Common Files\Thraex Software
2009-06-01 18:13 . 2009-06-01 18:13 33840 ----a-w- c:\windows\system32\drivers\hssdrv.sys
2009-06-01 12:26 . 2009-06-01 12:26 -------- d-----w- c:\program files\OpenVPN
2009-05-31 14:22 . 2009-05-31 14:22 0 ----a-w- c:\windows\system32\cd.dat
2009-05-25 15:07 . 2009-05-25 15:07 -------- d-----w- C:\Hotspot Shield
2009-05-19 13:18 . 2009-02-13 08:49 1255936 ----a-w- c:\windows\system32\lsasrv.dll
2009-05-19 13:18 . 2009-03-17 03:38 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-05-19 13:18 . 2009-03-17 03:38 24064 ----a-w- c:\windows\system32\amxread.dll
2009-05-19 13:18 . 2009-02-13 08:49 72704 ----a-w- c:\windows\system32\secur32.dll
2009-05-19 13:18 . 2008-12-06 04:42 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-05-19 13:18 . 2008-06-06 03:27 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-05-19 13:18 . 2008-06-06 03:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-05-19 13:18 . 2009-02-09 03:10 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-19 13:18 . 2008-11-27 04:43 268288 ----a-w- c:\windows\system32\schannel.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 04:26 . 2008-01-07 23:00 12 ----a-w- c:\windows\bthservsdp.dat
2009-06-17 04:26 . 2008-08-25 16:46 -------- d-----w- c:\users\Andy\AppData\Roaming\DNA
2009-06-16 13:51 . 2008-08-25 16:46 -------- d-----w- c:\users\Andy\AppData\Roaming\BitTorrent
2009-06-16 08:21 . 2009-01-30 09:46 -------- d-----w- c:\program files\Micro Niche Finder
2009-06-15 17:21 . 2008-07-03 07:27 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-15 17:13 . 2008-07-03 07:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-15 13:31 . 2008-07-02 16:27 187328 ----a-w- c:\users\Andy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-15 13:15 . 2008-01-07 23:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-15 13:08 . 2009-05-15 07:38 53319 ----a-w- c:\programdata\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe
2009-06-14 06:24 . 2009-03-02 08:51 -------- d-----w- c:\users\Andy\AppData\Roaming\Serif
2009-06-14 06:08 . 2009-03-02 15:34 -------- d-----w- c:\program files\Serif
2009-06-09 10:01 . 2009-03-29 13:04 -------- d-----w- c:\users\Andy\AppData\Roaming\HAPedit
2009-06-04 07:29 . 2008-07-04 06:56 -------- d-----w- c:\programdata\Roxio
2009-06-03 16:55 . 2008-07-28 02:14 -------- d-----w- c:\program files\Hotspot Shield
2009-06-03 16:53 . 2009-01-13 06:58 -------- d-----w- c:\users\Andy\AppData\Roaming\Skype
2009-06-03 16:19 . 2009-01-13 07:02 -------- d-----w- c:\users\Andy\AppData\Roaming\skypePM
2009-05-31 05:12 . 2008-02-22 09:17 -------- d-----w- c:\programdata\Microsoft Help
2009-05-31 04:37 . 2008-12-08 05:13 -------- d-----w- c:\users\Andy\AppData\Roaming\My Games
2009-05-19 11:05 . 2008-02-22 09:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-15 07:52 . 2009-05-15 07:46 -------- d-----w- c:\users\Andy\AppData\Roaming\CyberLink
2009-05-15 07:40 . 2009-05-15 07:40 -------- d-----w- c:\program files\Common Files\CyberLink
2009-05-15 07:37 . 2009-05-15 07:38 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-05-15 04:39 . 2008-10-08 15:56 -------- d-----w- c:\program files\PokerStars
2009-05-06 07:48 . 2009-05-06 07:48 26694 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{194BFA8B-8ABF-43F4-A4B5-A38F6B21C3C2}\_42307eb7.exe
2009-05-06 07:48 . 2009-05-06 07:48 26694 ----a-r- c:\users\Andy\AppData\Roaming\Microsoft\Installer\{194BFA8B-8ABF-43F4-A4B5-A38F6B21C3C2}\_366b66c4.exe
2009-05-06 07:47 . 2008-11-20 10:33 -------- d-----w- c:\program files\Google
2009-04-24 06:32 . 2009-04-09 09:49 -------- d-----w- c:\program files\Etisalat 3.5G Router
2009-04-07 07:18 . 2008-07-02 16:27 1356 ----a-w- c:\users\Andy\AppData\Local\d3d9caps.dat
