As soon as the computer showed a problem, I had to start in Safe Mode to run MBAM. I updated it first. I did run MBAM first, before all the other scanners.
First MBAM scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4363
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
7/28/2010 11:44:27 AM
mbam-log-2010-07-28 (11-44-27).txt
Scan type: Full scan (C:\|)
Objects scanned: 348486
Time elapsed: 51 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijvitmvy (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ijvitmvy (Trojan.Dropper) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\MikeKafka\Local Settings\Application Data\qrkxjyrgr\vmlllwytssd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\MikeKafka\Local Settings\Temp\0.0017157700178270785.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
This did adjust my proxy settings, which I had to correct to get back on the internet.
GMER One scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-07-29 14:57:49
Windows 5.1.2600 Service Pack 3
Running: 6p1us4dz.exe; Driver: C:\DOCUME~1\MIKEKA~1\LOCALS~1\Temp\uxtiiuog.sys
---- System - GMER 1.0.15 ----
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70B5] ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70BA]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70BA] ZwEnumerateValueKey [0x804D70BA]
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
---- Threads - GMER 1.0.15 ----
Thread System [4:3456] B93F089C
Thread System [4:684] B93F089C
Thread System [4:2868] B93F089C
Thread System [4:3056] B93F089C
Thread System [4:3516] B93F089C
Thread System [4:3520] B93F089C
Thread System [4:3524] B93F089C
Thread System [4:3664] B93F089C
Thread System [4:3540] B93F089C
Thread System [4:3548] B93F089C
Thread System [4:3552] B93F089C
Thread System [4:3572] B93DA17A
---- EOF - GMER 1.0.15 ----
GMER Two scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-30 07:18:58
Windows 5.1.2600 Service Pack 3
Running: 6p1us4dz.exe; Driver: C:\DOCUME~1\MIKEKA~1\LOCALS~1\Temp\uxtiiuog.sys
---- System - GMER 1.0.15 ----
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70B5] ZwEnumerateKey [0x804D70B5]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x804D70BA]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70BA] ZwEnumerateValueKey [0x804D70BA]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70C9]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70C9] ZwOpenKey [0x804D70C9]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x804D70C4]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70C4] ZwQueryKey [0x804D70C4]
SSDT \WINDOWS\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x804D70BF]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D70BF] ZwQueryValueKey [0x804D70BF]
INT 0x03 \WINDOWS\system32\ntoskrnl.exe[unknown section] 804D70D3
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA78316D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA782FC2
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
---- Threads - GMER 1.0.15 ----
Thread System [4:3456] B93F089C
Thread System [4:684] B93F089C
Thread System [4:2868] B93F089C
Thread System [4:3056] B93F089C
Thread System [4:3516] B93F089C
Thread System [4:3520] B93F089C
Thread System [4:3524] B93F089C
Thread System [4:3664] B93F089C
Thread System [4:3540] B93F089C
Thread System [4:3548] B93F089C
Thread System [4:3552] B93F089C
Thread System [4:3572] B93DA17A
---- EOF - GMER 1.0.15 ----
DDS scan:
DDS (Ver_10-03-17.01) - NTFSx86
Run by mikekafka at 8:09:43.59 on Fri 07/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.452 [GMT -5:00]
AV: Trend Micro Client/Server Security Agent Antivirus *On-access scanning enabled* (Updated) {1CA58887-907A-48FF-9D41-A84F2917BF08}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\hasplms.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\SolidWorks (3)\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmProxy.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\hpnra.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\MikeKafka\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1003\TmIEPlg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [OE] "c:\program files\trend micro\client server security agent\tmas_oe\TMAS_OEMon.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\mikeka~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks2007\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 4.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123157963078
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147958819945
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/pages/services/subscription/downloads/sldimdownload.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://symantec.webex.com/client/T26L10NSP49EP23/support/ieatgpc.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1003\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 nwprovau
============= SERVICES / DRIVERS ===============
R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 Remote Solver for COSMOSFloWorks 2007;Remote Solver for COSMOSFloWorks 2007;c:\program files\solidworks (3)\cosmosfloworks\floworks\bincfw\StandAloneSlv.exe [2007-7-23 675840]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-1-15 50704]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2010-1-15 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2010-1-15 36368]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB19 [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-1-15 339984]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2010-1-15 497008]
R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2010-1-15 689416]
=============== Created Last 30 ================
2010-07-14 06:52:19 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
==================== Find3M ====================
2010-05-05 13:30:57 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2008-08-20 15:02:11 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat
============= FINISH: 8:10:38.73 ===============
Attach.txt is attached.
PP, please let me know what you think. I am running a second MBAM scan now and will post the new log when it completes.
Thanks
Scott