
Infected by something.


  • This topic is locked
9 replies to this topic

#1 rds0256

  • Members
  • 5 posts

Posted 28 April 2009 - 08:01 AM

Thanks in advance for your help.

I had a serious problem with this computer on 10/31/08, which after taking the computer to a service shop (3 times!) seemed to be almost resolved. I would still have a problem in Outlook where when I tried to enter a phone number in a new contact Outlook would close and restart.

Then earlier this month (around April 13) I started having severe problems. The computer would just freeze and I would have to press the off button to shut it down and re-start. I was also getting strange messages on Internet Explorer, specifically when I was logging into my business account with my Bank. When I enter the bank site and select log in, a new window opens and asks for a user number and ID; when this is entered a new window opens and I enter my password AND passkey code, a rolling 6 digit number that changes every 60 seconds. Once I do this the following message appears: The instruction at "0x013f9d" referenced memory at "0x00000000". The memory could not be "written". I am also given 2 options: Click on OK to terminate the program, Click on Cancel to debug the program. When this happens, I move the box to the side and get the information I need, then log off. When I select either of the 2 options, the program shuts down immediately.
I have Trend Micro running and Malwarebytes. The 2 text files are below.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Richard Savoy at 7:30:54.40 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1490 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Savoy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource5\go\CTCMSGoU.exe" /SCB
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB003" /M "Stylus C88"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

============= SERVICES / DRIVERS ===============

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-11-4 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-11-4 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-11-4 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-11-4 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-11-4 335376]
S0 ati2fmxx;ati2fmxx;c:\windows\system32\drivers\ati2fmxx.sys --> c:\windows\system32\drivers\ati2fmxx.sys [?]
S1 dmram;MDRAM Connector;c:\windows\system32\dmram.sys --> c:\windows\system32\dmram.sys [?]
S2 RVSVRMRN;RVSVRMRN;\??\c:\windows\system32\drivers\rvsvrmrn.sys --> c:\windows\system32\drivers\RVSVRMRN.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-24 15576]

=============== Created Last 30 ================

2009-04-25 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-04-20 16:44 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-20 15:55 <DIR> --d----- c:\windows\wt
2009-04-20 14:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-20 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-17 04:44 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-17 04:44 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 04:44 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-17 04:44 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-17 04:44 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 04:44 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-17 04:44 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-17 04:44 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 04:44 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-17 04:44 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-17 04:42 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-17 04:42 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 04:42 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-02 07:14 <DIR> --d----- c:\windows\system32\KB905474

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 18:08 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-04-02 18:08 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-04-02 18:08 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 21:17 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-05 21:17 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-05 21:17 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-03 18:12 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-03 04:08 335,376 a------- c:\windows\system32\drivers\TM_CFW.sys
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 06:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 06:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 05:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-03 14:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 14:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2007-05-08 13:15 88 ---shr-- c:\windows\system32\5F7C179355.sys
2007-05-08 13:15 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-10 09:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

============= FINISH: 7:31:30.14 ===============
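As an added example (not code from this thread or from the DDS tool), a small Python triage script that parses the SERVICES / DRIVERS and Pseudo HJT Report sections of a DDS log like the one above and lists the entries a helper would verify first: drivers whose file DDS could not find (the `[?]` marker), drivers registered with a raw `\??\` device path, and DLLs loaded through AppInit_DLLs. The sample input is a handful of lines copied from this log; the flags are triage pointers to check against the vendor, not verdicts.

```python
"""Triage helper for DDS logs (added example, not the DDS tool's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the first DDS log in this thread.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

============= SERVICES / DRIVERS ===============

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-11-4 50192]
S0 ati2fmxx;ati2fmxx;c:\windows\system32\drivers\ati2fmxx.sys --> c:\windows\system32\drivers\ati2fmxx.sys [?]
S1 dmram;MDRAM Connector;c:\windows\system32\dmram.sys --> c:\windows\system32\dmram.sys [?]
S2 RVSVRMRN;RVSVRMRN;\??\c:\windows\system32\drivers\rvsvrmrn.sys --> c:\windows\system32\drivers\RVSVRMRN.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-24 15576]

=============== Created Last 30 ================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<state> <name>;<display name>;<path> [<date> <size>]"  or
# "<state> <name>;<display name>;<registered path> --> <resolved path> [?]"
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
TRAILER_RE = re.compile(r"^(?P<paths>.*?)\s*\[(?P<info>[^\]]*)\]$")


@dataclass
class Driver:
    state: str                # R = running, S = stopped; digit is the start type
    name: str
    display: str
    path: str                 # ImagePath as registered in the service key
    resolved: Optional[str]   # path DDS resolved it to (only printed after '-->')
    file_missing: bool        # DDS printed '[?]': no file found to stat
    date: Optional[str] = None
    size: Optional[int] = None

    @property
    def raw_device_path(self) -> bool:
        # '\??\' is the NT object-manager prefix; legitimate drivers rarely need it.
        return self.path.startswith("\\??\\")


@dataclass
class DdsReport:
    drivers: List[Driver] = field(default_factory=list)
    appinit_dlls: List[str] = field(default_factory=list)


def parse_driver(line: str) -> Optional[Driver]:
    m = DRIVER_RE.match(line)
    if not m:
        return None
    t = TRAILER_RE.match(m["rest"])
    paths, info = (t["paths"], t["info"]) if t else (m["rest"], "")
    path, _, resolved = paths.partition(" --> ")
    missing = info.strip() == "?"
    date = size = None
    if not missing and info:
        parts = info.split()           # "<yyyy-m-d> <size in bytes>"
        if len(parts) == 2 and parts[1].isdigit():
            date, size = parts[0], int(parts[1])
    return Driver(m["state"], m["name"], m["display"], path.strip(),
                  resolved.strip() or None, missing, date, size)


def parse_dds(text: str) -> DdsReport:
    report = DdsReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).upper()
            continue
        if section == "SERVICES / DRIVERS":
            drv = parse_driver(line)
            if drv:
                report.drivers.append(drv)
        elif section == "PSEUDO HJT REPORT" and line.startswith("AppInit_DLLs:"):
            # DDS prints 8.3 short names, so spaces and commas both act as delimiters here.
            value = line.split(":", 1)[1]
            report.appinit_dlls.extend(d for d in re.split(r"[,\s]+", value) if d)
    return report


def triage(report: DdsReport) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs a helper should verify before anything else."""
    findings = []
    for d in report.drivers:
        if d.file_missing:
            findings.append((d.name, "driver registered but file not found on disk ('[?]' in DDS output)"))
        if d.raw_device_path:
            findings.append((d.name, "ImagePath uses a raw \\??\\ device path; confirm the publisher"))
    for dll in report.appinit_dlls:
        findings.append((dll, "loaded into every user32-linked process via AppInit_DLLs; confirm the publisher"))
    return findings


if __name__ == "__main__":
    for item, reason in triage(parse_dds(SAMPLE_LOG)):
        print(f"{item}: {reason}")
```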


#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts

Posted 10 May 2009 - 04:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 rds0256

  • Topic Starter
  • Members
  • 5 posts

Posted 12 May 2009 - 08:17 AM

Thanks for getting back to me,

Please find the following additional information.

I have recently noticed two separate issues of blatant “phishing” that have started to happen around the same time, early April. Whenever I try to purchase something online, I get a “Verified by Visa” pop-up window that looks authentic, but is not. It asks for all of the info from my credit card ALONG with an ATM PIN #.
The second issue I just discovered this week, probably because I have not been on the site in some time. I went to eBay, and when I signed in with my user name and password, a new screen came up that asked for my name, address, SS#, Mother’s maiden name, etc.
This is clearly phishing, but I get clean results from Trend Micro, Malwarebytes, and the only thing Spybot S&D comes up with is 93 entries of Wild Tangent that I verify are from Dell.
Yesterday, I did a repair reinstallation of XP Pro SP2 and have been working all morning on resetting things. I had to uninstall and reinstall Trend Micro, which forced me to uninstall Spybot S&D. I have not yet reinstalled this. I have run a complete scan this morning and nothing has been found. I have been able to update Windows, and now have IE 8, but the same phishing problems exist. When I go to eBay to login the following link comes up and it is shaded in green in the address bar: <https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=1883&pa1=&i1=&bshowgif=&UsingSSL=0&ru=http%3A%2F%2Fmy.ebay.com%2Fws%2FeBayISAPI.dll%3FMyeBay&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&sessid=&favoritenav=&confirm=&ebxPageType=&existingEmail=&isCheckout=&migrateVisitor=1&fromwl=>

Again, I am at a total loss of how to resolve this problem. As requested, I am providing a new DDS file named DDS-1, and will attach the new attach file named attach-1.

Thanks in advance for any help you can provide.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Richard Savoy at 7:49:58.70 on Tue 05/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1290 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\DOCUME~1\RICHAR~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Savoy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061017
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Creative MediaSource Go] "c:\program files\creative\mediasource5\go\CTCMSGoU.exe" /SCB
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [EPSON Stylus C88 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB003" /M "Stylus C88"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242082591191
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5606/mcfscan.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

============= SERVICES / DRIVERS ===============

R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-5-6 425080]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-5-12 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-5-12 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-7-30 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-5-12 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-30 335376]
S0 ati2fmxx;ati2fmxx;c:\windows\system32\drivers\ati2fmxx.sys --> c:\windows\system32\drivers\ati2fmxx.sys [?]
S1 dmram;MDRAM Connector;c:\windows\system32\dmram.sys --> c:\windows\system32\dmram.sys [?]
S2 RVSVRMRN;RVSVRMRN;\??\c:\windows\system32\drivers\rvsvrmrn.sys --> c:\windows\system32\drivers\RVSVRMRN.sys [?]
S3 Wdm1;USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc.sys [2006-10-24 15576]

=============== Created Last 30 ================

2009-05-12 06:31 153,104 a------- c:\windows\system32\drivers\tmcomm.sys
2009-05-12 06:31 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-05-12 06:31 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-05-11 21:00 46,456 a----r-- c:\windows\system32\exitwx.exe
2009-05-11 20:32 <DIR> --dsh--- c:\documents and settings\richard savoy\PrivacIE
2009-05-11 20:29 <DIR> --dsh--- c:\documents and settings\richard savoy\IETldCache
2009-05-11 20:28 <DIR> --d----- c:\windows\ie8updates
2009-05-11 20:27 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-11 20:25 <DIR> -cd-h--- c:\windows\ie8
2009-05-11 18:36 79,872 -c------ c:\windows\system32\dllcache\msxml6r.dll
2009-05-11 18:36 1,306,624 -c------ c:\windows\system32\dllcache\msxml6.dll
2009-05-11 18:35 10,752 -------- c:\windows\system32\smtpapi.dll
2009-05-11 18:35 9,728 -------- c:\windows\system32\rwnh.dll
2009-05-11 18:35 19,569 a------- c:\windows\003455_.tmp
2009-05-11 18:08 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-05-11 18:08 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-05-11 18:07 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-05-11 18:07 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-05-11 18:07 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-05-11 18:07 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-05-11 18:07 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-05-11 18:06 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-11 18:06 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-11 17:00 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-05-11 17:00 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-05-11 17:00 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-05-11 17:00 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-05-11 17:00 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
2009-05-11 17:00 72,704 ac------ c:\windows\system32\dllcache\wingb.ime
2009-05-11 17:00 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-05-11 16:58 10,129,408 ac------ c:\windows\system32\dllcache\hwxkor.dll
2009-05-11 16:57 19,968 ac------ c:\windows\system32\dllcache\inetsloc.dll
2009-05-11 16:57 169,984 ac------ c:\windows\system32\dllcache\iisui.dll
2009-05-11 16:57 7,680 ac------ c:\windows\system32\dllcache\inetmgr.exe
2009-05-11 16:57 5,632 ac------ c:\windows\system32\dllcache\iisrstap.dll
2009-05-11 16:57 14,336 ac------ c:\windows\system32\dllcache\iisreset.exe
2009-05-11 16:57 6,144 ac------ c:\windows\system32\dllcache\ftpsapi2.dll
2009-05-11 16:57 94,720 ac------ c:\windows\system32\dllcache\certmap.ocx
2009-05-11 16:55 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-05-11 16:55 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-05-11 16:55 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-05-11 16:55 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-05-11 16:55 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-05-11 16:55 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-05-11 16:55 16,384 ac------ c:\windows\system32\dllcache\isignup.exe
2009-05-11 16:53 <DIR> --d----- c:\windows\system32\FxsTmp
2009-05-11 16:44 22,339 a----r-- c:\windows\SETAA.tmp
2009-05-11 16:44 10,559 a----r-- c:\windows\SETAB.tmp
2009-05-11 16:44 13,753 a----r-- c:\windows\SET6E.tmp
2009-05-11 16:44 1,086,058 a----r-- c:\windows\SET5F.tmp
2009-05-11 16:44 1,042,903 a----r-- c:\windows\SET59.tmp
2009-05-11 16:08 <DIR> --d----- c:\windows\NV1148824.TMP
2009-05-11 16:05 22,339 a----r-- c:\windows\SETA8.tmp
2009-05-11 16:05 10,559 a----r-- c:\windows\SETA9.tmp
2009-05-11 16:05 13,753 a----r-- c:\windows\SET6D.tmp
2009-05-11 16:05 1,086,058 a----r-- c:\windows\SET5E.tmp
2009-05-11 16:05 1,042,903 a----r-- c:\windows\SET58.tmp
2009-05-11 15:20 22,339 a----r-- c:\windows\SETA4.tmp
2009-05-11 15:20 10,559 a----r-- c:\windows\SETA5.tmp
2009-05-11 15:20 13,753 a----r-- c:\windows\SET66.tmp
2009-05-11 15:20 1,086,058 a----r-- c:\windows\SET57.tmp
2009-05-11 15:20 1,042,903 a----r-- c:\windows\SET54.tmp
2009-05-11 11:35 22,339 a----r-- c:\windows\SETA1.tmp
2009-05-11 11:35 10,559 a----r-- c:\windows\SETA2.tmp
2009-05-11 11:35 13,753 a----r-- c:\windows\SET65.tmp
2009-05-11 11:35 1,086,058 a----r-- c:\windows\SET56.tmp
2009-05-11 11:35 1,042,903 a----r-- c:\windows\SET53.tmp
2009-05-11 09:32 24,661 ac------ c:\windows\system32\dllcache\spxcoins.dll
2009-05-11 09:32 13,312 ac------ c:\windows\system32\dllcache\irclass.dll
2009-05-11 09:32 24,661 a------- c:\windows\system32\spxcoins.dll
2009-05-11 09:32 13,312 a------- c:\windows\system32\irclass.dll
2009-05-11 09:32 22,339 a----r-- c:\windows\SET9F.tmp
2009-05-11 09:32 10,559 a----r-- c:\windows\SETA0.tmp
2009-05-11 09:32 13,753 a----r-- c:\windows\SET64.tmp
2009-05-11 09:32 1,086,058 a----r-- c:\windows\SET55.tmp
2009-05-11 09:32 1,042,903 a----r-- c:\windows\SET52.tmp
2009-05-11 08:40 10,559 a----r-- c:\windows\SET9C.tmp
2009-05-11 08:40 22,339 a----r-- c:\windows\SET9B.tmp
2009-05-11 08:40 13,753 a----r-- c:\windows\SET5D.tmp
2009-05-11 08:40 1,086,058 a----r-- c:\windows\SET51.tmp
2009-05-11 08:40 1,042,903 a----r-- c:\windows\SET4E.tmp
2009-05-11 06:55 10,559 a----r-- c:\windows\SET9A.tmp
2009-05-11 06:55 22,339 a----r-- c:\windows\SET99.tmp
2009-05-11 06:55 13,753 a----r-- c:\windows\SET5C.tmp
2009-05-11 06:55 1,086,058 a----r-- c:\windows\SET50.tmp
2009-05-11 06:55 1,042,903 a----r-- c:\windows\SET4D.tmp
2009-05-11 06:09 22,339 a----r-- c:\windows\SET96.tmp
2009-05-11 06:09 10,559 a----r-- c:\windows\SET98.tmp
2009-05-11 06:09 13,753 a----r-- c:\windows\SET5B.tmp
2009-05-11 06:09 1,086,058 a----r-- c:\windows\SET4F.tmp
2009-05-11 06:09 1,042,903 a----r-- c:\windows\SET4C.tmp
2009-05-11 04:39 <DIR> --dshr-- C:\cmdcons
2009-05-11 04:39 <DIR> --d----- c:\windows\setupupd
2009-05-10 23:57 <DIR> --d----- c:\windows\dell
2009-05-09 07:02 <DIR> --d----- c:\windows\setup.pss
2009-05-08 17:48 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-07 17:02 <DIR> --d----- C:\Rooter$
2009-05-06 15:27 <DIR> --d----- c:\program files\a-squared Free
2009-05-06 08:46 <DIR> --d----- c:\windows\McAfee.com
2009-04-29 08:30 <DIR> --d----- C:\f307a5dc15df0088c47773d3
2009-04-25 16:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-04-20 16:44 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-20 15:55 <DIR> --d----- c:\windows\wt
2009-04-20 14:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-20 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-17 04:42 2,560 a------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-05-11 16:54 23,428 a------- c:\windows\system32\emptyregdb.dat
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2007-05-08 13:15 88 a--shr-- c:\windows\system32\5F7C179355.sys
2007-05-08 13:15 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-12-10 09:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121020081211\index.dat

============= FINISH: 7:50:29.89 ===============


Edited by Orange Blossom, 13 May 2009 - 10:01 PM.
Deactivate link. ~ OB


#4 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington
Posted 12 May 2009 - 05:58 PM

Hello, rds0256
None of your issues appear malware related. However, I'd like to get a final check to be sure.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image or Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • GMER's Log
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 rds0256
  • Topic Starter

Posted 13 May 2009 - 08:58 AM

Billy,

Thanks for your help. I know that in your message you said that it does not appear to be malware related, but something in Internet Explorer wants my credit card info, including ATM number real bad!

Attached are the ESET and Gmer logs.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-13 07:24:44
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8862EC60 ZwCreateKey
SSDT 8862E160 ZwCreateProcess
SSDT 8862E420 ZwCreateProcessEx
SSDT 8862FAC0 ZwCreateThread
SSDT 8862F1E0 ZwDeleteKey
SSDT 8862F4A0 ZwDeleteValueKey
SSDT 8862FC60 ZwLoadDriver
SSDT 8862E6E0 ZwOpenProcess
SSDT 8862EF20 ZwSetValueKey
SSDT 8862E9A0 ZwTerminateProcess
SSDT 8862F920 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C68 80504504 2 Bytes [60, EC] {PUSHA ; IN AL, DX }
.text ntkrnlpa.exe!ZwCallbackReturn + 2CC0 8050455C 2 Bytes [E0, F1] {LOOPNZ 0xfffffffffffffff3}
.text ntkrnlpa.exe!ZwCallbackReturn + 2CC8 80504564 2 Bytes [A0, F4]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FA0 8050483C 2 Bytes [20, EF] {AND BH, CH}
.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504864 4 Bytes JMP ABF4D0CB

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02412DFD
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02412DBA
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02412D7E
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02412D63
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02412BEF
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02412CE1
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02412C27
.text C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe[472] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02412C5F
.text C:\WINDOWS\Explorer.EXE[528] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01522DFD
.text C:\WINDOWS\Explorer.EXE[528] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01522DBA
.text C:\WINDOWS\Explorer.EXE[528] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01522D7E
.text C:\WINDOWS\Explorer.EXE[528] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01522D63
.text C:\WINDOWS\Explorer.EXE[528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01522BEF
.text C:\WINDOWS\Explorer.EXE[528] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01522CE1
.text C:\WINDOWS\Explorer.EXE[528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01522C27
.text C:\WINDOWS\Explorer.EXE[528] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01522C5F
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01152DFD
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01152DBA
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01152D7E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01152D63
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01152BEF
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01152CE1
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01152C27
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe[788] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01152C5F
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00DD2DFD
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00DD2DBA
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00DD2D7E
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DD2D63
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DD2BEF
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DD2CE1
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DD2C27
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe[792] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DD2C5F
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EA2DFD
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EA2DBA
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EA2D7E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA2D63
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA2BEF
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA2CE1
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA2C27
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[852] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA2C5F
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02B62DFD
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02B62DBA
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02B62D7E
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02B62D63
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02B62BEF
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02B62CE1
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02B62C27
.text C:\Program Files\Brother\ControlCenter2\brctrcen.exe[1104] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02B62C5F
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01282DFD
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01282DBA
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01282D7E
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01282D63
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01282BEF
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01282CE1
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01282C27
.text C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe[1268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01282C5F
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C72DFD
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C72DBA
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C72D7E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C72D63
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C72BEF
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C72CE1
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C72C27
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C72C5F
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CF2DFD
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CF2DBA
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CF2D7E
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CF2D63
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CF2BEF
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CF2CE1
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CF2C27
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe[1776] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CF2C5F
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 03BD2DFD
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 03BD2DBA
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 03BD2D7E
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03BD2D63
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] WS2_32.dll!send 71AB4C27 5 Bytes JMP 03BD2BEF
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03BD2CE1
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] WS2_32.dll!recv 71AB676F 5 Bytes JMP 03BD2C27
.text C:\Program Files\Trend Micro\BM\TMBMSRV.exe[2108] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03BD2C5F
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CF2DFD
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CF2DBA
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CF2D7E
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CF2D63
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CF2BEF
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CF2CE1
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CF2C27
.text C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe[2204] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CF2C5F
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 016B2DFD
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 016B2DBA
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 016B2D7E
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 016B2D63
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016B2BEF
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 016B2CE1
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] WS2_32.dll!recv 71AB676F 5 Bytes JMP 016B2C27
.text C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe[2580] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 016B2C5F
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00F72D63
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00F72BEF
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00F72CE1
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00F72C27
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00F72C5F
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00F72DFD
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00F72DBA
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] ADVAPI32.dll!CryptEncrypt 77DEE360 3 Bytes JMP 00F72D7E
.text C:\Program Files\Trend Micro\Internet Security\TmPfw.exe[2704] ADVAPI32.dll!CryptEncrypt + 4 77DEE364 3 Bytes [89, CC, CC] {MOV ESP, ECX; INT 3 }
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 021A2D63
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] WS2_32.dll!send 71AB4C27 5 Bytes JMP 021A2BEF
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 021A2CE1
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] WS2_32.dll!recv 71AB676F 5 Bytes JMP 021A2C27
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 021A2C5F
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 021A2DFD
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 021A2DBA
.text C:\Program Files\Trend Micro\Internet Security\TmProxy.exe[2808] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 021A2D7E
.text C:\WINDOWS\System32\alg.exe[3128] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00CD2DFD
.text C:\WINDOWS\System32\alg.exe[3128] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00CD2DBA
.text C:\WINDOWS\System32\alg.exe[3128] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00CD2D7E
.text C:\WINDOWS\System32\alg.exe[3128] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00CD2D63
.text C:\WINDOWS\System32\alg.exe[3128] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00CD2BEF
.text C:\WINDOWS\System32\alg.exe[3128] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00CD2CE1
.text C:\WINDOWS\System32\alg.exe[3128] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00CD2C27
.text C:\WINDOWS\System32\alg.exe[3128] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00CD2C5F

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\00000046 8919D5A0
Device \Driver\ACPI \Device\00000060 8919D5A0

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\00000049 8919D5A0
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device 8919D5A0
Device \Driver\ACPI \Device\00000069 8919D5A0
Device \Driver\ACPI \Device\0000004f 8919D5A0

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\0000005d 8919D5A0

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \Driver\ACPI \Device\0000006a 8919D5A0
Device \Driver\ACPI \Device\0000005e 8919D5A0
Device \Driver\ACPI \Device\0000006b 8919D5A0
Device \Driver\ACPI \Device\0000005f 8919D5A0
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B24ADD20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.15 ----

Thread System [4:1008] 89205B50
Thread System [4:1012] 891D4BA0
Thread System [4:1016] 89222DC0
Thread System [4:1020] 891E40E0
Thread System [4:2828] 89205B50
Thread System [4:3744] 891D4BA0
Thread System [4:3420] 89222DC0
Thread System [4:3424] 891E40E0
Thread System [4:3132] 89205B50
Thread System [4:3500] 891D4BA0
Thread System [4:3496] 89222DC0
Thread System [4:3140] 891E40E0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet Pro K550 Series@ChangeID 230094

---- EOF - GMER 1.0.15 ----

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4070 (20090513)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=01dde58a630d354e9dcd81ee6e862f2b
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-13 01:36:45
# local_time=2009-05-13 08:36:45 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=410922
# found=0
# scan_time=3575
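The GMER log above lists the same eight user-mode hooks (ADVAPI32 Crypt* and WS2_32 socket functions) in every running process, with each process's JMP targets clustered in one small address range. That uniform pattern is what a system-wide security product's injection looks like, which is consistent with Billy's reading that nothing here is malware related; a hook that shows up in only one process is the kind of entry that deserves a second look. The following parser is an added example for triaging that section of a GMER log, not code from the thread or from GMER itself; the sample log lines, process names, PIDs and addresses inside it are constructed for the example, and the "one region per process" heuristic is an assumption used for illustration, not a rule from the page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of GMER's "User code sections" output
# (paths, PIDs and addresses are made up for this example, not copied from
# the log posted in the thread).
SAMPLE_LOG = """\
---- User code sections - GMER 1.0.15 ----

.text C:\\WINDOWS\\Explorer.EXE[528] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01522D7E
.text C:\\WINDOWS\\Explorer.EXE[528] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01522BEF
.text C:\\WINDOWS\\Explorer.EXE[528] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01522C27
.text C:\\Program Files\\Example Suite\\agent.exe[1268] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01282D7E
.text C:\\Program Files\\Example Suite\\agent.exe[1268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01282BEF
.text C:\\Program Files\\Example Suite\\agent.exe[1268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01282C27
.text C:\\Program Files\\Example Suite\\fw.exe[2704] ADVAPI32.dll!CryptEncrypt 77DEE360 3 Bytes JMP 00F72D7E
.text C:\\Program Files\\Example Suite\\fw.exe[2704] ADVAPI32.dll!CryptEncrypt + 4 77DEE364 3 Bytes [89, CC, CC] {MOV ESP, ECX; INT 3 }
.text C:\\WINDOWS\\System32\\svchost.exe[1040] USER32.dll!GetMessageA 7E41929E 5 Bytes JMP 00AA1000

---- Devices - GMER 1.0.15 ----
"""

# One inline-hook line: ".text <process>[<pid>] <module>!<function>[ + <off>]
# <address> <n> Bytes <patch description>"
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?: \+ (?P<offset>[0-9A-Fa-f]+))? "
    r"(?P<addr>[0-9A-Fa-f]{8}) (?P<nbytes>\d+) Bytes (?P<patch>.*)$"
)


def parse_user_hooks(text):
    """Return one dict per hook line inside the 'User code sections' block;
    every other GMER section is ignored."""
    hooks = []
    in_section = False
    for line in text.splitlines():
        if line.startswith("---- "):
            in_section = "User code sections" in line
            continue
        if not in_section:
            continue
        m = HOOK_RE.match(line)
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["nbytes"] = int(h["nbytes"])
        # Only "JMP <addr>" patches have a target; byte-dump lines do not.
        jmp = re.search(r"\bJMP ([0-9A-Fa-f]{8})\b", h["patch"])
        h["target"] = int(jmp.group(1), 16) if jmp else None
        hooks.append(h)
    return hooks


def summarize(hooks):
    """Which hooked APIs appear in at least half of the hooked processes
    (the system-wide pattern a security product produces) and which appear
    in exactly one process."""
    by_proc = defaultdict(set)
    by_api = defaultdict(set)
    for h in hooks:
        api = f'{h["module"]}!{h["func"]}'
        by_proc[h["pid"]].add(api)
        by_api[api].add(h["pid"])
    nproc = len(by_proc)
    widespread = {api for api, pids in by_api.items() if 2 * len(pids) >= nproc}
    singletons = {api: sorted(pids) for api, pids in by_api.items() if len(pids) == 1}
    return {"process_count": nproc, "widespread": widespread, "singletons": singletons}


def trampoline_regions(hooks):
    """For each PID, the distinct 64 KiB regions (upper 16 bits, as hex) that
    its JMP targets fall in. One region per process means every hook in that
    process lands in the same injected block of code (a heuristic, assumed
    for this example)."""
    regions = defaultdict(set)
    for h in hooks:
        if h["target"] is not None:
            regions[h["pid"]].add(f'{h["target"] >> 16:04X}')
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    hooks = parse_user_hooks(SAMPLE_LOG)
    s = summarize(hooks)
    print(f"{len(hooks)} hooks across {s['process_count']} processes")
    print("hooked in most processes:", sorted(s["widespread"]))
    print("hooked in a single process:", s["singletons"])
    print("trampoline regions per PID:", trampoline_regions(hooks))
```

Run against a saved GMER log by reading the file into `parse_user_hooks` instead of `SAMPLE_LOG`. On the sample, the three crypto/socket hooks come out as widespread and the lone `USER32.dll!GetMessageA` hook in one PID is reported as a singleton; for the log posted in this thread every PID would show a single region, matching the uniform injection described above.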

#6 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 13 May 2009 - 09:58 PM

The issue with phishing is that it's generally not caused by things on your computer. Phishing is simply illegitimate websites which try to mimic valid ones.

The only time such a problem is malware related is when you manually type in the legitimate site, but are then redirected to a different page.

Please download and run this file. It will flash briefly and dump a log.

http://www.gmer.net/mbr/mbr.exe

Billy3
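Billy's distinction above, that a phishing page is only a local problem when the legitimate address you typed is redirected elsewhere, can be checked from the defender's side. One local mechanism that produces exactly that symptom is a hosts-file entry pointing a well-known site at an attacker-chosen address; the script below parses a hosts file and reports any watched domain mapped to a non-loopback address. This is an added example, not code from the thread or from any tool mentioned in it; the sample hosts contents are constructed, the 192.0.2.x address is from the documentation range, and the choice of the hosts file as the mechanism is an assumption for illustration (the thread's own next steps, GMER and the MBR check, cover other mechanisms).

```python
import ipaddress

# Constructed hosts-file contents for the example (not from the machine in
# this thread). Loopback entries are the normal, harmless ad-blocking
# pattern; the last two lines show what a local redirection looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.example-tracker.invalid   # blocking entry, harmless
192.0.2.44      www.example-bank.invalid
192.0.2.44      ebay.com www.ebay.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.
    Comments (whole-line or inline '#') and blank lines are skipped, and a
    line with several hostnames yields one tuple per hostname."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: the resolver would ignore it too
        for host in parts[1:]:
            yield str(ip), host.lower(), n


def find_redirections(text, watch_domains):
    """Return hosts-file entries that override name resolution for a watched
    domain (or any subdomain of it) with a non-loopback address.
    Loopback mappings are left alone: they block a site, they do not
    redirect it."""
    findings = []
    watch = {d.lower().lstrip(".") for d in watch_domains}
    for ip, host, n in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue
        if any(host == d or host.endswith("." + d) for d in watch):
            findings.append({"line": n, "host": host, "ip": ip})
    return findings


if __name__ == "__main__":
    # Sites the user in this thread cared about: a bank and ebay.com.
    for f in find_redirections(SAMPLE_HOSTS, ["ebay.com", "example-bank.invalid"]):
        print(f'line {f["line"]}: {f["host"]} -> {f["ip"]}')
```

On Windows the real file lives at `%SystemRoot%\System32\drivers\etc\hosts`; read it into `find_redirections` in place of `SAMPLE_HOSTS` and pass the domains you actually type by hand. A clean result does not rule out redirection, since DNS settings, a browser add-on or a kernel-level hook can produce the same symptom, which is why the rootkit scans requested in this thread still matter.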

#7 rds0256
  • Topic Starter

Posted 14 May 2009 - 06:17 AM

Billy,

I did a "run" instead of a "save" on the mbr.exe. Trend Micro has quarantined the file and I cannot get it out. I believe I ran the program, but I cannot find the log. As to the "phishing" I referenced, my terminology may be incorrect, but I am typing in ebay.com, and I can enter anything I want in the log in and I am then redirected to a site that looks legit, but is not.

I am being redirected exactly as described in the following post:

http://www.bleepingcomputer.com/forums/lof...hp/t214849.html

Please review this, and let me know how I can retrieve the mbr log.

Thank you in advance for your help.

#8 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 14 May 2009 - 03:44 PM

The tool must be saved, not run. It saves the log into the same folder it is saved to.

Billy3

#9 rds0256
  • Topic Starter

Posted 19 May 2009 - 06:16 AM

Billy,

Thank you for trying to help. I decided to do a reinstallation from the Dell software loaded on my computer, then reload my backed-up data files. The virus is gone; it's like a new computer.

Please close this topic.

#10 Billy O'Neal
  • Visual C++ STL Maintainer
  • Malware Response Team
  • Location: Redmond, Washington

Posted 19 May 2009 - 03:18 PM

Hello, rds0256
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3



