windows memory has a virus


3 replies to this topic

#1 traderboy

Posted 09 December 2011 - 02:14 PM

Using Windows XP, Internet Explorer 8.0.

Got a DEP message today (below). Outlook is starting to freeze up; IE pages open up without asking and also freeze up.

Can someone help me?

Understanding Data Execution Prevention

Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.

Unlike a firewall or antivirus program, DEP does not help prevent harmful programs from being installed on your computer. Instead, it monitors your programs to determine if they use system memory safely. To do this, DEP software works alone or with compatible microprocessors to mark some memory locations as "non-executable". If a program tries to run code—malicious or not—from a protected location, DEP closes the program and notifies you.

DEP can take advantage of software and hardware support. To use DEP, your computer must be running Microsoft Windows XP Service Pack 2 (SP2) or later, or Windows Server 2003 Service Pack 1 or later. DEP software alone helps protect against certain types of malicious code attacks but to take full advantage of the protection that DEP can offer, your processor must support "execution protection". This is a hardware-based technology designed to mark memory locations as non-executable. If your processor does not support hardware-based DEP, it's a good idea to upgrade to a processor that offers execution protection features.

Is it safe to run a program again if DEP has closed it?

Yes, but only if you leave DEP turned on for that program. Windows can continue to detect attempts to execute code from protected memory locations and help prevent attacks. In cases where a program does not run correctly with DEP turned on, you can reduce security risks by getting a DEP-compatible version of the program from the software publisher. For more information about what to do after DEP closes a program, click Related Topics.

How can I tell if DEP is available on my computer?

1. To open System Properties, click Start, click Control Panel, and then double-click System.
2. Click the Advanced tab and, under Performance, click Settings.
3. Click the Data Execution Prevention tab.

Note

By default, DEP is only turned on for essential Windows operating system programs and services. To help protect more programs with DEP, select Turn on DEP for all programs and services except those I select.
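
The help text above describes the Data Execution Prevention tab; the same policy can be read without the GUI. The following Python script is an added example (it is not part of the post or of Microsoft's help text): on Windows XP SP2 and later the system-wide DEP policy is stored as a `/noexecute=` switch in boot.ini, which the script parses, and on XP SP3 or later the kernel also reports it through `GetSystemDEPPolicy()`, which the script calls when it runs on Windows. The boot.ini content is constructed for the example.

```python
"""Read the system-wide DEP policy on Windows XP.

Added example; not code from the thread or from Microsoft's help text.
XP SP2 and later store the policy as a /noexecute switch in boot.ini, and
XP SP3 (and Vista+) also expose it through kernel32!GetSystemDEPPolicy().
"""
import ctypes
import re
import sys

# DEP_SYSTEM_POLICY_TYPE values returned by GetSystemDEPPolicy().
DEP_POLICY_NAMES = {0: "AlwaysOff", 1: "AlwaysOn", 2: "OptIn", 3: "OptOut"}

# boot.ini switch spellings -> the same policy names (matched case-insensitively).
_SWITCH_NAMES = {"optin": "OptIn", "optout": "OptOut",
                 "alwayson": "AlwaysOn", "alwaysoff": "AlwaysOff"}
_NOEXECUTE_RE = re.compile(r"/noexecute=(optin|optout|alwayson|alwaysoff)\b", re.IGNORECASE)
_EXECUTE_RE = re.compile(r"/execute\b", re.IGNORECASE)   # /execute turns DEP off entirely


def parse_boot_ini_dep(text):
    """Map each [operating systems] entry label to its DEP policy name.

    The value is None when an entry carries neither /noexecute nor /execute.
    """
    policies = {}
    in_os_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_os_section = line.lower() == "[operating systems]"
            continue
        if not in_os_section or "=" not in line:
            continue
        # Entry format: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Label" /switches
        _, rhs = line.split("=", 1)
        label_match = re.match(r'\s*"([^"]*)"', rhs)
        label = label_match.group(1) if label_match else rhs.strip()
        m = _NOEXECUTE_RE.search(rhs)
        if m:
            policies[label] = _SWITCH_NAMES[m.group(1).lower()]
        elif _EXECUTE_RE.search(rhs):
            policies[label] = "AlwaysOff"
        else:
            policies[label] = None
    return policies


def dep_covers_all_programs(policy):
    """True when every process is protected by default (what the
    'Turn on DEP for all programs and services except those I select'
    option sets), rather than only core Windows binaries (OptIn)."""
    return policy in ("OptOut", "AlwaysOn")


def query_system_dep_policy():
    """Ask the running kernel for its policy; None off Windows or if the
    export is absent (XP before SP3)."""
    if sys.platform != "win32":
        return None
    try:
        code = ctypes.windll.kernel32.GetSystemDEPPolicy()
    except AttributeError:
        return None
    return DEP_POLICY_NAMES.get(code)


# Constructed sample boot.ini (not from the poster's machine): one entry with the
# XP default OptIn policy, one recovery entry that has DEP switched off.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Recovery" /execute /fastdetect
"""

if __name__ == "__main__":
    for label, policy in parse_boot_ini_dep(SAMPLE_BOOT_INI).items():
        print(f"{label}: {policy}; all programs covered: {dep_covers_all_programs(policy)}")
    print("kernel reports:", query_system_dep_policy())
```

OptIn, the XP default, covers only Windows binaries, so a DEP message from a third-party program on an OptIn machine means that program had chosen to opt in (or was compiled with NX compatibility); if you want the wider coverage the note above recommends, the policy to look for is OptOut.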

#2 Broni

Posted 09 December 2011 - 08:09 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
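
The MiniToolBox checklist above includes the Winsock catalog, which is where layered service providers (LSPs) and name-space providers register themselves. The following Python script is an added example, not code from the thread, from Farbar's MiniToolBox or from BleepingComputer: it parses the "Winsock entries" section in the layout MiniToolBox prints and flags entries whose DLL could not be found, third-party providers outside System32, and a catalog in which every entry is unresolved. The report lines are constructed; `Example\lspx.dll` is a placeholder name.

```python
"""Triage the 'Winsock entries' section of a MiniToolBox report.

Added example; not code from the thread, from Farbar's MiniToolBox or from
BleepingComputer. It reads lines of the form

    Catalog9 02 C:\\Windows\\System32\\mswsock.dll [245248] (Microsoft Corporation)

where Catalog9 holds transport providers (the LSP chain) and Catalog5 the
name-space providers, and reports the entries a responder should check
before trusting anything the network stack says.
"""
import re

WINSOCK_LINE = re.compile(
    r"^(?P<catalog>Catalog[59])\s+(?P<index>\d+)\s+(?P<path>.+?)\s+"
    r"\[(?P<status>[^\]]*)\]\s+\((?P<vendor>[^)]*)\)\s*$"
)
# Microsoft's own providers live here; anything else is third-party by definition.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_winsock_section(text):
    """Return one dict per catalog line; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = WINSOCK_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["index"] = int(e["index"])
        e["vendor"] = e["vendor"].strip()
        e["missing"] = e["status"].lower() == "file not found"
        e["size"] = int(e["status"]) if e["status"].isdigit() else None
        entries.append(e)
    return entries


def triage_winsock(entries):
    """Return (severity, message) pairs; severity is 'high' or 'review'."""
    findings = []
    for e in entries:
        where = f"{e['catalog']} {e['index']:02d} {e['path']}"
        if e["missing"]:
            findings.append(("high", f"{where}: provider DLL could not be found on disk"))
        elif not SYSTEM_DIR_RE.match(e["path"]):
            # Third-party LSP/NSP: a named vendor (e.g. Bonjour) is merely worth a look,
            # an anonymous one is a priority.
            sev = "review" if e["vendor"] else "high"
            findings.append((sev, f"{where}: third-party provider outside System32 "
                                  f"(vendor: {e['vendor'] or 'none'})"))
        elif not e["vendor"]:
            findings.append(("review", f"{where}: System32 file with no vendor name"))
    # When every entry of a catalog is unresolved, the tool could not resolve the base
    # provider (mswsock.dll) at all: a chain-wide problem, not one bad LSP to remove.
    for cat in ("Catalog5", "Catalog9"):
        cat_entries = [e for e in entries if e["catalog"] == cat]
        if cat_entries and all(e["missing"] for e in cat_entries):
            findings.append(("high", f"{cat}: every provider entry is unresolved"))
    return findings


# Constructed sample in MiniToolBox's layout; 'Example\lspx.dll' is a placeholder name.
SAMPLE_REPORT = r"""========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog5 04 C:\Program Files\Example\lspx.dll [40960] ()
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
"""

if __name__ == "__main__":
    for severity, message in triage_winsock(parse_winsock_section(SAMPLE_REPORT)):
        print(f"[{severity:6}] {message}")
```

A "File Not found" status on an entry means the tool could not locate the DLL the catalog names; whether the registry chain or the file itself is at fault needs the other sections of the report (and the netsh behaviour on the machine) to decide, which is why the script only ranks entries rather than naming a cause.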


#3 traderboy

Posted 11 December 2011 - 01:30 AM

Hi Broni,

I ran all 4 programs and had some minor issues. On the security scan, I'm missing... netsh.exe - Entry Point Not Found

The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll.

After Malware ran, a log was not generated. Found 2 infected files as follows:

infected files - trojan.dropper registry value HKEY_LOCAL_machine\software\microsoft\windows\currentversion\sharedDLLs\c:\windows\system32|av_wmfdist9.exe

infected files - trojan.dropper file c:\windows\system32\av_wmfdist9.exe

No logs were found or opened - access was denied

---------------------------
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-07 (12-47-06).txt
---------------------------
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-07 (12-47-06).txt

Access is denied.

---------------------------
OK
---------------------------

---------------------------
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-10 (21-20-02).txt
---------------------------
C:\Documents and Settings\Owner\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2011-12-10 (21-20-02).txt

Access is denied.

Here are the 3 logs:

CHECKUP

Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
SonicStage Mastering Studio Audio Filter Custom Preset
Trend Micro Titanium Internet Security
Trend Micro™ Titanium™ Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Java™ 6 Update 29
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Out of date Java installed!
Adobe Flash Player ( 10.3.181.22) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
``````````End of Log````````````

MINI TOOL BOX

MiniToolBox by Farbar
Ran by Owner (administrator) on 10-12-2011 at 20:43:36
Microsoft Windows XP Professional Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 2
Hosts file not detected in the default directory
========================= IP Configuration: ================================

Intel® PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Connected)
1394 Net Adapter = 1394 Connection (Connected)
Intel® PRO/100 VE Network Connection = Local Area Connection (Media disconnected)
The following helper DLL cannot be loaded: IFMON.DLL.
The following command was not found: int ip dump.


Windows IP Configuration



Host Name . . . . . . . . . . . . : 480037D956F7448

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : hsd1.nj.comcast.net.



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . : hsd1.nj.comcast.net.

Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection

Physical Address. . . . . . . . . : 00-13-02-D4-C8-EA

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.101

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 68.87.64.150

68.87.75.198

Lease Obtained. . . . . . . . . . : Saturday, December 10, 2011 5:44:16 PM

Lease Expires . . . . . . . . . . : Sunday, December 11, 2011 5:44:16 PM



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection

Physical Address. . . . . . . . . : 00-13-A9-46-8E-73



Pinging google.com [74.125.113.106] with 32 bytes of data:



Reply from 74.125.113.106: bytes=32 time=31ms TTL=49

Reply from 74.125.113.106: bytes=32 time=30ms TTL=49



Ping statistics for 74.125.113.106:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 30ms, Maximum = 31ms, Average = 30ms



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=90ms TTL=44

Reply from 98.137.149.56: bytes=32 time=93ms TTL=44



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 90ms, Maximum = 93ms, Average = 91ms



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 13 02 d4 c8 ea ...... Intel® PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
0x3 ...00 13 a9 46 8e 73 ...... Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 192.168.1.101 192.168.1.101 20
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 192.168.1.101 3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 mswsock.dll [File Not found] ()
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 mswsock.dll [File Not found] ()
Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [152864] (Apple Inc.)
Catalog9 01 mswsock.dll [File Not found] ()
Catalog9 02 mswsock.dll [File Not found] ()
Catalog9 03 mswsock.dll [File Not found] ()
Catalog9 04 mswsock.dll [File Not found] ()
Catalog9 05 mswsock.dll [File Not found] ()
Catalog9 06 mswsock.dll [File Not found] ()
Catalog9 07 mswsock.dll [File Not found] ()
Catalog9 08 mswsock.dll [File Not found] ()
Catalog9 09 mswsock.dll [File Not found] ()
Catalog9 10 mswsock.dll [File Not found] ()
Catalog9 11 mswsock.dll [File Not found] ()
Catalog9 12 mswsock.dll [File Not found] ()
Catalog9 13 mswsock.dll [File Not found] ()
Catalog9 14 mswsock.dll [File Not found] ()
Catalog9 15 mswsock.dll [File Not found] ()
Catalog9 16 mswsock.dll [File Not found] ()
Catalog9 17 mswsock.dll [File Not found] ()
Catalog9 18 mswsock.dll [File Not found] ()
Catalog9 19 mswsock.dll [File Not found] ()
Catalog9 20 mswsock.dll [File Not found] ()
Catalog9 21 mswsock.dll [File Not found] ()

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/10/2011 01:27:18 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/09/2011 09:50:48 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/09/2011 09:50:43 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/09/2011 09:50:39 PM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/09/2011 00:41:19 PM) (Source: Application Error) (User: )
Description: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module unknown, version 0.0.0.0, fault address 0xd0192bc0.
Processing media-specific event for [iexplore.exe!ws!]

Error: (12/08/2011 09:17:34 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/08/2011 08:34:24 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/07/2011 01:56:29 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/07/2011 01:55:59 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Error: (12/07/2011 01:55:33 AM) (Source: MsiInstaller) (User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.


System errors:
=============
Error: (12/10/2011 06:46:42 PM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 11:49:18 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 08:35:08 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 03:09:38 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 03:09:38 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 03:09:38 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 03:02:47 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 02:46:41 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 02:31:06 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127

Error: (12/10/2011 02:16:26 AM) (Source: Service Control Manager) (User: )
Description: The Network Location Awareness (NLA) service terminated with the following error:
%%127


Microsoft Office Sessions:
=========================
Error: (12/10/2011 01:27:18 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/09/2011 09:50:48 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/09/2011 09:50:43 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/09/2011 09:50:39 PM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/09/2011 00:41:19 PM) (Source: Application Error)(User: )
Description: iexplore.exe8.0.6001.18702unknown0.0.0.0d0192bc0

Error: (12/08/2011 09:17:34 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/08/2011 08:34:24 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/07/2011 01:56:29 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/07/2011 01:55:59 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)

Error: (12/07/2011 01:55:33 AM) (Source: MsiInstaller)(User: SYSTEM)SYSTEM
Description: Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.(NULL)(NULL)(NULL)


=========================== Installed Programs ============================

Acrobat.com (Version: 2.1.0)
Acrobat.com (Version: 2.1.0.0)
Adobe AIR (Version: 2.0.2.12610)
Adobe Flash Player 10 ActiveX (Version: 10.1.53.64)
Adobe Flash Player 10 Plugin (Version: 10.3.181.22)
Adobe Reader 9.3.4 (Version: 9.3.4)
Apple Application Support (Version: 1.5.0)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Ask Toolbar (Version: 1.13.1.0)
Bonjour (Version: 2.0.4.0)
Cisco Network Magic (Version: 5.5.09195.0)
CleanUp!
DeductionPro 2008 (Version: 16.04)
DSD Direct (Version: 1.0.02)
DSD Playback Plug-in 1.0
DVgate Plus
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221 (Version: 20040219.000000)
Image Converter 2 Plus (Version: 2.2.06)
ImageStation (Version: 1.0.0)
Intel® Graphics Media Accelerator Driver (Version: 6.14.10.4543)
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for VAIO (Version: 5.0-B11.795)
ISScript (Version: 3.00.185)
iTunes (Version: 10.2.1.1)
J2SE Runtime Environment 5.0 Update 10 (Version: 1.5.0.100)
J2SE Runtime Environment 5.0 Update 11 (Version: 1.5.0.110)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 2 (Version: 1.6.0.20)
Java™ 6 Update 29 (Version: 6.0.290)
Java™ 6 Update 3 (Version: 1.6.0.30)
Java™ SE Runtime Environment 6 Update 1 (Version: 1.6.0.10)
LAN Setting Utility
Macromedia Flash Player 8 (Version: 8.0.24.0)
Macromedia Flash Player 8 Plugin (Version: 8.0.24.0)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
mCore (Version: 5.40.0000)
mDriver (Version: 5.40.0000)
Memory Stick Formatter
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Data Access Components KB870669
Microsoft Digital Image Library 9 - Blocker (Version: 9.00.0000)
Microsoft Digital Image Starter Edition 2006 (Version: 11.0.0422)
Microsoft Digital Image Starter Edition 2006 Editor (Version: 11.0.0422)
Microsoft Digital Image Starter Edition 2006 Library (Version: 11.0.0422)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium (Version: 9.00.2720)
Microsoft Office 2003 Primary Interop Assemblies (Version: 11.0.6553.0)
Microsoft Office Standard Edition 2003 (Version: 11.0.6361.0)
Microsoft SQL Server Desktop Engine (VAIO_VEDB) (Version: 8.00.761)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual Studio 2005 Tools for Office Runtime (Version: 8.0.60940.0)
Microsoft Works (Version: 08.05.0818)
mMHouse (Version: 5.40.0000)
mPfMgr (Version: 5.40.0000)
mProSafe (Version: 9.00.0000)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP2 Parser and SDK (Version: 4.20.9818.0)
mWlsSafe (Version: 9.00.0000)
mXML (Version: 5.40.0000)
Network Magic (Version: 5.5.9195.0)
NVIDIA Drivers
Office 2003 Trial Assistant (Version: 1.0.0)
OpenMG AAC Add-on Module 1.0.00 (Version: 1.0.00.04270)
OpenMG Metadata Extractor for Windows Media Player (Version: 1.0.02.03110)
OpenMG Secure Module 4.6.01 (Version: 4.6.01.10041)
Pdf995 (installed by TaxCut)
PdfEdit995
Punch! Professional Home Design
Pure Networks Platform (Version: 11.2.09195.1)
QuickBooks (Version: 19.0.4010.705)
QuickBooks Pro 2009 (Version: 19.0.4010.705)
QuickTime (Version: 7.69.80.9)
Revo Uninstaller Pro 2.5.5 (Version: 2.5.5)
Search Enhancement by AOL Search
Setting Utility Series
SigmaTel Audio (Version: 5.10.4811.0)
Sonic Encoders (Version: 1.00)
SonicStage 4.2 (Version: 4.2)
SonicStage Mastering Studio 2.2
SonicStage Mastering Studio Audio Filter Custom Preset
SonicStage Mastering Studio Plugins
Sony Certificate PCH
Sony Download Taxi 1.5.0.0
Sony MP4 Shared Library (Version: 2.0)
Sony USB Mouse
Sony Utilities DLL
Sony Video Shared Library (Version: 2.0.01)
Spybot - Search & Destroy (Version: 1.6.2)
SUPERAntiSpyware (Version: 5.0.1136)
SupportSoft Assisted Service (Version: 15)
Symantec KB-DocID:2003093015493306 (Version: 1.0.0.1)
TaxACT 2007 Business 1065 Edition
TaxACT 2008
TaxACT 2008 Business 1065 Edition
TaxACT 2008 New Jersey
TaxACT 2009
TaxACT 2009 Business 1065 Edition
TaxACT 2009 New Jersey
TaxACT 2010 Business 1065 Edition
TaxACT 2010 New Jersey - 1065 Edition
TaxCut New Jersey 2007 (Version: 1.07.3701)
TaxCut New Jersey 2008 (Version: 1.08.2901)
TaxCut Premium + State + Efile 2008 (Version: 08.07.7101)
TaxCut Premium + State 2007 (Version: 07.04.0000)
TaxCut Premium 2006
Trend Micro Titanium Internet Security (Version: 3.1.1109)
Trend Micro™ Titanium™ Internet Security (Version: 3.00)
TuneUp Utilities (Version: 9.0.6010.7)
TuneUp Utilities Language Pack (en-US) (Version: 9.0.6010.7)
Update Rollup 2 for Windows XP Media Center Edition 2005
VAIO Backup Utility (Version: 1.00.09306)
VAIO Breeze Wallpaper (Version: 1.0.01.13200)
VAIO Camera Utility
VAIO Central (Version: 1.1.02.032706)
VAIO Entertainment Platform (Version: 1.3.32.06120)
VAIO Event Service (Version: 2.3.00.05310)
VAIO Hardware Diagnostics
VAIO Light Flo Wallpaper
VAIO Media 5.0 (Version: 5.0.20)
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 5.0
VAIO Media Redistribution 5.0 (Version: 5.0.20)
VAIO Media Registration Tool 5.0 (Version: 5.0.00)
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Cozy Screen SD Wide Contents
VAIO Power Management
VAIO Registration (Version: 17.1.1)
VAIO Security Center (Version: 2.02.0320)
VAIO Support Central (Version: 1.1.0.060412)
VAIO Update 2
VAIO Wireless LAN Setup Utility
VAIOSurveySA (Version: 4.02)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebEx Support Manager for Internet Explorer (Version: 6.5.4917)
WebFldrs XP (Version: 9.50.7523)
Windows Driver Package - Intel Corporation (ialm) Display (03/23/2006 6.14.10.4543) (Version: 03/23/2006 6.14.10.4543)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.5.0530.0)
Windows Internet Explorer 7 (Version: 20061107.210142)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB886612 for more information]
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70)
Windows Rights Management Client with Service Pack 2 (Version: 5.2.70)
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3 (Version: 20080414.031525)
Wireless Switch Setting Utility

========================= Memory info: ===================================

Percentage of memory in use: 75%
Total physical RAM: 1014.11 MB
Available physical RAM: 243.55 MB
Total Pagefile: 2441.09 MB
Available Pagefile: 1454.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1972.27 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:104.79 GB) (Free:80.75 GB) NTFS
4 Drive g: (USB20FD) (Removable) (Total:7.53 GB) (Free:5.89 GB) FAT32

========================= Users: ========================================

User accounts for \\480037D956F7448

Administrator ASPNET Guest
HelpAssistant Owner SUPPORT_388945a0


**** End of log ****

GMER LOG

Rootkit scan 2011-12-11 00:39:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e FUJITSU_MHV2120BH_PL rev.00000029
Running: d65suthq.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\awryifoc.sys


---- System - GMER 1.0.15 ----

SSDT 84F82780 ZwCreateKey
SSDT 86CF5500 ZwCreateMutant
SSDT 84F81580 ZwCreateProcess
SSDT 84F81880 ZwCreateProcessEx
SSDT 86CF58C0 ZwCreateSymbolicLinkObject
SSDT 86CF5020 ZwCreateThread
SSDT 84F82D80 ZwDeleteKey
SSDT 84F83680 ZwDeleteValueKey
SSDT 86CF5AA0 ZwDuplicateObject
SSDT 86CF5200 ZwLoadDriver
SSDT 84F81B80 ZwOpenProcess
SSDT 84F83C60 ZwOpenSection
SSDT 84F81E80 ZwOpenThread
SSDT 84F83080 ZwRenameKey
SSDT 84F83380 ZwRestoreKey
SSDT 86CF56E0 ZwSetSystemInformation
SSDT 84F82A80 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA2A2640]
SSDT 84F82480 ZwTerminateThread
SSDT 84F83E40 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text i8042prt.sys F771F000 9 Bytes [90, 90, 90, 90, 8B, FF, 55, ...] {NOP ; NOP ; NOP ; NOP ; MOV EDI, EDI; PUSH EBP; MOV EBP, ESP}
.text i8042prt.sys F771F00A 12 Bytes [56, 8B, 75, 08, 57, 33, FF, ...]
.text i8042prt.sys F771F017 29 Bytes [87, 38, 33, DB, 38, 5D, 14, ...]
.text i8042prt.sys F771F036 13 Bytes [38, 5D, 0C, 0F, 85, BC, 10, ...]
.text i8042prt.sys F771F044 16 Bytes [00, A1, 00, 19, 72, F7, FF, ...] {ADD [ECX-0x88de700], AH; PUSH DWORD [EAX+0x4]; CALL [0xf772146c]; PUSH EBX}
.text ...
? C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE000A
.text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00FF000A
.text C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00FD000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F641A000-F6433000 (102400 bytes)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB38010$\2236544337 0 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178 0 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\bckfg.tmp 851 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\keywords 195 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\L 0 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\L\kigndqek 52480 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\lsflt7.ver 9000 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U 0 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB38010$\3657453178\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,707 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:08:38 PM

Posted 11 December 2011 - 11:19 AM

You'll need more advanced help.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
