
DCOM process server error & Google Redirect

Discussion in 'Virus & Other Malware Removal' started by detheage, Feb 3, 2010.

  1. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    My problems are:

    -Frequent DCOM process server error followed by 60 second system shutdown timer ( I do know how to stop the timer).

    -all Google and Yahoo search results redirect me to random pages.

    -when opening new internet explorer tabs or windows I'm getting additional popups or redirects very frequently, and the system is running really slow.

    I have run fully updated versions of: AVG, Malwarebytes, Spybot:Search and Destroy, and Windows malicious software removal tool, none of them find any problems.

    Ad-aware worked until a couple days ago, now it causes the DCOM process server error and the program crashes if I try to: run it, get auto updates, uninstall it, or attempt to install a fresh copy.

    Please help. =(



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42:23 AM, on 2/3/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
    O4 - S-1-5-21-2025429265-573735546-682003330-1003 Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe (User '?')
    O4 - S-1-5-21-2025429265-573735546-682003330-1003 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User '?')
    O4 - Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231368707796
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
    O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    --
    End of file - 7308 bytes
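A helper reading a HijackThis log like the one above checks a few things by hand: browser start/search pages pointing somewhere unexpected, O4 autorun entries that launch bare filenames or oddly named binaries, a broken Winsock LSP chain, and O23 services whose executable is missing. The script below is an added example written for this page (it is not from the thread, and not HijackThis output); the rule set, the `Finding` class and the `allowed_hosts` parameter are its own assumptions, and the sample log is a constructed subset of the entries posted above.

```python
"""Triage a HijackThis v2 log.

Added example (not part of the thread): parses the R0/R1, O4, O10 and O23
lines and applies a few heuristics a helper checks first.  Every rule below
is this script's own assumption, not something HijackThis itself reports.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a handful of entries copied from the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)\.(exe|com|scr|bat|cmd|pif)$", re.I)
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Finding:
    section: str
    severity: str   # "high" | "medium" | "info"
    reason: str
    line: str


def command_image(cmd: str) -> str:
    """Return the executable named by an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str, allowed_hosts=("go.microsoft.com",)) -> list:
    """Apply the heuristics to every recognised entry and collect findings."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            host = urlsplit(url).hostname or ""
            if host and host not in allowed_hosts:
                findings.append(Finding(sec, "info", f"browser page setting points at non-default host {host}", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            if not r:   # Startup-folder .lnk entries have no [name] part; skipped here
                continue
            image = command_image(r.group("cmd"))
            base = image.rsplit("\\", 1)[-1]
            if DOUBLE_EXT_RE.search(base):
                findings.append(Finding(sec, "high", f"autorun '{r.group('name')}' launches a double-extension binary {base}", line))
            elif not ABS_PATH_RE.match(image):
                # A bare filename is resolved through the search path, so it is easy to shadow.
                findings.append(Finding(sec, "medium", f"autorun '{r.group('name')}' uses bare filename {image}, resolved via the search path", line))
        elif sec == "O10" and "missing" in body:
            findings.append(Finding(sec, "medium", "Winsock LSP chain references a missing provider", line))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "medium", "service is registered but its binary is missing", line))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 1, 'medium': 4, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(found))
```

Run against the sample, the script flags the webcrawler start page as informational, the two bare-filename autoruns and the missing Bonjour LSP and Ad-Aware service binary as medium, and the `stopzilla.exe.exe` autorun (registered under a Malwarebytes-sounding name) as high; the QuickTime and NVIDIA entries produce nothing. The rules are deliberately simple so that each finding can be checked against the raw line it came from.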
     
  2. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    bump.
     
  3. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
  4. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    bump, anyone?
     
  5. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    bump for day 10
     
  6. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Hello and welcome to TSG

    IMPORTANT

    Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
    To make cleaning this machine easier:-
    • Continue to respond to this thread until I give you the All Clean!
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
    • Please follow all instructions in the order posted.
    • If you have any questions or do not understand instructions, please ask before continuing.
    • Please reply to this thread. Do not start a new topic.
    • Topics not replied to within 3 days will be removed from my Subscribed Threads List.

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

    Please post this log on your next reply.

    NEXT Download and Run: RSIT

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    GMER Rootkit Scanner
    Download GMER Rootkit Scanner from here.
    • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries




    Please reply with:-
    • Uninstall list
    • RSIT logs ( info.txt and log.txt)
    • GMER Log
     
  7. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    I downloaded RSIT from the link you provided but I can't get it to work. After running the program, as soon as I click "continue" on the disclaimer I get this error message and the program closes:
    "AutoIt Error Line -1: Error: Variable used without being declared."

    Here are the other logs you requested, and thanks for your time.

    Uninstall list:

    Acrobat.com
    Acrobat.com
    Ad-Aware
    Adobe AIR
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9
    Adobe Shockwave Player 11
    Apple Software Update
    ArcSoft Panorama Maker 3
    Bonjour
    CamStudio
    Critical Update for Windows Media Player 11 (KB959772)
    DXG-506V
    Google Earth
    Graboid Video 1.3
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    hp deskjet 845c series (Remove only)
    HP Memories Disc
    HP Photo and Imaging 2.0 - Scanners
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    iTunes
    Java(TM) 6 Update 5
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla ActiveX Control v1.7.12
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 Parser and SDK
    Nero Suite
    Nikon Message Center
    NVIDIA Drivers
    OpenOffice.org 2.3
    Outspark Launcher
    PictureProject
    PowerDVD
    QuickTime
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Solid State ION Internet Explorer Plugin
    SoundMAX
    Standard PS/2 Multi-Media Keyboard Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973815)
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Wireless Camera Setup Utility
    Xfire (remove only)




    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-14 14:42:42
    Windows 5.1.2600 Service Pack 3
    Running: gt34vd80.exe; Driver: C:\DOCUME~1\LiNdSaY\LOCALS~1\Temp\fxtdqpod.sys

    ---- Devices - GMER 1.0.15 ----
    Device \Driver\00000861 -> \Driver\atapi \Device\Harddisk0\DR0 8734E50C
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] 1
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] \systemroot\system32\drivers\UACatwyqgvpcr.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\[email protected] file system
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\[email protected]
    ---- Files - GMER 1.0.15 ----
    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
    ---- EOF - GMER 1.0.15 ----
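The GMER log above carries three observations that belong together: a disk device served through an anonymous driver object in front of `\Driver\atapi`, registry entries for a service in a non-active ControlSet, and `atapi.sys` on disk reported as modified. The script below is an added example for this page (not from the thread and not GMER's own code) that splits a GMER log into its `---- Section ----` blocks and correlates the Devices and Files sections, raising a finding to critical when the hooked driver's file is also the one flagged as modified. The severity levels and the regexes are its own assumptions, and the sample log is constructed from the lines posted above.

```python
"""Parse a GMER rootkit-scanner log and correlate its sections.

Added example (not part of the thread and not GMER's own code): splits the
log into its "---- <Section> ----" blocks, then correlates a hooked disk
driver object with a modified driver file.  The severity rules are this
script's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample assembled from the GMER lines posted above.
SAMPLE_GMER = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-14 14:42:42
Windows 5.1.2600 Service Pack 3

---- Devices - GMER 1.0.15 ----
Device \Driver\00000861 -> \Driver\atapi \Device\Harddisk0\DR0 8734E50C
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
DEVICE_RE = re.compile(r"^Device (\S+) -> (\S+) (\S+)(?: [0-9A-Fa-f]+)?$")
REG_RE = re.compile(r"^Reg (\S+)(.*)$")
FILE_RE = re.compile(r"^File (?P<path>.+?)(?: (?P<note>suspicious modification|hidden))?$")
# Assumption: a driver object whose name is just eight hex digits is the anonymous
# object a bootkit inserts in front of the real disk driver.
UNNAMED_DRIVER_RE = re.compile(r"\\Driver\\[0-9A-Fa-f]{8}")


def parse_sections(text: str) -> dict:
    """Map each GMER section name to its non-empty lines; header lines are skipped."""
    sections = defaultdict(list)
    current = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line:
            sections[current].append(line)
    return dict(sections)


def analyse(text: str) -> list:
    """Return (severity, description) tuples; the cross-section correlation comes last."""
    sections = parse_sections(text)
    findings = []
    hooked = set()   # base names of real drivers fronted by an unnamed driver object
    for line in sections.get("Devices", []):
        m = DEVICE_RE.match(line)
        if m and UNNAMED_DRIVER_RE.fullmatch(m.group(1)):
            hooked.add(m.group(2).rsplit("\\", 1)[-1].lower())
            findings.append(("high", f"{m.group(3)} is served through unnamed driver object {m.group(1)} fronting {m.group(2)}"))
    per_service = defaultdict(list)
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        svc = m and re.search(r"\\Services\\([^\\@]+)", m.group(1))
        if svc:
            per_service[svc.group(1)].append(line)
    for svc, lines in per_service.items():
        note = " (in a non-active ControlSet)" if any("(not active ControlSet)" in l for l in lines) else ""
        findings.append(("medium", f"service '{svc}' has {len(lines)} GMER-flagged registry entries{note}"))
    for line in sections.get("Files", []):
        m = FILE_RE.match(line)
        if not m or not m.group("note"):
            continue
        stem = m.group("path").rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        if stem in hooked:
            # The modified file is the very driver whose object is hooked: treat as one finding.
            findings.append(("critical", f"{m.group('path')}: {m.group('note')}, and \\Driver\\{stem} is also hooked"))
        else:
            findings.append(("high", f"{m.group('path')}: {m.group('note')}"))
    return findings


if __name__ == "__main__":
    for sev, why in analyse(SAMPLE_GMER):
        print(f"[{sev}] {why}")
```

On the sample this yields one high finding for the hooked `\Device\Harddisk0\DR0`, one medium finding for the `UACd.sys` service entries, and a critical finding for `atapi.sys`, because its stem matches the driver the hook sits in front of. The EOF marker is parsed as a section with no lines, so it never appears in the output.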
     
  8. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Please post a new HJT instead of RSIT, thanks :)
     
  9. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:16:12 PM, on 2/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
    O4 - HKUS\S-1-5-21-2025429265-573735546-682003330-1003\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User '?')
    O4 - S-1-5-21-2025429265-573735546-682003330-1003 Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe (User '?')
    O4 - S-1-5-21-2025429265-573735546-682003330-1003 Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User '?')
    O4 - Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231368707796
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
    O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    --
    End of file - 7483 bytes
     
  10. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    You are not running an ANTIVIRUS, is this because of your problem at present?

    P2P PROGRAMS

    IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    BitTorrent DNA


    References for the risk of these programs can be found in these links:
    http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    P2P programs also open up access to the computer on which the program is installed. The computer's settings are more often than not changed in a manner that renders them insecure, and access to the computer is left open even when the program is not in use. Therefore, the system's security is compromised.

    So be aware that it's not just what's downloaded with P2P programs that creates problems, just having the program installed is like leaving all the doors to your house unlocked.

    My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

    If you wish to keep them, please do not use them until your computer is cleaned.


    TDSSKiller

    • Please Download TDSSKiller.zip and save it on your desktop.
    • Next extract (unzip) its contents to your Desktop.
    • Next double-click the TDSSKiller Folder on your desktop.
    • Next right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.<---Important
    • Next Highlight and copy all the text (including the quote marks) in the codebox below.
      Code:
      "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
    • Click Start, click Run... and paste the text above into the Open: line and click OK.
    • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
    • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
    • When finished a log file should be created on your desktop named tdsskiller.txt
    • Copy the contents of the log & post in your next reply.

    Download and run Combofix
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • If you need help to disable your protection programs see here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please reply with:-
    • TDSSkiller log
    • Combofix log
    • New HJT log
     
  11. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    ****EDIT: please read my next post; it contains info you may need.

    First, to answer your questions. I normally use AVG antivirus, but my computer has been running so slowly that when I run live virus protection the computer is almost unusable because it slows down so ridiculously slowly.

    As far as the p2p programs, I dl'ed them just to download a video game a long time ago, and haven't used them since, just never got around to deleting them. Thanks again for your time, this is all very much appreciated. =)

    And here are the logs you requested:

    18:25:33:656 6036 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
    18:25:33:656 6036 ================================================================================
    18:25:33:656 6036 SystemInfo:
    18:25:33:656 6036 OS Version: 5.1.2600 ServicePack: 3.0
    18:25:33:656 6036 Product type: Workstation
    18:25:33:656 6036 ComputerName: GX270
    18:25:33:656 6036 UserName: LiNdSaY
    18:25:33:656 6036 Windows directory: C:\WINDOWS
    18:25:33:656 6036 Processor architecture: Intel x86
    18:25:33:656 6036 Number of processors: 1
    18:25:33:656 6036 Page size: 0x1000
    18:25:33:656 6036 Boot type: Normal boot
    18:25:33:656 6036 ================================================================================
    18:25:33:671 6036 UnloadDriverW: NtUnloadDriver error 2
    18:25:33:671 6036 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    18:25:33:687 6036 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:25:33:750 6036 UtilityInit: KLMD drop and load success
    18:25:33:750 6036 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
    18:25:33:750 6036 UtilityInit: KLMD open success
    18:25:33:765 6036 UtilityInit: Initialize success
    18:25:33:765 6036
    18:25:33:765 6036 Scanning Services ...
    18:25:33:765 6036 CreateRegParser: Registry parser init started
    18:25:33:765 6036 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    18:25:33:765 6036 CreateRegParser: DisableWow64Redirection error
    18:25:33:765 6036 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    18:25:33:765 6036 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    18:25:33:765 6036 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:25:33:765 6036 wfopen_ex: Trying to KLMD file open
    18:25:33:765 6036 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    18:25:33:765 6036 wfopen_ex: File opened ok (Flags 2)
    18:25:33:765 6036 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3D4910
    18:25:33:765 6036 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    18:25:33:765 6036 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    18:25:33:765 6036 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    18:25:33:765 6036 wfopen_ex: Trying to KLMD file open
    18:25:33:765 6036 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    18:25:33:765 6036 wfopen_ex: File opened ok (Flags 2)
    18:25:33:765 6036 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3D49B8
    18:25:33:765 6036 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    18:25:33:765 6036 CreateRegParser: EnableWow64Redirection error
    18:25:33:765 6036 CreateRegParser: RegParser init completed
    18:25:34:390 6036 GetAdvancedServicesInfo: Raw services enum returned 329 services
    18:25:34:390 6036 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    18:25:34:390 6036 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    18:25:34:390 6036
    18:25:34:390 6036 Scanning Kernel memory ...
    18:25:34:390 6036 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    18:25:34:390 6036 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87399A08
    18:25:34:390 6036 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
    18:25:34:390 6036
    18:25:34:390 6036 DetectCureTDL3: DEVICE_OBJECT: 87395C68
    18:25:34:390 6036 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87395C68
    18:25:34:390 6036 KLMD_ReadMem: Trying to ReadMemory 0x87395C68[0x38]
    18:25:34:390 6036 DetectCureTDL3: DRIVER_OBJECT: 87399A08
    18:25:34:390 6036 KLMD_ReadMem: Trying to ReadMemory 0x87399A08[0xA8]
    18:25:34:390 6036 KLMD_ReadMem: Trying to ReadMemory 0xE1016108[0x18]
    18:25:34:390 6036 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (0) addr: F7867BB0
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (2) addr: F7867BB0
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (3) addr: F7861D1F
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (4) addr: F7861D1F
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (5) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (6) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (7) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (8) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (9) addr: F78622E2
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (10) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (11) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (12) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (13) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (14) addr: F78623BB
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (15) addr: F7865F28
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (16) addr: F78622E2
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (17) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (18) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (19) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (20) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (21) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (22) addr: F7863C82
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (23) addr: F786899E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (24) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (25) addr: 804FA87E
    18:25:34:390 6036 DetectCureTDL3: IrpHandler (26) addr: 804FA87E
    18:25:34:390 6036 TDL3_FileDetect: Processing driver: Disk
    18:25:34:390 6036 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    18:25:34:390 6036 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    18:25:34:453 6036 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    18:25:34:453 6036
    18:25:34:453 6036 DetectCureTDL3: DEVICE_OBJECT: 873C9AB8
    18:25:34:453 6036 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873C9AB8
    18:25:34:453 6036 DetectCureTDL3: DEVICE_OBJECT: 873D0D98
    18:25:34:453 6036 KLMD_GetLowerDeviceObject: Trying to get lower device object for 873D0D98
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0x873D0D98[0x38]
    18:25:34:453 6036 DetectCureTDL3: DRIVER_OBJECT: 86FFFF38
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0x86FFFF38[0xA8]
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0x87391030[0x38]
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0x873D1788[0xA8]
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0xE101DED8[0x1A]
    18:25:34:453 6036 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (0) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (1) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (2) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (3) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (4) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (5) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (6) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (7) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (8) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (9) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (10) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (11) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (12) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (13) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (14) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (15) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (16) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (17) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (18) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (19) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (20) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (21) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (22) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (23) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (24) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (25) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: IrpHandler (26) addr: 8734E50C
    18:25:34:453 6036 DetectCureTDL3: All IRP handlers pointed to one addr: 8734E50C
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0x8734E50C[0x400]
    18:25:34:453 6036 TDL3_IrpHookDetect: CheckParameters: 7, FFDF0308, 457, 99, 3, 88
    18:25:34:453 6036 Driver "atapi" Irp handler infected by TDSS rootkit ... 18:25:34:453 6036 KLMD_WriteMem: Trying to WriteMemory 0x8734E56F[0xD]
    18:25:34:453 6036 cured
    18:25:34:453 6036 KLMD_ReadMem: Trying to ReadMemory 0xF776B864[0x400]
    18:25:34:453 6036 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    18:25:34:453 6036 TDL3_FileDetect: Processing driver: atapi
    18:25:34:453 6036 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:25:34:453 6036 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:25:34:484 6036 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
    18:25:34:484 6036 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 18:25:34:484 6036 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    18:25:34:484 6036 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    18:25:34:578 6036 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
    18:25:34:687 6036 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
    18:25:34:734 6036 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
    18:25:34:750 6036 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
    18:25:34:796 6036 CabinetCallback: File extracted successfully: C:\DOCUME~1\LiNdSaY\LOCALS~1\Temp\bck4B3.tmp
    18:25:34:796 6036 ValidateDriverFile: Stage 1 passed
    18:25:34:796 6036 ValidateDriverFile: Stage 2 passed
    18:25:34:953 6036 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
    18:25:37:109 6036 DigitalSignVerifyByHandle: Cat DS result: 00000000
    18:25:37:109 6036 ValidateDriverFile: Stage 3 passed
    18:25:37:109 6036 CabinetCallback: File validated successfully, restore information prepared
    18:25:37:109 6036 FindDriverFileBackup: Backup copy found in cab-file
    18:25:37:109 6036 TDL3_FileCure: Backup copy found, using it..
    18:25:37:109 6036 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk4B4.tmp
    18:25:37:171 6036 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk4B4.tmp, system32\drivers\atapi.sys)
    18:25:37:171 6036 TDL3_FileCure: KLMD jobs schedule success
    18:25:37:171 6036 will be cured on next reboot
    18:25:37:171 6036 UtilityBootReinit: Reboot required for cure complete..
    18:25:37:171 6036 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
    18:25:37:171 6036 UtilityBootReinit: KLMD drop success
    18:25:37:171 6036 KLMD_ApplyPendList: Pending buffer(7762_2D6A, 608) dropped successfully
    18:25:37:171 6036 UtilityBootReinit: Cure on reboot scheduled successfully
    18:25:37:171 6036
    18:25:37:171 6036 Completed
    18:25:37:171 6036
    18:25:37:171 6036 Results:
    18:25:37:171 6036 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
    18:25:37:171 6036 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    18:25:37:171 6036 File objects infected / cured / cured on reboot: 1 / 0 / 1
    18:25:37:171 6036
    18:25:37:171 6036 UnloadDriverW: NtUnloadDriver error 1
    18:25:37:171 6036 KLMD_Unload: UnloadDriverW(klmd21) error 1
    18:25:37:171 6036 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    18:25:37:171 6036 UtilityDeinit: KLMD(ARK) unloaded successfully



    ComboFix 10-02-12.01 - LiNdSaY 02/15/2010 18:38:53.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.745 [GMT -6:00]
    Running from: c:\documents and settings\LiNdSaY\Desktop\ComboFix.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\LocalService\Cookies\qagu.scr
    c:\documents and settings\LocalService\Cookies\ybamolo.dll
    c:\program files\Common Files\mogujugiz.bat
    c:\program files\Common Files\tucelul.inf
    c:\windows\feraseze.reg
    c:\windows\qowicujas.vbs
    c:\windows\system32\2478.dll
    c:\windows\system32\36941142.dll
    c:\windows\system32\9875724.dll
    c:\windows\tyquky.inf
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
    .
    2010-02-14 20:35 . 2010-02-14 20:35 -------- d-----w- C:\rsit
    2010-02-03 16:02 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-03 16:02 . 2010-02-03 16:02 -------- d-----w- c:\program files\MWB
    2010-02-03 16:02 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 15:48 . 2010-02-03 15:48 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- C:\Graboid
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- C:\Video
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
    2010-02-03 13:18 . 2010-02-03 13:18 -------- d-----w- c:\program files\iPod
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-16 00:37 . 2008-11-29 13:08 -------- d-----w- c:\documents and settings\LiNdSaY\Application Data\DNA
    2010-02-16 00:27 . 2007-12-23 19:46 -------- d-----w- c:\documents and settings\LiNdSaY\Application Data\OpenOffice.org2
    2010-02-16 00:27 . 2008-11-29 13:08 -------- d-----w- c:\program files\DNA
    2010-02-16 00:27 . 2004-08-04 10:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-02-13 17:50 . 2008-10-15 01:24 529 ---ha-w- c:\documents and settings\LiNdSaY\hpothb07.dat
    2010-02-11 05:57 . 2008-12-20 21:55 69 ----a-w- c:\documents and settings\LiNdSaY\jagex_runescape_preferences.dat
    2010-02-11 05:42 . 2009-09-02 19:29 69 ----a-w- c:\documents and settings\LiNdSaY\jagex_runescape_preferences2.dat
    2010-02-03 15:52 . 2009-09-29 19:24 -------- d-----w- c:\program files\anti anti
    2010-02-03 13:54 . 2009-04-18 06:48 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-03 13:46 . 2007-12-18 04:45 -------- d-----w- c:\program files\Lavasoft
    2010-02-03 13:43 . 2009-12-29 00:29 54 ----a-w- c:\windows\system32\rp_stats.dat
    2010-02-03 13:43 . 2009-12-29 00:29 39 ----a-w- c:\windows\system32\rp_rules.dat
    2010-02-03 13:19 . 2010-02-03 13:19 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
    2010-02-03 13:18 . 2008-02-03 05:47 -------- d-----w- c:\program files\Google
    2010-02-03 13:18 . 2009-04-18 06:50 -------- d-----w- c:\program files\iTunes
    2010-01-02 19:06 . 2008-10-15 01:24 397 ---ha-w- C:\hpothb07.dat
    2010-01-02 18:51 . 2010-01-02 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-02 18:51 . 2010-01-02 18:51 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2009-12-28 23:06 . 2009-12-28 23:06 -------- d-----w- c:\program files\Alwil Software
    2009-11-30 23:18 . 2009-11-30 23:18 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2009-11-28 00:50 . 2009-02-11 18:25 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2009-11-18 12:34 . 2008-01-07 23:32 19776 ----a-w- c:\documents and settings\LiNdSaY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-18 02:19 . 2009-11-18 02:19 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2009-11-18 02:19 . 2009-11-18 02:19 93360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
    2009-11-18 02:19 . 2009-11-18 02:19 554280 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
    2009-11-18 02:19 . 2009-11-18 03:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2009-11-18 02:19 . 2009-11-18 02:19 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
    2009-11-18 02:18 . 2009-11-18 02:18 212480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\VipreBridge.dll
    2009-11-18 02:18 . 2009-11-18 02:18 283944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Vipre.dll
    2009-11-18 02:18 . 2009-11-18 02:18 1223976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
    2009-11-18 02:18 . 2009-11-18 02:18 242984 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
    2009-11-18 02:17 . 2009-11-18 02:17 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
    2009-10-25 20:33 . 2009-10-25 20:33 16096 ----a-w- c:\program files\Common Files\odeliwuga.bin
    2009-10-25 20:33 . 2009-10-25 20:33 11217 ----a-w- c:\program files\Common Files\telumuc.pif
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "StandardKeyboard"="KBDaemonA.exe" [2004-11-26 57344]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 7323648]
    "nwiz"="nwiz.exe" [2006-07-25 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-01 196608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\anti anti\stopzilla.exe.exe" [2009-09-10 1312080]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-2-11 118784]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\nexuiz-24\\Nexuiz\\nexuiz.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Documents and Settings\\LiNdSaY\\Application Data\\GarageGames\\IAPlayer\\products\\www_instantaction_com\\6000\\install\\cyclomite.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26276:TCP"= 26276:TCP:*:Disabled:SolidNetworkManager
    "26276:UDP"= 26276:UDP:*:Disabled:SolidNetworkManager
    "1340:TCP"= 1340:TCP:*:Disabled:SolidNetworkManager
    "1340:UDP"= 1340:UDP:*:Disabled:SolidNetworkManager
    "3883:UDP"= 3883:UDP:Windows Media Format SDK (wmplayer.exe)
    "3882:UDP"= 3882:UDP:Windows Media Format SDK (wmplayer.exe)
    "3885:UDP"= 3885:UDP:Windows Media Format SDK (wmplayer.exe)
    R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 1:11 PM 24064]
    R3 KBNTXP;Standard PS/2 Multi-Keyboard Filter Driver for WinXp;c:\windows\system32\drivers\KBNTXP.sys [12/17/2007 9:30 PM 7296]
    R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 1:11 PM 17664]
    S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [10/11/2008 9:55 AM 44256]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 XDva032;XDva032;\??\c:\windows\system32\XDva032.sys --> c:\windows\system32\XDva032.sys [?]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - KLMDB
    *Deregistered* - klmdb
    .
    Contents of the 'Scheduled Tasks' folder
    2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.webcrawler.com/
    uInternet Settings,ProxyOverride = *.local
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
    AddRemove-Launcher - c:\program files\Outspark\Launcher\uninstall.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 18:43
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2010-02-15 18:45:49
    ComboFix-quarantined-files.txt 2010-02-16 00:45
    Pre-Run: 105,235,103,744 bytes free
    Post-Run: 107,138,363,392 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    - - End Of File - - 5851182732AC2C082C7B85AB84E4E3C3




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:54:24 PM, on 2/15/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\KBDaemonA.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231368707796
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
    O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    --
    End of file - 6171 bytes
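Reading a TDSSKiller log like the one above by hand means scanning dozens of IrpHandler lines to spot the one driver whose whole dispatch table collapsed to a single address, then hunting for the verdict and results lines further down. The following is an added example, not code from this thread and not part of Kaspersky's TDSSKiller: a small parser for lines in the tool's "HH:MM:SS:ms PID message" format that groups the IrpHandler entries per driver, flags a driver whose handlers all point to one address (the symptom the tool itself logs before it runs its deeper parameter check), collects file verdicts, and pulls the final counters so a helper can see at a glance whether a cure is still pending a reboot. The sample lines are constructed in the same format (constructed values, not the poster's machine).

```python
"""Summarise a TDSSKiller (TDL3) log: per-driver IRP handler tables, file
verdicts and the final Results counters.

Added example; not code from the forum thread or from TDSSKiller itself.
SAMPLE_LOG is a constructed excerpt in the tool's "HH:MM:SS:ms PID message"
line format.
"""
import re

# Constructed sample lines (same layout as a real TDSSKiller log).
SAMPLE_LOG = """\
18:25:34:390 6036 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
18:25:34:390 6036 DetectCureTDL3: IrpHandler (0) addr: F7867BB0
18:25:34:390 6036 DetectCureTDL3: IrpHandler (1) addr: 804FA87E
18:25:34:390 6036 DetectCureTDL3: IrpHandler (2) addr: F7867BB0
18:25:34:453 6036 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
18:25:34:453 6036 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
18:25:34:453 6036 DetectCureTDL3: IrpHandler (0) addr: 8734E50C
18:25:34:453 6036 DetectCureTDL3: IrpHandler (1) addr: 8734E50C
18:25:34:453 6036 DetectCureTDL3: IrpHandler (2) addr: 8734E50C
18:25:34:453 6036 DetectCureTDL3: All IRP handlers pointed to one addr: 8734E50C
18:25:34:484 6036 TDL3_FileDetect: C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected
18:25:37:171 6036 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:25:37:171 6036 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:25:37:171 6036 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every log line starts with a timestamp and the tool's process id.
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d:\d{3})\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (?P<obj>[^,]+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<idx>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
RESULT_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


def parse_tdsskiller(text):
    """Return {'drivers': {name: {...}}, 'results': {kind: (infected, cured, reboot)}}."""
    drivers, results, current = {}, {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())  # pasted logs often carry leading spaces
        if not m:
            continue
        msg = m.group("msg")
        d = DRIVER_RE.search(msg)
        if d:  # a new DRIVER_OBJECT section; handler lines that follow belong to it
            current = d.group("name")
            drivers[current] = {"object": d.group("obj"), "handlers": [], "file": None, "verdict": None}
            continue
        h = IRP_RE.search(msg)
        if h and current:
            drivers[current]["handlers"].append(h.group("addr").upper())
            continue
        v = VERDICT_RE.search(msg)
        if v and current:
            drivers[current]["file"] = v.group("path")
            drivers[current]["verdict"] = v.group("verdict")
            continue
        r = RESULT_RE.search(msg)
        if r:
            results[r.group("kind")] = (int(r.group("inf")), int(r.group("cured")), int(r.group("reboot")))
    return {"drivers": drivers, "results": results}


def hooked_drivers(parsed):
    """Drivers whose entire IRP dispatch table points at one address.

    TDSSKiller logs this as 'All IRP handlers pointed to one addr' and then
    runs a parameter check; treat it as a trigger for review, not as proof.
    """
    flagged = []
    for name, info in parsed["drivers"].items():
        addrs = set(info["handlers"])
        if len(info["handlers"]) >= 2 and len(addrs) == 1:
            flagged.append((name, addrs.pop()))
    return flagged


def infected_files(parsed):
    """Paths of driver files the tool marked 'Infected'."""
    return [i["file"] for i in parsed["drivers"].values() if i["verdict"] == "Infected"]


def needs_reboot(parsed):
    """True when any object is scheduled to be cured on the next reboot."""
    return any(counts[2] > 0 for counts in parsed["results"].values())


if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    for name, addr in hooked_drivers(parsed):
        print(f"dispatch table of '{name}' collapsed to {addr}")
    for path in infected_files(parsed):
        print(f"infected file: {path}")
    print("reboot still required" if needs_reboot(parsed) else "no reboot pending")
```

To use it on a real log, pass the saved tdsskiller.txt contents to `parse_tdsskiller` instead of `SAMPLE_LOG`; on the log posted above the parser would report atapi as the driver with a collapsed dispatch table, atapi.sys as the infected file, and a pending reboot from the "File objects ... 1 / 0 / 1" line.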
     
  12. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    Ok, after I made the last post I went onto Myspace. While on that site my Internet Explorer froze and I got the hourglass and the screen would not minimize. I had a feeling a bot was downloading some BS onto my machine so I immediately hit ctrl+alt+del. About that time some fake virus scanner window popped up, and sure enough a new unfamiliar task manager process was running, but before I could disable it I got an error message that said the current program (task manager) was infected and task manager closed. I did this over and over but task manager would error and close before I could do anything. So I turned my computer off. I rebooted and no matter what URL I put into Internet Explorer, I got the standard "check your internet connection" screen; the internet was not working at all. So I ran ComboFix again and afterward Internet Explorer works again. I will not be on the net again until I hear back from you.

    Here is the new combofix log. I'm sorry if this fiasco makes your job harder.

    ComboFix 10-02-12.01 - LiNdSaY 02/15/2010 20:55:25.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.742 [GMT -6:00]
    Running from: c:\documents and settings\LiNdSaY\Desktop\ComboFix.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\LiNdSaY\Local Settings\Application Data\nglkog
    c:\documents and settings\LiNdSaY\Local Settings\Application Data\nglkog\fclssftav.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-01-16 to 2010-02-16 )))))))))))))))))))))))))))))))
    .
    2010-02-14 20:35 . 2010-02-14 20:35 -------- d-----w- C:\rsit
    2010-02-03 16:02 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-02-03 16:02 . 2010-02-03 16:02 -------- d-----w- c:\program files\MWB
    2010-02-03 16:02 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-02-03 15:48 . 2010-02-03 15:48 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- C:\Graboid
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- C:\Video
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\CyberLink
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-02-03 13:20 . 2010-02-03 13:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
    2010-02-03 13:18 . 2010-02-03 13:18 -------- d-----w- c:\program files\iPod
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-02-16 03:00 . 2008-11-29 13:08 -------- d-----w- c:\documents and settings\LiNdSaY\Application Data\DNA
    2010-02-16 02:50 . 2007-12-23 19:46 -------- d-----w- c:\documents and settings\LiNdSaY\Application Data\OpenOffice.org2
    2010-02-16 02:50 . 2008-11-29 13:08 -------- d-----w- c:\program files\DNA
    2010-02-16 01:37 . 2009-09-02 19:29 69 ----a-w- c:\documents and settings\LiNdSaY\jagex_runescape_preferences2.dat
    2010-02-16 01:36 . 2008-12-20 21:55 69 ----a-w- c:\documents and settings\LiNdSaY\jagex_runescape_preferences.dat
    2010-02-16 00:27 . 2004-08-04 10:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
    2010-02-13 17:50 . 2008-10-15 01:24 529 ---ha-w- c:\documents and settings\LiNdSaY\hpothb07.dat
    2010-02-03 15:52 . 2009-09-29 19:24 -------- d-----w- c:\program files\anti anti
    2010-02-03 13:54 . 2009-04-18 06:48 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-03 13:46 . 2007-12-18 04:45 -------- d-----w- c:\program files\Lavasoft
    2010-02-03 13:43 . 2009-12-29 00:29 54 ----a-w- c:\windows\system32\rp_stats.dat
    2010-02-03 13:43 . 2009-12-29 00:29 39 ----a-w- c:\windows\system32\rp_rules.dat
    2010-02-03 13:19 . 2010-02-03 13:19 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
    2010-02-03 13:18 . 2008-02-03 05:47 -------- d-----w- c:\program files\Google
    2010-02-03 13:18 . 2009-04-18 06:50 -------- d-----w- c:\program files\iTunes
    2010-01-02 19:06 . 2008-10-15 01:24 397 ---ha-w- C:\hpothb07.dat
    2010-01-02 18:51 . 2010-01-02 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-01-02 18:51 . 2010-01-02 18:51 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2009-12-28 23:06 . 2009-12-28 23:06 -------- d-----w- c:\program files\Alwil Software
    2009-11-30 23:18 . 2009-11-30 23:18 4526 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2009-11-28 00:50 . 2009-02-11 18:25 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    2009-11-18 12:34 . 2008-01-07 23:32 19776 ----a-w- c:\documents and settings\LiNdSaY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-10-25 20:33 . 2009-10-25 20:33 16096 ----a-w- c:\program files\Common Files\odeliwuga.bin
    2009-10-25 20:33 . 2009-10-25 20:33 11217 ----a-w- c:\program files\Common Files\telumuc.pif
    .
    ((((((((((((((((((((((((((((( [email protected]_00.43.11 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-05-20 00:03 . 2010-02-11 05:41 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
    + 2009-05-20 00:03 . 2010-02-16 01:36 49152 c:\windows\.jagex_cache_32\runescape\jagmisc.dll
    + 2009-05-20 00:03 . 2010-02-16 01:36 94208 c:\windows\.jagex_cache_32\runescape\jaggl.dll
    - 2009-05-20 00:03 . 2010-02-11 05:41 94208 c:\windows\.jagex_cache_32\runescape\jaggl.dll
    + 2010-02-08 17:20 . 2010-02-16 01:36 818176 c:\windows\.jagex_cache_32\runescape\sw3d.dll
    - 2010-02-08 17:20 . 2010-02-11 05:41 818176 c:\windows\.jagex_cache_32\runescape\sw3d.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "StandardKeyboard"="KBDaemonA.exe" [2004-11-26 57344]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-25 7323648]
    "nwiz"="nwiz.exe" [2006-07-25 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-25 86016]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-01 196608]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\anti anti\stopzilla.exe.exe" [2009-09-10 1312080]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-2-11 118784]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\nexuiz-24\\Nexuiz\\nexuiz.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Documents and Settings\\LiNdSaY\\Application Data\\GarageGames\\IAPlayer\\products\\www_instantaction_com\\6000\\install\\cyclomite.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26276:TCP"= 26276:TCP:*:Disabled:SolidNetworkManager
    "26276:UDP"= 26276:UDP:*:Disabled:SolidNetworkManager
    "1340:TCP"= 1340:TCP:*:Disabled:SolidNetworkManager
    "1340:UDP"= 1340:UDP:*:Disabled:SolidNetworkManager
    "3883:UDP"= 3883:UDP:Windows Media Format SDK (wmplayer.exe)
    "3882:UDP"= 3882:UDP:Windows Media Format SDK (wmplayer.exe)
    "3885:UDP"= 3885:UDP:Windows Media Format SDK (wmplayer.exe)
    R2 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 1:11 PM 24064]
    R3 KBNTXP;Standard PS/2 Multi-Keyboard Filter Driver for WinXp;c:\windows\system32\drivers\KBNTXP.sys [12/17/2007 9:30 PM 7296]
    R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 1:11 PM 17664]
    S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [10/11/2008 9:55 AM 44256]
    S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
    S3 XDva032;XDva032;\??\c:\windows\system32\XDva032.sys --> c:\windows\system32\XDva032.sys [?]
    --- Other Services/Drivers In Memory ---
    *Deregistered* - klmd21
    .
    Contents of the 'Scheduled Tasks' folder
    2010-02-13 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.webcrawler.com/
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-etxngrqp - c:\documents and settings\LiNdSaY\Local Settings\Application Data\nglkog\fclssftav.exe
    HKLM-Run-etxngrqp - c:\documents and settings\LiNdSaY\Local Settings\Application Data\nglkog\fclssftav.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-02-15 21:02
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2010-02-15 21:05:41
    ComboFix-quarantined-files.txt 2010-02-16 03:05
    ComboFix2.txt 2010-02-16 00:45
    Pre-Run: 107,100,991,488 bytes free
    Post-Run: 107,117,510,656 bytes free
    - - End Of File - - 8FF3CC75863BC497B9FA8FFEB3A767EC
     
  13. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Hi,
    So is the P2P software being removed or not? It is not mandatory in TSG but I need to know one way or another for my fix.

    Please give me an update on how the computer is behaving. Are you still getting the DCOM errors and the redirects? Also do you choose to use Webcrawler as a home page?

    AVG is a resource hog, but without an updated antivirus on board there is no point in me continuing. Try Avira or Avast? I use Avira myself!

    Please download a free anti-virus program from one of these excellent vendors NOW:
    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
    Please note the following if you decide on Antivir Personal Edition
    2) avast! 4.8 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.

    Once the above is done please post back with a reply to my questions and a NEW HJT log.
     
  14. detheage

    detheage Thread Starter

    Joined:
    Feb 3, 2010
    Messages:
    11
    Okay, I deleted the P2P program. I also have Avast antivirus now, and yes, Webcrawler is intentionally my homepage. I am not getting the Google redirects or the DCOM crashes. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:56:13 PM, on 2/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\KBDaemonA.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [StandardKeyboard] KBDaemonA.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
    O4 - Startup: Kuma_Tray.lnk = C:\Program Files\Kuma Games\kgsystray\Kuma_tray.exe
    O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231368707796
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab
    O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.playwhat.com/solidPlugin/solidstateion.cab
    O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NkPtpEnumP2 - Nikon Corporation - C:\Program Files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    --
    End of file - 6567 bytes
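
    The HijackThis log just above and the ComboFix log in post 12 both carry the same Internet Explorer proxy entry, `ProxyServer = http=127.0.0.1:5555`. A proxy pointing at the infected machine itself hands every browser request to a local listener, a common search-redirect mechanism, and the value is still present after the ComboFix runs. The Python script below is an added example, not part of this thread and not a tool from HijackThis, ComboFix or OTM: it runs the checks a malware helper does by eye over a few constructed sample lines copied from the two posted logs (a loopback proxy, an autostart entry whose binary lives under a user profile's Application Data, a doubled extension such as stopzilla.exe.exe, and O23 services or O10 Winsock LSPs whose file is missing). The check names, the list of profile directories and the treatment of 0.0.0.0 and ::1 as local are this example's own choices.

```python
"""Triage helper for HijackThis / ComboFix text logs (added example).

Re-implements, over constructed sample lines copied from the logs posted in
this thread, the checks a malware helper does by eye:
  * Internet Explorer proxy pointed at the local machine,
  * autostart binaries living under a user profile data directory,
  * doubled executable extensions such as stopzilla.exe.exe,
  * O23 services and O10 Winsock LSPs whose binary is missing.
"""
import re

# Constructed sample: lines copied from the HijackThis log (post 14) and the
# ComboFix log (post 12). Raw string so the backslashes survive untouched.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\anti anti\stopzilla.exe.exe" /runcleanupscript
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
uInternet Settings,ProxyServer = http=127.0.0.1:5555
HKCU-Run-etxngrqp - c:\documents and settings\LiNdSaY\Local Settings\Application Data\nglkog\fclssftav.exe
"""

# Both tools print the proxy as "ProxyServer = [scheme=]host:port".
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?([^:;\s]+):(\d+)", re.I)
# Hosts that mean "this machine"; 0.0.0.0 and ::1 are this example's additions.
LOOPBACK_RE = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|0\.0\.0\.0|\[?::1\]?)$", re.I)
# First Windows path on the line, including any stacked extensions
# (".exe.exe"), but not the arguments or "(file missing)" that follow it.
PATH_RE = re.compile(
    r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|pif|scr|com|bat|cmd)(?:\.(?:exe|com|scr|pif|bat|cmd))*)",
    re.I,
)
# Per-user, user-writable directories (XP and Vista+ layouts; the list is this
# example's choice). Legitimate autostart binaries rarely live here.
PROFILE_DIR_RE = re.compile(
    r"\\(documents and settings|users)\\[^\\]+\\(local settings\\)?(application data|appdata|temp)\\",
    re.I,
)
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|scr|pif|bat|cmd)\.(exe|com|scr|pif|bat|cmd)$", re.I)
# HijackThis O4 lines and ComboFix "HKLM-Run-..." / "HKCU-Run-..." orphan lines.
AUTOSTART_RE = re.compile(r"^(O4 - |HK(LM|CU)-Run-)", re.I)


def triage(log_text):
    """Return (check, detail) tuples, one per suspicious line and check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and LOOPBACK_RE.match(m.group(1)):
            findings.append(("local_proxy", f"{m.group(1)}:{m.group(2)}"))
        pm = PATH_RE.search(line)
        path = pm.group(1) if pm else None
        if path and AUTOSTART_RE.match(line):
            if PROFILE_DIR_RE.search(path):
                findings.append(("autostart_in_profile", path))
            if DOUBLE_EXT_RE.search(path):
                findings.append(("double_extension", path))
        if line.startswith("O23 - ") and "(file missing)" in line:
            findings.append(("dead_service", path or line))
        if line.startswith("O10 - ") and "missing" in line:
            findings.append(("broken_lsp", path or line))
    return findings


if __name__ == "__main__":
    for check, detail in triage(SAMPLE_LOG):
        print(f"[{check:>20}] {detail}")
```

    Run it as-is to see the findings for the sample, or pass the text of a saved HijackThis or ComboFix log to `triage()`. One caveat when reading the proxy finding: HijackThis reports the ProxyServer string whether or not the proxy is actually enabled, so check the ProxyEnable value as well before deciding the setting is live; either way a leftover loopback proxy is worth clearing, because once the listener is gone it leaves the browser unable to connect at all.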
     
  15. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Any problems at all?

    Download and Run OTM.exe

    Download OTM.exe by Old Timer and save it to your Desktop.
    • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
    • Copy the lines in the codebox below.
    Code:
    :Files
    c:\program files\anti anti
    c:\program files\Common Files\odeliwuga.bin
    c:\program files\Common Files\telumuc.pif
    
    :Commands
    
    [EmptyTemp]
    [Reboot]
    
    
    • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTM.exe

    Please reply with:-
    • OTM log
    • New HJT log
     
Short URL to this thread: https://techguy.org/900006