2009-03-23 13:42 . 2009-03-23 13:42 124168 ----a-w- c:\windows\system32\WPPFilt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2008-11-29 12:33 204248 ----a-w- c:\program files\Hotspot Shield\HssIE\HssIE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-06 07:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-06 07:16 2955264 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"NSUFloatingUI"="c:\program files\Sony\Network Utility\LANUtil.exe" [2007-12-12 253952]
"BitTorrent DNA"="c:\users\Andy\Program Files\DNA\btdna.exe" [2008-12-20 342848]
"Google Update"="c:\users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2008-10-22 399504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 07:03 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 04:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2FAF1869-0E79-47F0-9D6B-CC818E8A5917}"= Disabled:UDP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{A41470D1-2E04-4C1B-AA85-5789A3FCD6F2}"= Disabled:TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{DBBE6670-36F6-4B50-A107-54F728680C69}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CA0F7CB1-E4EB-403F-BA0E-3B77CCAAC454}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{55DE0570-C2AA-4B28-9556-5619CF4C2E2F}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{6F598686-098D-433A-BECF-44A08414CD87}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{93FB9604-DCB4-4758-BB17-AE30FA340DFB}c:\\program files\\dap\\dap.exe"= UDP:c:\program files\dap\dap.exe:Download Accelerator Plus (DAP)
"UDP Query User{93706FBD-6D6D-44CF-9363-F9EE31D25C31}c:\\program files\\dap\\dap.exe"= TCP:c:\program files\dap\dap.exe:Download Accelerator Plus (DAP)
"{A3C8153E-F1CE-41B0-B00B-91007E26E4BA}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B84A7B83-C596-49AB-B54C-E58C4F11A30E}"= UDP:c:\program files\Sony\VAIO Media Integrated Server\VMISrv.exe:[VAIO Media] Integrated Server
"{6F11D133-759A-4F4B-A98F-7E00E465123B}"= TCP:c:\program files\Sony\VAIO Media Integrated Server\VMISrv.exe:[VAIO Media] Integrated Server
"{5A204EB9-D790-4903-8173-330D850C0271}"= UDP:c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe:[VAIO Media] HTTP Server
"{79FFC862-59D8-447C-B3DD-8E14F9A76167}"= TCP:c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe:[VAIO Media] HTTP Server
"{FC841F74-8612-400B-A1A5-12A42AFC365B}"= UDP:c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe:[VAIO Media] Content Collection
"{E1A5E4F1-B069-4B58-9F04-FF102996D8C6}"= TCP:c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe:[VAIO Media] Content Collection
"{5531D741-7FA6-4032-BDD5-EC717A8DBF8C}"= UDP:c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe:[VAIO Media] UPnP Server
"{6C38B1A8-4CF6-4696-B40C-4A2FE4917FE3}"= TCP:c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe:[VAIO Media] UPnP Server
"{ACD4948A-1C9B-472C-9946-12BB5A320283}"= UDP:c:\program files\Sony\VAIO Media Integrated Server\Platform\VmServerSettings.exe:[VAIO Media] SNAC Server
"{BBE47970-E836-4281-9F43-93DD1E608E45}"= TCP:c:\program files\Sony\VAIO Media Integrated Server\Platform\VmServerSettings.exe:[VAIO Media] SNAC Server
"TCP Query User{8BF2D0FD-7C11-4B36-A5FB-81D9CF23342A}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{D02D7CAA-92D5-488A-9816-A7D49D897728}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{FA388117-414B-41B3-9799-B87AB9E01C4E}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{4791622C-2FCC-4C74-BE27-EDC0B8ED14AC}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{7A1FF285-C8EB-419E-B80B-36245F3D7456}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"UDP Query User{43E7AAF7-BC42-4BE9-81D0-00B92D3F8AE3}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:µTorrent
"TCP Query User{419B887B-1714-4115-8D27-CD7C8A7A0105}c:\\users\\andy\\program files\\dna\\btdna.exe"= UDP:c:\users\andy\program files\dna\btdna.exe:btdna.exe
"UDP Query User{73565457-7578-47E4-8C48-B043EBBFFF9E}c:\\users\\andy\\program files\\dna\\btdna.exe"= TCP:c:\users\andy\program files\dna\btdna.exe:btdna.exe
