Thanks for taking the case TheBruce1.
Below is posted the text from my ComboFix log. However, there was a small problem. I had to run the scan about 4 times before I could get it to generate a log because it would freeze after ComboFix rebooted the laptop. I finally got it to generate the log, but I did notice that during the first scan there were several files deleted. It also popped up a message and instructed me to write down 3 filenames that might be needed later.
Here are the files that I wrote down:
C:\WINDOWS\system32\drivers\MSIVXtuijxvalqbdqolwoppxdqvrbujkvdxbn.sys
C:\WINDOWS\system32\MSIVXgsntymxajudkvscmqfulhbflrcxmgeip.dll
C:\WINDOWS\system32\MSIVXenrliefxrdeaubiyfvpwmykirpieaxmt.dll
There were, I think, 2 more files that were deleted during the scan, but I do not remember what they were. I just noticed that the above 3 were deleted.
ComboFix 09-06-28.06 - Brad Blanton 06/29/2009 12:25.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1559 [GMT -4:00]
Running from: c:\documents and settings\Brad Blanton\Desktop\Combo-Fix1.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SYS
-------\Legacy_SYSDRV
-------\Service_sys
-------\Service_sysdrv
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.
2009-06-29 15:55 . 2009-06-29 16:13 -------- d-s---w- C:\Combo-Fix
2009-06-29 14:09 . 2001-08-17 16:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys
2009-06-29 14:07 . 2001-08-18 02:36 41472 ----a-w- c:\windows\system32\dllcache\qvusd.dll
2009-06-29 14:06 . 2001-08-18 02:36 16384 ----a-w- c:\windows\system32\dllcache\philcam1.dll
2009-06-29 14:05 . 2001-08-17 18:05 28032 ----a-w- c:\windows\system32\dllcache\ovcd.sys
2009-06-29 14:05 . 2001-08-17 18:05 48000 ----a-w- c:\windows\system32\dllcache\ovcam2.sys
2009-06-29 14:05 . 2001-08-17 18:05 25088 ----a-w- c:\windows\system32\dllcache\ovca.sys
2009-06-29 14:05 . 2001-08-17 17:28 54186 ----a-w- c:\windows\system32\dllcache\otcsercb.sys
2009-06-29 14:05 . 2001-08-17 16:12 43689 ----a-w- c:\windows\system32\dllcache\otceth5.sys
2009-06-29 14:05 . 2001-08-17 16:12 27209 ----a-w- c:\windows\system32\dllcache\otc06x5.sys
2009-06-29 14:05 . 2001-08-17 16:20 54528 ----a-w- c:\windows\system32\dllcache\opl3sax.sys
2009-06-29 14:05 . 2001-08-17 16:50 198144 ----a-w- c:\windows\system32\dllcache\nv3.sys
2009-06-29 14:05 . 2001-08-18 02:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll
2009-06-29 14:05 . 2001-08-17 16:49 51552 ----a-w- c:\windows\system32\dllcache\ntgrip.sys
2009-06-29 14:05 . 2001-08-17 17:47 9344 ----a-w- c:\windows\system32\dllcache\ntapm.sys
2009-06-29 14:05 . 2008-04-13 18:54 28672 ----a-w- c:\windows\system32\dllcache\nscirda.sys
2009-06-29 14:05 . 2001-08-17 17:53 7552 ----a-w- c:\windows\system32\dllcache\nsmmc.sys
2009-06-29 14:02 . 2001-08-17 17:49 19968 ----a-w- c:\windows\system32\dllcache\mxnic.sys
2009-06-29 14:01 . 2001-08-18 02:36 47616 ----a-w- c:\windows\system32\dllcache\memgrp.dll
2009-06-29 14:00 . 2001-08-17 16:12 19016 ----a-w- c:\windows\system32\dllcache\ktc111.sys
2009-06-29 13:59 . 2001-08-17 18:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys
2009-06-29 13:58 . 2001-08-18 02:36 9759 ----a-w- c:\windows\system32\dllcache\hsf_inst.dll
2009-06-29 13:57 . 2001-08-17 18:02 8576 ----a-w- c:\windows\system32\dllcache\hidgame.sys
2009-06-29 13:56 . 2001-08-17 17:52 7040 ----a-w- c:\windows\system32\dllcache\exabyte2.sys
2009-06-29 13:55 . 2001-08-17 17:28 241206 ----a-w- c:\windows\system32\dllcache\el656se5.sys
2009-06-29 13:54 . 2001-08-17 16:17 29531 ----a-w- c:\windows\system32\dllcache\dgapci.sys
2009-06-29 13:53 . 2001-08-17 16:13 21530 ----a-w- c:\windows\system32\dllcache\ce2n5.sys
2009-06-29 13:52 . 2001-08-17 18:55 96128 ----a-w- c:\windows\system32\dllcache\ati.dll
2009-06-29 13:51 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-06-25 11:55 . 2009-06-25 11:55 2 ----a-w- c:\windows\010112010146115110.dat
2009-06-24 16:12 . 2009-06-28 07:40 -------- d-----w- c:\program files\zMUD
2009-06-24 16:06 . 2009-06-24 16:06 1 ---h--w- c:\windows\jmmark2.dat
2009-06-24 16:06 . 2009-06-24 16:06 2 ----a-w- c:\windows\0101120101465749.dat
2009-06-24 16:06 . 2009-06-24 16:06 2 ----a-w- c:\windows\0101120101465452.dat
2009-06-24 16:06 . 2009-06-24 16:06 1 ---h--w- c:\windows\bf23567.dat
2009-06-24 16:03 . 2009-06-24 16:04 -------- d-----w- c:\temp\bittorrent
2009-06-24 15:10 . 2009-06-24 16:21 -------- d-----w- c:\temp\zmud
2009-06-24 14:33 . 2009-06-24 15:53 -------- d-----w- C:\Gmud
2009-06-24 14:31 . 2009-06-24 14:32 -------- d-----w- c:\temp\gmud
2009-06-24 14:15 . 2009-06-24 14:15 -------- d-----w- c:\program files\SpywareBlaster
2009-06-24 13:44 . 2009-06-24 13:44 -------- d-----w- c:\documents and settings\NetworkService\Application Data\SACore
2009-06-24 13:41 . 2009-06-24 13:41 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2009-06-04 13:37 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe
