Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware/ Worm/Blaster


  • Please log in to reply
3 replies to this topic

#1 Aeongrl

Aeongrl

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:California
  • Local time:06:55 AM

Posted 23 July 2011 - 05:03 PM

Hello This is Aeongrl again.
I ran a DDS report and GMER to get info on rootkits. I really have no clue what all this means, I simply followed instructions form my bleeping computer.

Background info: When I logged onto my computer that runs windows xp I received a malicious malware warning. I am unable to open any program such as firefox, explorer or even run cmd. The warning states I have a W32/Blaster.worm.
Help, here is the DDS txt and ark.txt What should I do next?

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by slaton at 14:09:40 on 2011-07-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.792 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\slaton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Update] "c:\documents and settings\slaton\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10o_Plugin.exe -update plugin
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Hkefidogosixax] rundll32.exe "c:\windows\izodahemofivu.dll",Startup
StartupFolder: c:\docume~1\slaton\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229831646718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{635D7DC1-C747-4483-BF7B-CCDD5015EA05} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{8B6E48A8-3580-4CCA-87BE-92DA4D7CF215} : DhcpNameServer = 193.147.150.14 193.147.150.15
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\slaton\application data\mozilla\firefox\profiles\cleposmg.default\
FF - prefs.js: browser.search.selectedEngine - Premier Cru
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\slaton\local settings\application data\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {8FE62565-7C0D-4280-9057-50731EE25AE2} - c:\documents and settings\janelle\local settings\application data\{8FE62565-7C0D-4280-9057-50731EE25AE2}
FF - Ext: XULRunner: {4D421569-E595-4C71-A696-05EC749D79FC} - c:\documents and settings\slaton\local settings\application data\{4D421569-E595-4C71-A696-05EC749D79FC}
.
============= SERVICES / DRIVERS ===============
.
S3 BENQFVNETusb(AR)®;BENQ FVNETusb(AR)® Service for BENQ AWL300R/AWL400R Wireless LAN USB Adapter;c:\windows\system32\drivers\vnetusbr.sys [2007-6-25 99200]
S3 USBFVNETR;BENQ AWL300R/AWL400R Wireless LAN USB Adapter;c:\windows\system32\drivers\vnetusbr.sys [2007-6-25 99200]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== Created Last 30 ================
.
2011-07-23 20:14:26 -------- d-----w- c:\documents and settings\slaton\local settings\application data\{4D421569-E595-4C71-A696-05EC749D79FC}
2011-07-08 02:20:39 884224 ----a-w- c:\documents and settings\all users\application data\defender.exe
.
==================== Find3M ====================
.
2011-07-23 19:56:24 0 ----a-w- c:\windows\Mnidej.bin
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 14:47:19 81920 ------w- c:\windows\system32\ieencode.dll
2011-04-25 14:47:19 667136 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 14:47:19 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-04-25 12:56:44 369664 ------w- c:\windows\system32\html.iec
.
============= FINISH: 14:10:49.39 ===============



ark txt
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-23 14:36:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Hitachi_HTS424030M9AT00 rev.MAAOA71A
Running: gmer.exe; Driver: C:\DOCUME~1\slaton\LOCALS~1\Temp\ugtdypoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Edited by Blade Zephon, 23 July 2011 - 05:19 PM.
Moved to log forum. ~BZ

Aeongrl

BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:07:55 AM

Posted 31 July 2011 - 03:32 PM

hi Aeongrl,

Your post is a few days old. If you still need help simply reply back and we will see what we can do.

How Can I Reduce My Risk to Malware?


#3 Aeongrl

Aeongrl
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:California
  • Local time:06:55 AM

Posted 18 August 2011 - 01:29 AM

I ran the free Malwarebytes Anti Malware and I think it removed the worm/blaster.
Any other suggestions so I don't end up having this thing infect my external hard drive?
Thank you,
Aeongrl
Aeongrl

#4 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:07:55 AM

Posted 18 August 2011 - 04:01 PM

I dont see a resident antivirus in the log. Do you have one installed?

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users