"TCP Query User{BBC289DB-56EB-4486-8839-4812F3E17605}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{3B14DBBF-7ADD-4427-B329-AFF3EC5C00AE}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"TCP Query User{0871E9C7-348B-4941-9CD1-6519AA4D6C19}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{7E36FD87-DF17-4A2F-892E-14F1E5C7ACA5}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{39B6962A-8ECB-416C-88C4-B70D7E96DC25}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{70F7DEF6-07BE-45FB-8416-AA6FCBBE97D8}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"{62B63088-5D27-4BA6-9017-EA9968B4E742}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{08D6B501-D417-4659-8889-4C719F32D5F2}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{C40E8A51-B0D6-4CCC-A03B-26C902A1FE38}c:\\program files\\ghostsurf 2005\\proxy.exe"= UDP:c:\program files\ghostsurf 2005\proxy.exe:GhostSurf proxy
"UDP Query User{D0B38973-5A48-45D8-88BF-D38D9CA7631A}c:\\program files\\ghostsurf 2005\\proxy.exe"= TCP:c:\program files\ghostsurf 2005\proxy.exe:GhostSurf proxy
"{12AA7FCB-F8B1-4EAF-A501-1BC046FF3E75}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{71093ECC-C6FC-47D2-88E1-0875C206AF7D}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{47ECCF69-84A1-4386-AD79-A5BEEC5412E7}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{C4507CD1-9246-47D9-9703-E9DC3FA781E0}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{AA031398-B5AA-4F4A-BDA2-AA29D154E0C3}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A31222CC-0FD5-4AB3-B26D-056A23E9C900}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{8676DA40-AECC-40C3-B4C1-A9EA65942362}c:\\users\\andy\\program files\\dna\\btdna.exe"= UDP:c:\users\andy\program files\dna\btdna.exe:btdna.exe
"UDP Query User{8AF50B7B-3CCA-4980-BEF7-ACFFE8B9B6AF}c:\\users\\andy\\program files\\dna\\btdna.exe"= TCP:c:\users\andy\program files\dna\btdna.exe:btdna.exe
"{BABF0FF8-B4B0-4BFC-BEE5-722715ECDEA0}"= UDP:c:\users\Andy\AppData\Local\Temp\hpdiu2\HPDIU\HPDIUNetwork.exe:HP Networked Printer Installer
"{1CCB7E98-51B9-47F4-BF8C-684D323D22A0}"= TCP:c:\users\Andy\AppData\Local\Temp\hpdiu2\HPDIU\HPDIUNetwork.exe:HP Networked Printer Installer
"{F79F4262-8EC9-4252-8564-81B43D7725EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{72D14792-31A3-4C55-A25D-C4799016654B}"= Disabled:UDp:\\sysabudhabi\Public\SOFTWARE\Drivers\HP C7100 Series Vista\AIO_CDA_Full_Net (E)\setup\hpznui01.exe:hpznui01.exe
"{A3625C6E-57F8-4DA4-91C7-E9DCB0924222}"= Disabled:TCp:\\sysabudhabi\Public\SOFTWARE\Drivers\HP C7100 Series Vista\AIO_CDA_Full_Net (E)\setup\hpznui01.exe:hpznui01.exe
"TCP Query User{206F5425-353B-4405-8628-017050906D4F}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{9D03E802-2E84-437D-A476-6A213D9004C5}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"{7E0FD9A9-6966-40D0-A41B-BEE652C9232C}"= UDP:5353:Adobe CSI CS4
"{0C4AEE7A-2CA7-4E35-A123-B8B87236500F}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{373C5721-A108-4DE8-9756-C21A49E649A0}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{AB4DD3D1-8BB3-44D8-8775-BF30EE4C8BCF}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{EEAAC290-F25D-48A5-99F1-F9072A4E09EC}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{C8CA989F-1EC0-4498-B9B6-EC01EDB9342F}"= UDP:5353:Adobe CSI CS4
"{489559A5-F911-463F-9727-EB6D4F4CBE77}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{19517C65-B9EE-4717-90F6-D26DCB79971E}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{D3EC52B3-5587-497A-929A-4BC2DEE025B4}c:\\program files\\micro niche finder\\microniche.exe"= UDP:c:\program files\micro niche finder\microniche.exe: Micro Niche Finder
"UDP Query User{E8B61233-7E86-4968-B49F-1C0EA59EDE68}c:\\program files\\micro niche finder\\microniche.exe"= TCP:c:\program files\micro niche finder\microniche.exe: Micro Niche Finder
"TCP Query User{5FE54305-80E2-4B12-80C1-D6FE3172D5D0}c:\\program files\\sopcast\\adv\\sopadver.exe"= UDP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"UDP Query User{09C56F8D-30D5-41E9-9C6A-14C2E1C00A1F}c:\\program files\\sopcast\\adv\\sopadver.exe"= TCP:c:\program files\sopcast\adv\sopadver.exe:SopCast Adver