2009-06-04 13:37 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-04 13:37 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-04 13:37 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-04 13:37 . 2009-02-06 11:08 2189056 ----a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-06-04 13:35 . 2008-12-11 10:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-06-04 13:34 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-04 13:34 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-04 13:30 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 14:48 . 2008-02-18 18:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-28 08:11 . 2006-06-22 23:23 6580 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-28 08:11 . 2006-06-22 23:23 104 --sh--r- c:\windows\system32\846BA418DA.sys
2009-06-28 07:39 . 2007-11-13 16:09 -------- d-----w- c:\documents and settings\Brad Blanton\Application Data\IGN_DLM
2009-06-25 01:00 . 2009-04-01 02:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-06-05 12:55 . 2006-03-24 21:27 -------- d-----w- c:\program files\City of Heroes
2009-06-04 21:12 . 2008-09-04 14:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-04 15:46 . 2008-08-27 15:36 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-06-04 15:46 . 2007-01-09 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-04 15:46 . 2008-08-27 15:36 2060128 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-06-04 15:22 . 2007-01-10 01:31 -------- d-----w- c:\program files\Microsoft SQL Server
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\UNINST_Uninstall_G_408FFBEED62349E08B232864A94D2864.exe
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
2009-05-27 16:57 . 2009-05-27 16:57 25214 ----a-r- c:\documents and settings\Brad Blanton\Application Data\Microsoft\Installer\{9509674F-3972-11DE-806D-005056806466}\ARPPRODUCTICON.exe
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2005-08-16 10:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2009-04-27 23:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-27 22:42 . 2009-04-27 22:42 152576 ----a-w- c:\documents and settings\Brad Blanton\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-27 22:32 . 2009-03-26 14:47 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-04-27 22:32 . 2009-03-26 14:47 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-06 16:19 . 2006-03-25 15:22 50288 ----a-w- c:\documents and settings\Brad Blanton\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 16:29 . 2005-08-16 10:41 88183 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2007-07-28 22:25 . 2007-07-25 06:38 905 ----a-w- c:\program files\uninstal.log
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Brad Blanton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-27 133104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShowLOMControl"="1 (0x1)" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-12-06 839680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-30 761947]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-20 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 106496]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-03-07 5181440]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-3-19 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sys
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/26/2009 10:47 AM 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [3/31/2009 10:21 PM 210216]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 4:53 PM 55664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 7:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder
2009-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-994032240-2872590641-1858184122-1005.job
- c:\documents and settings\Brad Blanton\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-27 16:54]
2009-06-29 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2009-03-24 16:23]
.
- - - - ORPHANS REMOVED - - - -
BHO-{3CBE5399-8D3D-481c-95B2-E7BA1A57BC1D} - c:\windows\system32\iehelper.dll
HKLM-Run-sysfbtray - c:\windows\freddy46.exe
HKU-Default-Run-system tool - c:\windows\sysguard.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.rr.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = about:blank
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: {38CA2F01-7AEA-4720-A637-E4ED18FE7129} = 213.174.139.72,192.168.0.1
TCP: {890FBE31-7DC7-4593-82C5-E10F4AA4125C} = 213.174.139.72,192.168.0.1
TCP: {D788F37A-7EDD-44A1-BA00-FDE6D4DC7BF5} = 213.174.139.72,192.168.0.1
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - hxxp://www.cabarrusncrod.org/controls/LTOCX14N.cab
DPF: {9841D1AE-9C0B-11D3-9452-00105A098C21} - hxxp://www.cabarrusncrod.org/controls/prntpro2.CAB
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://24.172.119.98/activex/AMC.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-06-29 12:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(892)
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'explorer.exe'(3912)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
.
Completion time: 2009-06-29 12:37
ComboFix-quarantined-files.txt 2009-06-29 16:37
ComboFix2.txt 2009-03-26 14:29
Pre-Run: 3,626,102,784 bytes free
Post-Run: 3,602,210,816 bytes free
222 --- E O F --- 2009-06-11 11:12