
[Resolved] Computer Crashes during SuperAntiSpyware Scan


  • This topic is locked
21 replies to this topic

#1 woodlandcreature

    New Member

  • Authentic Member
  • 15 posts

Posted 28 April 2009 - 07:03 PM

I have been frequently losing the internet connection on my laptop, so I decided to scan the C drive using SuperAntiSpyware.

Three times I have tried to scan, and all three times my computer has crashed.

First crash error message:
STOP: 0x0000008E (0xC0000005, 0x8707A286, 0xB9E611C4, 0x00000000)

Second crash:
PAGE_FAULT_IN_NONPAGED_AREA:
0x00000050 (0x8F11B3F7, 0x00000000, 0x87121286, 0x00000000)

Third crash:
STOP: 0x0000008E (0xC0000005, 0x8707A286, 0xB9E611C4, 0x00000000)


Again, I have only had the crash when running the anti-virus scan. I am also still having problems maintaining my internet connection with this computer.


Hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:51 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\WinSPMsv.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.davidbowie.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.69.254.250:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {EF3101FD-0997-4BA0-9B2F-119C0AF7C506} - c:\windows\system32\gpppxou.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [WinSPM] WinSPMsv.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [ccd6bc71] rundll32.exe "C:\WINDOWS\system32\quwayifr.dll",b
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Yxobigokido] rundll32.exe "C:\WINDOWS\iqaruxecaba.dll",e
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Jessica Voss\reader_s.exe
O4 - HKCU\..\RunOnce: [DeleteGrabPro] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Orbitdownloader\GrabPro.dll"
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgre...eensActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165091800671
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O20 - AppInit_DLLs: prekpr.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: oyjtfchf - gpppxou.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12071 bytes



Please help if you can!

Thanks,
Jessica
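A helper reads a HijackThis log like the one above by hand, looking first at a handful of entry types: a Userinit value with anything appended after userinit.exe, a populated AppInit_DLLs, entries that point at files which no longer exist, autoruns that load a DLL through rundll32.exe, an executable launched from the root of a user profile, and a proxy configured in the browser settings. The Python script below is an added example, not part of this thread and not a HijackThis feature: it parses lines in the HijackThis format and flags those entry types so a reviewer can see at a glance which lines deserve attention. The sample lines are copied from the log posted above; the rule set and the function names are this example's own assumptions, not an official checklist.

```python
"""Triage a HijackThis-style log: flag the entry types a reviewer examines first."""
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 67.69.254.250:80
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: (no name) - {EF3101FD-0997-4BA0-9B2F-119C0AF7C506} - c:\windows\system32\gpppxou.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccd6bc71] rundll32.exe "C:\WINDOWS\system32\quwayifr.dll",b
O4 - HKLM\..\Run: [Yxobigokido] rundll32.exe "C:\WINDOWS\iqaruxecaba.dll",e
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Jessica Voss\reader_s.exe
O20 - AppInit_DLLs: prekpr.dll
O20 - Winlogon Notify: oyjtfchf - gpppxou.dll (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
""".strip("\n")

# Every HijackThis entry starts with a section code such as R1, F2, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe inside an entry body (quotes optional).
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# An .exe sitting directly in a user's profile directory rather than a program folder.
PROFILE_ROOT_RE = re.compile(
    r"^[A-Za-z]:\\(documents and settings|users)\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt_line(line):
    """Split one log line into its section code and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body")}


def flag_line(line):
    """Return the list of reasons this entry deserves a closer look (empty if none)."""
    entry = parse_hjt_line(line)
    if entry is None:
        return []
    section, body = entry["section"], entry["body"]
    reasons = []

    # F2: userinit.exe on its own is the default; anything appended runs at every logon.
    if section == "F2" and "UserInit=" in body:
        values = body.split("UserInit=", 1)[1].split(",")
        extras = [v.strip() for v in values
                  if v.strip() and not v.strip().lower().endswith("\\userinit.exe")]
        if extras:
            reasons.append("extra Userinit entry: " + ", ".join(extras))

    # R1: a proxy in the browser settings routes all web traffic through that host.
    if section == "R1" and "ProxyServer" in body:
        reasons.append("IE proxy configured: " + body.split("=", 1)[1].strip())

    # Any section: a registration whose file is gone is a leftover worth cleaning.
    if "(file missing)" in body:
        reasons.append("orphaned entry referencing a missing file")

    if section == "O4":
        # Autoruns that load a DLL via rundll32 hide the real payload behind a host process.
        if re.search(r"\brundll32(\.exe)?\s", body, re.IGNORECASE):
            reasons.append("rundll32 autorun loading a DLL")
        # Autoruns launched from the root of a user profile are unusual for installed software.
        m = EXE_PATH_RE.search(body)
        if m and PROFILE_ROOT_RE.match(m.group(1)):
            reasons.append("autorun executable in user profile root: " + m.group(1))

    # O20: AppInit_DLLs is loaded into every process that links user32.dll.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            reasons.append("AppInit_DLLs populated: " + value)

    # O23: unsigned or unknown publisher is low priority on its own, but worth noting.
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner (low priority)")

    return reasons


def triage(log_text):
    """Return [(line, reasons), ...] for every entry that raised at least one reason."""
    results = []
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            results.append((line.strip(), reasons))
    return results


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Running the script on the sample prints nine flagged entries and skips the two ordinary ones (the Google Toolbar BHO and the Synaptics autorun). The rules deliberately flag a category rather than name a specific piece of malware: a triage list tells the reviewer where to look, and the decision about what to remove still rests on the rest of the log and the helper's judgement.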



#2 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 03 May 2009 - 05:31 AM

Hi and Welcome,

Please do the following:

(Note: if your computer continues to crash during these scans, try them in safe mode.)


STEP #1

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.pif to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.



STEP #2


Download the GMER Rootkit Scanner. Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Please describe how your computer is behaving at the moment, listing any symptoms and problems that you are experiencing.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 woodlandcreature

    New Member

  • Authentic Member
  • 15 posts

Posted 03 May 2009 - 04:35 PM

I zipped the ATTACH file and attached it.

Posted below is the DDS info followed by the GMER Log. I did not receive any notices about Rootkit activity during the scan.


I also ran SuperAntiSpyware in Safe Mode.

It quarantined the following:
Trojan.RootKit/Gen
C:\WINDOWS\SYSTEM32\DLLCACHE\NDIS.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS

This resulted in all the network connections disappearing and my wireless card drivers disappearing... So I had to restore the items to regain my connection.

Also, when my computer starts up, I receive the following message:

rundll32.exe - Bad Image
The application or DLL C:\WINDOWS\iqaruxecaba.dll is not a valid Windows image. Please check this against your installation diskette.

---------------------------------------------------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jessica Voss at 11:50:01.48 on Sun 05/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.355 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\WinSPMsv.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jessica Voss\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Bar =
uStart Page = hxxp://www.davidbowie.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061127
uInternet Settings,ProxyServer = 67.69.254.250:80
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: : {ef3101fd-0997-4ba0-9b2f-119c0af7c506} - c:\windows\system32\gpppxou.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [reader_s] c:\documents and settings\jessica voss\reader_s.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [WinSPM] WinSPMsv.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Yxobigokido] rundll32.exe "c:\windows\iqaruxecaba.dll",e
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\qsb.exe" /autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
StartupFolder: c:\docume~1\jessic~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1165091800671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: oyjtfchf - gpppxou.dll
AppInit_DLLs: prekpr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccbBsSl
LSA: Notification Packages = scecli hexscl4D.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jessic~1\applic~1\mozilla\firefox\profiles\7v58s7c6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: XUL Cache: {6479A3B6-D36A-40D9-BEE6-20D1C19B9A1F} - c:\documents and settings\jessica voss\local settings\application data\{6479A3B6-D36A-40D9-BEE6-20D1C19B9A1F}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-4-30 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-4-30 36368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2009-4-30 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~2\TmPfw.exe [2009-4-30 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-4-30 648456]
S2 ihxeifcg;Terminal Device Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 f_kp;f_kp;c:\windows\system32\drivers\f_kp.sys [2007-2-13 4598]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-04-30 19:33 <DIR> --d----- c:\windows\system32\log
2009-04-30 18:52 142,864 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-30 18:52 52,752 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-30 18:52 52,624 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-30 18:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-04-30 18:10 656,648 a------- c:\windows\system32\UfWSC.cpl
2009-04-30 18:10 1,195,448 a------- c:\windows\system32\drivers\vsapint.sys
2009-04-30 18:10 333,328 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-04-30 18:10 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-04-30 18:10 65,936 a------- c:\windows\system32\drivers\tmtdi.sys
2009-04-30 18:10 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-04-29 18:45 <DIR> --dsh--- c:\windows\system32\lowsec
2009-04-17 21:52 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-04-15 18:21 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 18:21 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 18:21 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 18:21 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 18:21 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 18:21 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 18:21 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 18:21 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 18:21 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 18:21 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 18:19 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 18:19 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 18:19 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-08 17:41 0 a------- c:\windows\Vqazo.bin
2009-04-08 17:41 408 a------- c:\windows\Ileruyuqiyu.dat
2009-04-06 23:15 8,461,312 -------- c:\windows\system32\dllcache\shell32.dll

==================== Find3M ====================

2009-04-17 21:52 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-10 17:22 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-01 00:38 184,876 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 01:55 32,820 a--sh--- c:\windows\system32\lSsBbccf.ini2
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 14:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 11:50:53.50 ===============

---------------------------------------------------------------------------------------------------------------------------------------------------------------

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-03 17:21:51
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8604BC60 ZwCreateKey
SSDT 8604B1A0 ZwCreateProcess
SSDT 8604B460 ZwCreateProcessEx
SSDT 8604CAC0 ZwCreateThread
SSDT 8604C1E0 ZwDeleteKey
SSDT 8604C4A0 ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF73BCA92]
SSDT sptd.sys ZwEnumerateValueKey [0xF73BCE20]
SSDT 8604CC60 ZwLoadDriver
SSDT sptd.sys ZwOpenKey [0xF73B7090]
SSDT 8604B6E0 ZwOpenProcess
SSDT sptd.sys ZwQueryKey [0xF73BCEF8]
SSDT sptd.sys ZwQueryValueKey [0xF73BCD78]
SSDT 8604BF20 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEDE8BF20]
SSDT 8604C920 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F670E8AC 5 Bytes JMP 86F8D1C8
? System32\Drivers\akarw1ko.SYS The system cannot find the path specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73B7AB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73B7BFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73B7B7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73B8728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73B85FE] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73CAC5A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 871601E8

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86F7A1E8
Device \Driver\usbuhci \Device\USBPDO-1 86F7A1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 871D01E8
Device \Driver\dmio \Device\DmControl\DmConfig 871D01E8
Device \Driver\dmio \Device\DmControl\DmPnP 871D01E8
Device \Driver\dmio \Device\DmControl\DmInfo 871D01E8
Device \Driver\usbuhci \Device\USBPDO-2 86F7A1E8
Device \Driver\usbuhci \Device\USBPDO-3 86F7A1E8
Device \Driver\usbehci \Device\USBPDO-4 86F4D1E8

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 871621E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{60429638-DBC3-44F0-910B-336A2179D5D3} 86E77980
Device \Driver\Ftdisk \Device\HarddiskVolume2 871621E8
Device \Driver\Cdrom \Device\CdRom0 86EDF1E8
Device \Driver\Cdrom \Device\CdRom1 86EDF1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 871621E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 871621E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86E77980
Device \Driver\NetBT \Device\NetbiosSmb 86E77980
Device \Driver\PCI_NTPNP5406 \Device\0000005b sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\usbuhci \Device\USBFDO-0 86F7A1E8
Device \Driver\usbuhci \Device\USBFDO-1 86F7A1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86CBD980
Device \Driver\usbuhci \Device\USBFDO-2 86F7A1E8
Device 86CBD980
Device \Driver\usbuhci \Device\USBFDO-3 86F7A1E8
Device \Driver\usbehci \Device\USBFDO-4 86F4D1E8
Device \Driver\Ftdisk \Device\FtControl 871621E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A33246F8-2B8B-41A4-B568-26253DDB2AE7} 86E77980
Device \Driver\akarw1ko \Device\Scsi\akarw1ko1 86ED3980
Device \Driver\akarw1ko \Device\Scsi\akarw1ko1Port2Path0Target0Lun0 86ED3980
Device 85826980
Device B6AB1297

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 86C5E980
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1334798927
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1594267426
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x0F 0x79 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x38 0x28 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x32 0xAD 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x0F 0x79 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x38 0x28 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x32 0xAD 0xEB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEC 0x0F 0x79 0x33 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBC 0x38 0x28 0x4C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x32 0xAD 0xEB ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- EOF - GMER 1.0.15 ----

Thanks for the help,

Jessica


#4 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 03 May 2009 - 05:41 PM

Hi,

Your machine is very heavily infected.
It is possible you are infected with VIRUT - a polymorphic file infector.
In which case a total wipe and reformat is the only recommended course of action.

First I would like you to upload a couple of files for analysis:

Please do this:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\documents and settings\jessica voss\reader_s.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Follow the same procedure for the following files:


c:\windows\system32\dllcache\ndis.sys
C:\WINDOWS\system32\userinit.exe
c:\windows\system32\sdra64.exe


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#5 woodlandcreature

woodlandcreature

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 03 May 2009 - 09:35 PM

For c:\windows\system32\sdra64.exe and c:\documents and settings\jessica voss\reader_s.exe
I received the messages: ERROR: Failed to find flength file! and ERROR: Can't find upload file!



For c:\windows\system32\dllcache\ndis.sys:

VirSCAN.org Scanned Report :
Scanned time : 2009/04/30 21:06:51 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : ndis.sys
File Size : 182656 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : 1df7f42665c94b825322fae71721130d
SHA1 : b8e7cce36011313b3b908c7ebfa598057847d340
Online report : http://virscan.org/r...6e5ea05be4.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090501070155 2009-05-01 1.95 -
AhnLab V3 2009.04.30.02 2009.04.30 2009-04-30 0.64 -
AntiVir 7.9.0.160 7.1.3.139 2009-04-30 2.08 -
Antiy 2.0.18 20090430.2323543 2009-04-30 0.12 -
Arcavir 2009 200904301024 2009-04-30 0.11 -
Authentium 5.1.1 200904301958 2009-04-30 1.44 -
AVAST! 3.0.1 090430-0 2009-04-30 0.01 -
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.06 -
BitDefender 7.81008.2860111 7.25111 2009-05-01 2.69 -
CA (VET) 9.0.0.143 31.6.6483 2009-04-30 7.01 -
ClamAV 0.95 9307 2009-04-30 0.04 -
Comodo 3.8 1141 2009-04-29 1.26 -
CP Secure 1.1.0.715 2009.04.30 2009-04-30 9.93 -
Dr.Web 4.44.0.9170 2009.04.30 2009-04-30 4.54 -
F-Prot 4.4.4.56 20090430 2009-04-30 1.40 -
F-Secure 5.51.6100 2009.04.30.07 2009-04-30 5.27 -
Fortinet 2.81-3.117 10.338 2009-04-30 0.41 -
GData 19.4950/19.315 20090501 2009-05-01 3.78 -
ViRobot 20090429 2009.04.29 2009-04-29 0.41 -
Ikarus T3.1.01.49 2009.04.30.72654 2009-04-30 2.78 -
JiangMin 11.0.706 2009.04.30 2009-04-30 3.60 -
Kaspersky 5.5.10 2009.04.30 2009-04-30 0.05 -
KingSoft 2009.2.5.15 2009.4.30.21 2009-04-30 1.68 -
McAfee 5.3.00 5601 2009-04-30 2.85 -
Microsoft 1.4602 2009.05.01 2009-05-01 10.14 -
mks_vir 2.01 2009.04.30 2009-04-30 2.82 -
Norman 6.00.06 6.00.00 2009-04-28 10.01 -
Panda 9.05.01 2009.04.30 2009-04-30 2.38 -
Trend Micro 8.700-1004 6.104.01 2009-04-30 0.03 -
Quick Heal 10.00 2009.04.30 2009-04-30 2.23 -
Rising 20.0 21.27.31.00 2009-04-30 0.82 -
Sophos 2.86.0 4.41 2009-05-01 2.20 -
Sunbelt 5114 5114 2009-04-29 1.64 -
Symantec 1.3.0.24 20090430.018 2009-04-30 0.20 -
nProtect 20090430.01 3509144 2009-04-30 12.80 -
The Hacker 6.3.4.1 v00317 2009-04-30 3.56 -
VBA32 3.12.10.4 20090430.1445 2009-04-30 1.81 -
VirusBuster 4.5.11.10 10.105.11/1314916 2009-04-30 1.68 -

For C:\WINDOWS\system32\userinit.exe:

VirSCAN.org Scanned Report :
Scanned time : 2009/05/02 02:32:58 (CDT)
Scanner results: All Scanners reported not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/r...0b8f93c5bf.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090501070155 2009-05-01 9.27 -
AhnLab V3 2009.05.01.01 2009.05.01 2009-05-01 9.99 -
AntiVir 7.9.0.160 7.1.3.139 2009-04-30 2.05 -
Antiy 2.0.18 20090502.2329310 2009-05-02 0.12 -
Arcavir 2009 200905011108 2009-05-01 0.03 -
Authentium 5.1.1 200905011947 2009-05-01 1.11 -
AVAST! 3.0.1 090501-0 2009-05-01 0.01 -
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.06 -
BitDefender 7.81008.2901378 7.25140 2009-05-02 2.71 -
CA (VET) 9.0.0.143 31.6.6486 2009-05-02 16.07 -
ClamAV 0.95 9312 2009-05-02 0.01 -
Comodo 3.8 1146 2009-05-01 8.12 -
CP Secure 1.1.0.715 2009.05.02 2009-05-02 8.83 -
Dr.Web 4.44.0.9170 2009.05.02 2009-05-02 4.51 -
F-Prot 4.4.4.56 20090501 2009-05-01 1.17 -
F-Secure 5.51.6100 2009.05.01.02 2009-05-01 0.09 -
Fortinet 2.81-3.117 10.343 2009-05-01 2.04 -
GData 19.4960/19.316 20090502 2009-05-02 19.60 -
ViRobot 20090501 2009.05.01 2009-05-01 1.91 -
Ikarus T3.1.01.49 2009.05.02.72659 2009-05-02 2.80 -
JiangMin 11.0.706 2009.05.02 2009-05-02 9.70 -
Kaspersky 5.5.10 2009.05.02 2009-05-02 0.08 -
KingSoft 2009.2.5.15 2009.5.1.21 2009-05-01 9.38 -
McAfee 5.3.00 5602 2009-05-01 2.99 -
Microsoft 1.4602 2009.04.30 2009-04-30 22.15 -
mks_vir 2.01 2009.05.01 2009-05-01 2.82 -
Norman 6.00.06 6.00.00 2009-04-28 10.01 -
Panda 9.05.01 2009.05.01 2009-05-01 22.64 -
Trend Micro 8.700-1004 6.104.23 2009-05-01 0.03 -
Quick Heal 10.00 2009.04.30 2009-04-30 7.66 -
Rising 20.0 21.27.41.00 2009-05-01 0.88 -
Sophos 2.86.0 4.41 2009-05-02 2.20 -
Sunbelt 5117 5117 2009-05-01 4.49 -
Symantec 1.3.0.24 20090501.017 2009-05-01 0.20 -
nProtect 20090501.01 3562396 2009-05-01 40.13 -
The Hacker 6.3.4.1 v00317 2009-05-01 6.40 -
VBA32 3.12.10.4 20090501.1407 2009-05-01 2.00 -
VirusBuster 4.5.11.10 10.105.12/1315122 2009-05-01 1.71 -

Edited by woodlandcreature, 03 May 2009 - 09:38 PM.


#6 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 04 May 2009 - 02:50 AM

OK

Unfortunately it was one of the files that couldn't be uploaded that I was most concerned about.

Please do the following instead.

Run an on-line scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.



#7 woodlandcreature

woodlandcreature

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 04 May 2009 - 07:32 PM

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 05, 2009 00:54:13
Records in database: 2132073

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 85777
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 01:55:00

No malware has been detected. The scan area is clean.

The selected area was scanned.

#8 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 04 May 2009 - 07:35 PM

Please do the following:

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.



#9 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 04 May 2009 - 07:39 PM

NOTE: Please do one more upload of a suspicious file before running ComboFix

I would like you to upload a file to be scanned
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • C:\WINDOWS\iqaruxecaba.dll
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.



#10 woodlandcreature

woodlandcreature

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 04 May 2009 - 08:25 PM

Still receiving the following message after startup: "rundll32.exe - Bad Image
The application or DLL C:\WINDOWS\iqaruxecaba.dll is not a valid Windows image. Please check this against your installation diskette."

I haven't had any problems accessing webpages tonight.

Scan result for C:\WINDOWS\iqaruxecaba.dll:

VirSCAN.org Scanned Report :
Scanned time : 2009/05/04 21:12:49 (CDT)
Scanner results: 3% Scanner(1/38) found malware!
File Name : iqaruxecaba.dll
File Size : 159744 byte
File Type : data
MD5 : 101d836cff4c2a66385938962bee0858
SHA1 : 0f8c432aca6b2a4b77370ab865a5f8cea1297aca
Online report : http://virscan.org/r...9495cc4192.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090504213754 2009-05-04 2.17 -
AhnLab V3 2009.05.05.00 2009.05.05 2009-05-05 1.80 -
AntiVir 7.9.0.160 7.1.3.150 2009-05-04 2.03 TR/Drop.Softomat.AN
Antiy 2.0.18 20090503.2333071 2009-05-03 0.02 -
Arcavir 2009 200905041616 2009-05-04 0.02 -
Authentium 5.1.1 200905041818 2009-05-04 1.14 -
AVAST! 3.0.1 090504-1 2009-05-04 0.01 -
AVG 7.5.52.442 270.12.11/2089 2009-04-30 2.02 -
BitDefender 7.81008.2901806 7.25202 2009-05-05 2.70 -
CA (VET) 9.0.0.143 31.6.6488 2009-05-05 21.25 -
ClamAV 0.95 9325 2009-05-04 0.01 -
Comodo 3.8 1149 2009-05-03 1.58 -
CP Secure 1.1.0.715 2009.05.05 2009-05-05 8.89 -
Dr.Web 4.44.0.9170 2009.05.04 2009-05-04 4.49 -
F-Prot 4.4.4.56 20090504 2009-05-04 1.13 -
F-Secure 5.51.6100 2009.05.04.11 2009-05-04 0.04 -
Fortinet 2.81-3.117 10.351 2009-05-04 1.34 -
GData 19.5035/19.320 20090505 2009-05-05 9.33 -
ViRobot 20090504 2009.05.04 2009-05-04 0.95 -
Ikarus T3.1.01.49 2009.05.04.72670 2009-05-04 2.80 -
JiangMin 11.0.706 2009.05.04 2009-05-04 6.81 -
Kaspersky 5.5.10 2009.05.05 2009-05-05 0.02 -
KingSoft 2009.2.5.15 2009.5.4.21 2009-05-04 0.41 -
McAfee 5.3.00 5605 2009-05-04 2.81 -
Microsoft 1.4602 2009.05.05 2009-05-05 27.77 -
mks_vir 2.01 2009.05.04 2009-05-04 2.71 -
Norman 6.01.05 6.01.00 2009-05-04 4.00 -
Panda 9.05.01 2009.05.04 2009-05-04 1.60 -
Trend Micro 8.700-1004 6.106.17 2009-05-04 0.02 -
Quick Heal 10.00 2009.05.04 2009-05-04 2.70 -
Rising 20.0 21.28.04.00 2009-05-04 2.57 -
Sophos 2.86.0 4.41 2009-05-05 2.23 -
Sunbelt 5120 5120 2009-05-04 2.87 -
Symantec 1.3.0.24 20090504.005 2009-05-04 0.05 -
nProtect 20090504.01 3571553 2009-05-04 22.68 -
The Hacker 6.3.4.1 v00318 2009-05-04 1.96 -
VBA32 3.12.10.4 20090504.1321 2009-05-04 2.02 -
VirusBuster 4.5.11.10 10.105.15/1315556 2009-05-04 1.61 -



#11 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 04 May 2009 - 08:27 PM

Hi, thank you. Please now follow the instructions for ComboFix.



#12 woodlandcreature

woodlandcreature

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 04 May 2009 - 08:59 PM

ComboFix 09-05-03.6 - Jessica Voss 05/04/2009 21:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.629 [GMT -5:00]
Running from: c:\documents and settings\Jessica Voss\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\hexscl4D.dll
c:\windows\IE4 Error Log.txt
c:\windows\mainms.vpi
c:\windows\megavid.cdt
c:\windows\muotr.so
c:\windows\system32\gpppxou.dll
c:\windows\system32\hljwugsf.bin
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lSsBbccf.ini
c:\windows\system32\lSsBbccf.ini2
c:\windows\system32\rfiyawuq.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IHXEIFCG
-------\Legacy_MSSECURITY1.209.4
-------\Service_ihxeifcg


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-03 19:35 . 2008-04-13 19:20 182656 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-05-03 19:35 . 2008-04-13 19:20 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-01 00:33 . 2009-05-01 00:33 -------- d-----w c:\windows\system32\log
2009-04-30 23:52 . 2009-04-02 21:00 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-30 23:52 . 2009-04-02 21:00 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-30 23:52 . 2009-04-02 21:00 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-30 23:51 . 2009-04-30 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-30 23:10 . 2008-08-16 07:53 1195448 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-30 23:10 . 2009-04-30 23:10 333328 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-30 23:10 . 2008-08-16 08:00 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-30 23:10 . 2009-04-30 23:10 65936 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-30 23:10 . 2008-08-16 08:00 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-15 23:21 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:21 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:21 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:21 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:21 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:21 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:21 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:21 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:21 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:21 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:19 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:19 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 22:41 . 2009-04-28 22:13 0 ----a-w c:\windows\Vqazo.bin
2009-04-08 22:41 . 2009-04-08 22:41 -------- d-----w c:\documents and settings\Jessica Voss\Local Settings\Application Data\{6479A3B6-D36A-40D9-BEE6-20D1C19B9A1F}
2009-04-08 22:41 . 2009-04-16 02:49 408 ----a-w c:\windows\Ileruyuqiyu.dat
2009-04-07 04:15 . 2008-06-17 19:02 8461312 ------w c:\windows\system32\dllcache\shell32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 23:52 . 2006-11-27 14:25 -------- d-----w c:\program files\Trend Micro
2009-04-29 23:45 . 2008-06-21 21:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 23:45 . 2008-06-21 21:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-18 23:27 . 2006-12-03 21:38 -------- d-----w c:\program files\HP
2009-04-13 02:30 . 2006-11-27 14:11 -------- d-----w c:\program files\Java
2009-04-10 22:22 . 2006-12-02 20:31 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-10 22:07 . 2006-12-02 20:31 88 --sh--r c:\windows\system32\E84A79C427.sys
2009-04-05 17:38 . 2008-08-14 21:56 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-05 06:03 . 2006-11-27 14:27 -------- d-----w c:\program files\Google
2009-04-01 05:38 . 2009-04-04 03:33 184876 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-04-01 05:17 . 2006-11-27 14:41 72944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 03:02 . 2009-04-01 03:02 -------- d-----w c:\program files\MSBuild
2009-04-01 03:02 . 2009-04-01 03:02 -------- d-----w c:\program files\Reference Assemblies
2009-03-09 10:19 . 2008-12-15 03:03 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-01-05 23:34 . 2006-12-02 20:20 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-05 23:34 . 2006-12-02 20:20 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-05 23:34 . 2007-12-17 02:06 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-05 23:34 . 2007-12-17 02:06 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-05 23:34 . 2006-12-02 20:20 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-11-24 20058152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-02 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-04 1032192]
"Yxobigokido"="c:\windows\iqaruxecaba.dll" [2008-04-14 159744]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-04-05 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-23 1398024]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"WinSPM"="WinSPMsv.exe" - c:\windows\system32\WinSPMsv.exe [2004-01-15 40960]

c:\documents and settings\Jessica Voss\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-01 00:01 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 f_kp;f_kp;c:\windows\system32\drivers\f_kp.sys [2005-01-26 4598]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-01 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 52624]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-04-30 333328]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2009-04-11 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-30 648456]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aac2740-c855-11db-a8c1-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{EF3101FD-0997-4BA0-9B2F-119C0AF7C506} - c:\windows\system32\gpppxou.dll
HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.davidbowie.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061127
uInternet Settings,ProxyServer = 67.69.254.250:80
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
FF - ProfilePath - c:\documents and settings\Jessica Voss\Application Data\Mozilla\Firefox\Profiles\7v58s7c6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-04 21:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1544)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(4912)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-05 21:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 02:49

Pre-Run: 27,114,954,752 bytes free
Post-Run: 27,132,518,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

249 --- E O F --- 2009-04-16 04:45

#13 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 05 May 2009 - 06:41 AM

Hi,

please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Computer_Crashes_during_SuperAntiSpyware_Scan_t102566.html&view=findpost&p=555760#entry555760

Collect::
c:\windows\Ileruyuqiyu.dat
c:\windows\iqaruxecaba.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yxobigokido"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript"

Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
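Added example, not part of CatByte's instructions and not ComboFix's own logic: a small Python script that parses the Run-key section of a ComboFix log, applies two triage heuristics (my own assumptions, not anything the tool does) and emits a CFScript in the Collect::/Registry:: layout used above. The sample log lines are constructed from this thread's own entries. The "windows-root" hint also catches the legitimate SigmaTel tray app (stsystra.exe), which is why only the "dll-as-autostart" hits are written into the script; the `"name"=-` line is ordinary .reg-file syntax for deleting a value, which is exactly what the CFScript above relies on.

```python
import re

# Constructed sample in the layout of the "Reg Loading Points" section of the
# ComboFix log posted in this thread: one [key] header followed by
# "value name"="target" [yyyy-mm-dd size] lines, some of which resolve a bare
# file name to a full path after " - ".
SAMPLE_RUN_SECTION = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Yxobigokido"="c:\windows\iqaruxecaba.dll" [2008-04-14 159744]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"WinSPM"="WinSPMsv.exe" - c:\windows\system32\WinSPMsv.exe [2004-01-15 40960]
"""

ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"'   # "value name"="target"
    r'(?: - (?P<resolved>.*?))?'               # optional resolved full path
    r' \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$'
)


def parse_run_entries(text):
    """Return one dict per autostart value found under each [key] header."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = ENTRY_RE.match(line)
        if m and current_key:
            entries.append({
                "key": current_key,
                "name": m.group("name"),
                # prefer the resolved path when ComboFix printed one
                "path": m.group("resolved") or m.group("value"),
                "date": m.group("date"),
                "size": int(m.group("size")),
            })
    return entries


def flag_entry(entry):
    """Heuristic reasons to look harder at an entry (assumptions of this
    example, not ComboFix's own logic). Empty list: nothing stood out."""
    reasons = []
    path = entry["path"].lower()
    directory, _, filename = path.rpartition("\\")
    # A Run value is launched as a program; a bare .dll as the target is not
    # how legitimate software normally registers itself.
    if filename.endswith(".dll"):
        reasons.append("dll-as-autostart")
    # Files dropped directly into the Windows directory (not system32 or
    # Program Files) deserve a second look, but some OEM tray tools live there
    # too, so this alone is only a hint for the analyst.
    if directory == "c:\\windows":
        reasons.append("windows-root")
    return reasons


def triage(text):
    """Map value name -> reasons, for every entry that raised at least one."""
    result = {}
    for entry in parse_run_entries(text):
        reasons = flag_entry(entry)
        if reasons:
            result[entry["name"]] = reasons
    return result


def build_cfscript(text):
    """Emit a CFScript in the Collect::/Registry:: layout used in this thread
    for the high-confidence ("dll-as-autostart") hits only."""
    hits = [e for e in parse_run_entries(text)
            if "dll-as-autostart" in flag_entry(e)]
    collect = [e["path"] for e in hits]
    by_key = {}
    for e in hits:
        by_key.setdefault(e["key"], []).append(e["name"])
    registry = []
    for key, names in by_key.items():
        registry.append("[%s]" % key)
        registry.extend('"%s"=-' % n for n in names)   # .reg syntax: delete value
    return "Collect::\n%s\n\nRegistry::\n%s\n" % (
        "\n".join(collect), "\n".join(registry))


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RUN_SECTION).items():
        print("%-20s %s" % (name, ", ".join(reasons)))
    print()
    print(build_cfscript(SAMPLE_RUN_SECTION))
```

Run it and the random-named DLL is the only entry that reaches the CFScript, while the SigmaTel tray app shows up in the triage list with just the weak hint, which is the point: heuristics over a ComboFix log give you candidates to research, not verdicts.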


#14 woodlandcreature

woodlandcreature

    New Member

  • Authentic Member
  • Pip
  • 15 posts

Posted 05 May 2009 - 05:19 PM

Here are the contents of the log from the last scan:

ComboFix 09-05-03.6 - Jessica Voss 05/05/2009 17:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.472 [GMT -5:00]
Running from: c:\documents and settings\Jessica Voss\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jessica Voss\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

file zipped: c:\windows\Ileruyuqiyu.dat
file zipped: c:\windows\iqaruxecaba.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ileruyuqiyu.dat
c:\windows\iqaruxecaba.dll

.
((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-03 19:35 . 2008-04-13 19:20 182656 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-05-03 19:35 . 2008-04-13 19:20 182656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-01 00:33 . 2009-05-01 00:33 -------- d-----w c:\windows\system32\log
2009-04-30 23:52 . 2009-04-02 21:00 52624 ----a-w c:\windows\system32\drivers\tmevtmgr.sys
2009-04-30 23:52 . 2009-04-02 21:00 52752 ----a-w c:\windows\system32\drivers\tmactmon.sys
2009-04-30 23:52 . 2009-04-02 21:00 142864 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-04-30 23:51 . 2009-04-30 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-04-30 23:10 . 2008-08-16 07:53 1195448 ----a-w c:\windows\system32\drivers\vsapint.sys
2009-04-30 23:10 . 2009-04-30 23:10 333328 ----a-w c:\windows\system32\drivers\TM_CFW.sys
2009-04-30 23:10 . 2008-08-16 08:00 205328 ----a-w c:\windows\system32\drivers\tmxpflt.sys
2009-04-30 23:10 . 2009-04-30 23:10 65936 ----a-w c:\windows\system32\drivers\tmtdi.sys
2009-04-30 23:10 . 2008-08-16 08:00 36368 ----a-w c:\windows\system32\drivers\tmpreflt.sys
2009-04-15 23:21 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:21 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:21 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:21 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:21 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:21 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:21 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 23:21 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 23:21 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:21 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:19 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 23:19 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 22:41 . 2009-04-28 22:13 0 ----a-w c:\windows\Vqazo.bin
2009-04-08 22:41 . 2009-04-08 22:41 -------- d-----w c:\documents and settings\Jessica Voss\Local Settings\Application Data\{6479A3B6-D36A-40D9-BEE6-20D1C19B9A1F}
2009-04-07 04:15 . 2008-06-17 19:02 8461312 ------w c:\windows\system32\dllcache\shell32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 23:52 . 2006-11-27 14:25 -------- d-----w c:\program files\Trend Micro
2009-04-29 23:45 . 2008-06-21 21:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 23:45 . 2008-06-21 21:43 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-18 23:27 . 2006-12-03 21:38 -------- d-----w c:\program files\HP
2009-04-13 02:30 . 2006-11-27 14:11 -------- d-----w c:\program files\Java
2009-04-10 22:22 . 2006-12-02 20:31 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-10 22:07 . 2006-12-02 20:31 88 --sh--r c:\windows\system32\E84A79C427.sys
2009-04-05 17:38 . 2008-08-14 21:56 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-05 06:03 . 2006-11-27 14:27 -------- d-----w c:\program files\Google
2009-04-01 05:38 . 2009-04-04 03:33 184876 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-04-01 05:17 . 2006-11-27 14:41 72944 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 03:02 . 2009-04-01 03:02 -------- d-----w c:\program files\MSBuild
2009-04-01 03:02 . 2009-04-01 03:02 -------- d-----w c:\program files\Reference Assemblies
2009-03-09 10:19 . 2008-12-15 03:03 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-11 23:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-11 23:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-11 23:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 23:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 23:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 23:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-11 23:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-11 23:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 23:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-01-05 23:34 . 2006-12-02 20:20 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-05 23:34 . 2006-12-02 20:20 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-05 23:34 . 2007-12-17 02:06 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-05 23:34 . 2007-12-17 02:06 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-05 23:34 . 2006-12-02 20:20 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2004-08-04 11:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 !MD5: COULD NOT OPEN FILE ! c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-05-05_02.45.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 22:22 . 2009-05-05 22:22 16384 c:\windows\Temp\Perflib_Perfdata_f94.dat
+ 2009-05-05 22:22 . 2009-05-05 22:22 16384 c:\windows\Temp\Perflib_Perfdata_274.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-11-24 20058152]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-09-13 1384448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-02 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2006-08-04 1032192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-04-05 68592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-09-23 1398024]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-25 282624]
"WinSPM"="WinSPMsv.exe" - c:\windows\system32\WinSPMsv.exe [2004-01-15 40960]

c:\documents and settings\Jessica Voss\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-27 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-01 00:01 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 f_kp;f_kp;c:\windows\system32\drivers\f_kp.sys [2005-01-26 4598]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-01 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-04-02 52624]
S2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2008-08-16 36368]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2009-04-30 333328]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2009-04-11 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-04-30 648456]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aac2740-c855-11db-a8c1-00038a000015}]
\Shell\AutoRun\command - F:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.davidbowie.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061127
uInternet Settings,ProxyServer = 67.69.254.250:80
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
FF - ProfilePath - c:\documents and settings\Jessica Voss\Application Data\Mozilla\Firefox\Profiles\7v58s7c6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1544)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-05-05 17:42
ComboFix-quarantined-files.txt 2009-05-05 22:41
ComboFix2.txt 2009-05-05 02:49

Pre-Run: 27,094,036,480 bytes free
Post-Run: 27,104,215,040 bytes free

213 --- E O F --- 2009-04-16 04:45
Upload was successful

-Jessica

#15 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 05 May 2009 - 05:52 PM

Hi,

Please do the following


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