"TCP Query User{B9E288A4-8B7C-46B6-96D3-EFCE78CEF018}c:\\program files\\sopcast\\sopcast.exe"= UDP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"UDP Query User{43A368FC-7493-40B3-B0C1-D407AA4EFE5D}c:\\program files\\sopcast\\sopcast.exe"= TCP:c:\program files\sopcast\sopcast.exe:SopCast Main Application
"TCP Query User{2B9C88C9-0C05-4751-99FE-E06D10B97FDE}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B87C723F-6129-4AB4-A655-7EF1BEF68B18}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{CBC36D5E-F821-41EA-97FD-0D215E3909B7}c:\\program files\\serif\\webplus\\x2\\program\\webplus.exe"= UDP:c:\program files\serif\webplus\x2\program\webplus.exe:Serif WebPlus X2
"UDP Query User{B7ED369F-D79D-4789-B7AD-5BE6189B38ED}c:\\program files\\serif\\webplus\\x2\\program\\webplus.exe"= TCP:c:\program files\serif\webplus\x2\program\webplus.exe:Serif WebPlus X2
"TCP Query User{54A569FA-056D-4094-B43A-02ED332132A4}c:\\program files\\serif\\webplus\\x2\\program\\webplus.exe"= UDP:c:\program files\serif\webplus\x2\program\webplus.exe:Serif WebPlus X2
"UDP Query User{7A2C4B55-339C-492D-9938-FCC9A673E70E}c:\\program files\\serif\\webplus\\x2\\program\\webplus.exe"= TCP:c:\program files\serif\webplus\x2\program\webplus.exe:Serif WebPlus X2
"TCP Query User{C96F99F2-2042-49EE-B882-0F13DA7991B3}c:\\users\\andy\\desktop\\hapedit\\hapedit.exe"= UDP:c:\users\andy\desktop\hapedit\hapedit.exe:hapedit.exe
"UDP Query User{1F2C338D-2F8C-4E1E-88C8-C950B9504CC8}c:\\users\\andy\\desktop\\hapedit\\hapedit.exe"= TCP:c:\users\andy\desktop\hapedit\hapedit.exe:hapedit.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [15/06/2009 16:50 28544]
R0 shpf;Sony HDD Protection Filter Driver;c:\windows\System32\drivers\shpf.sys [08/01/2008 01:37 21408]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [11/09/2007 00:45 124832]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [01/06/2009 22:13 331312]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [15/06/2009 13:32 170640]
R2 Micro Niche Finder Background Download Service;Micro Niche Finder Background Download Service;c:\program files\Micro Niche Finder\srvany.exe [19/04/2009 11:20 8192]
R2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [22/02/2008 13:47 204800]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe [22/02/2008 13:38 125440]
R2 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [22/02/2008 13:29 745472]
R2 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [22/02/2008 13:29 397312]
R2 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [22/02/2008 13:29 1089536]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [22/02/2008 13:38 17920]
R3 MBAMProtector;MBAMProtector;c:\windows\System32\drivers\mbam.sys [15/06/2009 13:32 15504]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [08/01/2008 01:37 75392]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [08/01/2008 01:37 43904]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [08/01/2008 01:37 9344]
R3 SPI;Sony Programmable I/O Control Device;c:\windows\System32\drivers\SonyPI.sys [08/01/2008 01:37 14720]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\System32\drivers\SSLDrv.sys [04/02/2008 16:46 20504]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\System32\drivers\tap0901.sys [19/11/2008 22:22 25216]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [08/01/2008 01:37 812544]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [08/01/2008 03:26 28464]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [11/11/2008 17:29 33752]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [01/06/2009 22:58 34352]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [22/02/2008 13:42 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [22/02/2008 13:42 79136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2639940613-146822564-1301777117-1003.job
- c:\users\Andy\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-28 12:29]

2009-06-17 c:\windows\Tasks\User_Feed_Synchronization-{24543016-E3FC-4C9B-9769-75369AA17F83}.job
- c:\windows\system32\msfeedssync.exe [2009-05-18 11:31]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = %3clocal%3e:80
uInternet Settings,ProxyOverride = <local>
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: sonicwall.com\sslvpn
Trusted Zone: systechgroup.net\ssl
TCP: {5FD2BAA1-9CD7-4CDB-B32F-B18FC8F66C79} = 10.16.128.1
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\users\Andy\AppData\Roaming\Mozilla\Firefox\Profiles\f07zv1ww.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\users\Andy\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\Andy\Program Files\DNA\plugins\npbtdna.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 08:38
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2639940613-146822564-1301777117-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8F44A93C-4632-6C8F-5711-0C66DC8FBFA9}*]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-06-17 8:40
ComboFix-quarantined-files.txt 2009-06-17 04:39

Pre-Run: 123,816,755,200 bytes free
Post-Run: 124,133,556,224 bytes free

301 --- E O F --- 2009-05-19 13:20

[tetonbob]

Hi -

That looks better. No need to attach or zip the logs going forward, thanks.


As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

3. Uninstall the following via Add or Remove Programs in Control Panel:

• p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( BitTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------


Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java(TM) 6 Update 7

This is outdated, and a security risk by having it installed still. Unfortunately, Java does not uninstall older versions when you update, nor tell you that you should. Java(TM) 6 Update 12 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

---------------------------------------------------------------------------------------------

You should now be able to run Malwarebytes' Antimalware.

Please update it's definitions, and run a new Quick Scan.

• Launch Malwarebytes' Antimalware
• On the updates tab, click on Check for Updates
• If an update is found, it will begin. Once the update is complete..
• Click on the Scanner tab. Select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

[andybucks]

Ok done, Malwarebytes working, updated and results of quick scan below.

Am i clean now?? I want to purchase a anti virus / software firewall package. Any recommendations? I've used Norton in the past but found it to really slow my system down.


Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 6.0.6001 Service Pack 1

17/06/2009 10:36:43
mbam-log-2009-06-17 (10-36-43).txt

Scan type: Quick Scan
Objects scanned: 81417
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[andybucks]

sorry meant to say also p2p uninstalled (boo) and old skool version of java uninstalled and version 13 installed.

Thanks for your help on this by the way its greatly appreciated.

[andybucks]

sorry meant to say also p2p uninstalled (boo) and old skool version of java uninstalled and version 13 installed.

Thanks for your help on this by the way its greatly appreciated.

[tetonbob]

There are several vendors with such packages. ESET, Kaspersky, Avira are three of the best. Each have trial versions, so you can test them out without committing monies for usually 30 days.

You can view some comparisons here

www.av-comparatives.org

Installing an AntiVirus was next on the list, since there appears to be none on this machine. if you need time to decide, install this Free antivirus now.


Install this FREE AntiVirus program, update it, and run a full system scan. This is in addition to the quick scan suggested upon installation.

Avira AntiVir Personal

There is an installation guide here

When the scan is complete, click on the Report button. A log file will open. Please post that in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

---------------------------------------------------------------------------------------------


Whatever you decide, install, updates definitions, and run a full system scan.

Once you've done that, post a new set of logs from DDS, please.

[tetonbob]

Still with me, andybucks?

I generally unsubscribe from threads after 7 days of inactivity. If I don't receive a reply from you within 24 hours of this post, this topic will be closed.

[tetonbob]

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help