
DCOM server process launch error & hijacked searches

Discussion in 'Virus & Other Malware Removal' started by rhd297, Jan 28, 2010.

  1. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Hi! A couple of days ago I started to get the DCOM server process launch error, which seems to pop up randomly, never when I've just turned on the computer. I also guess my searches are hijacked; they only go to the appropriate website when I open them in a new tab or window. Here is my HJT logfile, thanks so much in advance! My operating system is Windows XP and I'm on an Inspiron mini.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 3:57:24 PM, on 1/28/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\OA012Mon.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\WSED\WSED.exe
    C:\Program Files\Battery Meter\BTMeter.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\CapsLKNotify\CapsLKNotify.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Documents and Settings\Reilly\My Documents\RCA Detective\RCADetective.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Documents and Settings\Reilly\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Documents and Settings\Reilly\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Reilly\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.live.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USCON/1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/USCON/1
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [OA012Mon] C:\WINDOWS\OA012Mon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [WSED] C:\Program Files\WSED\WSED.exe
    O4 - HKLM\..\Run: [BTMeter] C:\Program Files\Battery Meter\BTMeter.exe
    O4 - HKLM\..\Run: [CapsLKNotify] C:\Program Files\CapsLKNotify\CapsLKNotify.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "c:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Reilly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: RCA Detective.lnk = C:\Documents and Settings\Reilly\My Documents\RCA Detective\RCADetective.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 8978 bytes
     
  2. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
  3. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
  4. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Also, after the computer restarts from the DCOM termination, I get a "generic host process for win32 services error".
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
  6. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Thanks - so far I have tried that program twice and I get this log:

    02:14:13:125 0368 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    02:14:13:125 0368 ================================================================================
    02:14:13:125 0368 SystemInfo:

    02:14:13:125 0368 OS Version: 5.1.2600 ServicePack: 3.0
    02:14:13:125 0368 Product type: Workstation
    02:14:13:125 0368 ComputerName: MOLLY
    02:14:13:125 0368 UserName: Reilly
    02:14:13:125 0368 Windows directory: C:\WINDOWS
    02:14:13:125 0368 Processor architecture: Intel x86
    02:14:13:125 0368 Number of processors: 2
    02:14:13:125 0368 Page size: 0x1000
    02:14:13:125 0368 Boot type: Normal boot
    02:14:13:125 0368 ================================================================================
    02:14:13:328 0368 UnloadDriverW: NtUnloadDriver error 2
    02:14:13:328 0368 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    02:14:13:328 0368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    02:14:14:125 0368 UtilityInit: KLMD drop and load success
    02:14:14:125 0368 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    02:14:14:125 0368 UtilityInit: KLMD open success
    02:14:14:125 0368 UtilityInit: Initialize success
    02:14:14:125 0368
    02:14:14:125 0368 Scanning Services ...
    02:14:14:125 0368 CreateRegParser: Registry parser init started
    02:14:14:125 0368 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    02:14:14:125 0368 CreateRegParser: DisableWow64Redirection error
    02:14:14:125 0368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    02:14:14:140 0368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    02:14:14:140 0368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    02:14:14:140 0368 wfopen_ex: Trying to KLMD file open
    02:14:14:140 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    02:14:14:140 0368 wfopen_ex: File opened ok (Flags 2)
    02:14:14:140 0368 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264BA0
    02:14:14:140 0368 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    02:14:14:140 0368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    02:14:14:140 0368 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    02:14:14:140 0368 wfopen_ex: Trying to KLMD file open
    02:14:14:140 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    02:14:14:140 0368 wfopen_ex: File opened ok (Flags 2)
    02:14:14:140 0368 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 264C48
    02:14:14:140 0368 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    02:14:14:140 0368 CreateRegParser: EnableWow64Redirection error
    02:14:14:140 0368 CreateRegParser: RegParser init completed
    02:14:14:750 0368 GetAdvancedServicesInfo: Raw services enum returned 363 services
    02:14:14:765 0368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    02:14:14:765 0368 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    02:14:14:765 0368
    02:14:14:765 0368 Scanning Kernel memory ...
    02:14:14:765 0368 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    02:14:14:765 0368 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 86F59CA0
    02:14:14:765 0368 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
    02:14:14:765 0368
    02:14:14:765 0368 DetectCureTDL3: DEVICE_OBJECT: 86F14C68
    02:14:14:765 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F14C68
    02:14:14:781 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F14C68[0x38]
    02:14:14:781 0368 DetectCureTDL3: DRIVER_OBJECT: 86F59CA0
    02:14:14:781 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F59CA0[0xA8]
    02:14:14:781 0368 KLMD_ReadMem: Trying to ReadMemory 0xE10092E8[0x18]
    02:14:14:781 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (0) addr: F75C3BB0
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (2) addr: F75C3BB0
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (3) addr: F75BDD1F
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (4) addr: F75BDD1F
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (9) addr: F75BE2E2
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (14) addr: F75BE3BB
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (15) addr: F75C1F28
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (16) addr: F75BE2E2
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (22) addr: F75BFC82
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (23) addr: F75C499E
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    02:14:14:781 0368 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    02:14:14:781 0368 TDL3_FileDetect: Processing driver: Disk
    02:14:14:781 0368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:781 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:796 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    02:14:14:796 0368
    02:14:14:796 0368 DetectCureTDL3: DEVICE_OBJECT: 86EA4C68
    02:14:14:796 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86EA4C68
    02:14:14:796 0368 KLMD_ReadMem: Trying to ReadMemory 0x86EA4C68[0x38]
    02:14:14:796 0368 DetectCureTDL3: DRIVER_OBJECT: 86F59CA0
    02:14:14:796 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F59CA0[0xA8]
    02:14:14:796 0368 KLMD_ReadMem: Trying to ReadMemory 0xE10092E8[0x18]
    02:14:14:796 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (0) addr: F75C3BB0
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (2) addr: F75C3BB0
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (3) addr: F75BDD1F
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (4) addr: F75BDD1F
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (9) addr: F75BE2E2
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (14) addr: F75BE3BB
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (15) addr: F75C1F28
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (16) addr: F75BE2E2
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (22) addr: F75BFC82
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (23) addr: F75C499E
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    02:14:14:796 0368 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    02:14:14:796 0368 TDL3_FileDetect: Processing driver: Disk
    02:14:14:796 0368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:796 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:812 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    02:14:14:812 0368
    02:14:14:812 0368 DetectCureTDL3: DEVICE_OBJECT: 86F5E9F0
    02:14:14:812 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F5E9F0
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F5E9F0[0x38]
    02:14:14:812 0368 DetectCureTDL3: DRIVER_OBJECT: 86F59CA0
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F59CA0[0xA8]
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0xE10092E8[0x18]
    02:14:14:812 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (0) addr: F75C3BB0
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (2) addr: F75C3BB0
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (3) addr: F75BDD1F
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (4) addr: F75BDD1F
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (9) addr: F75BE2E2
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (14) addr: F75BE3BB
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (15) addr: F75C1F28
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (16) addr: F75BE2E2
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (22) addr: F75BFC82
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (23) addr: F75C499E
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    02:14:14:812 0368 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    02:14:14:812 0368 TDL3_FileDetect: Processing driver: Disk
    02:14:14:812 0368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:812 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    02:14:14:812 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    02:14:14:812 0368
    02:14:14:812 0368 DetectCureTDL3: DEVICE_OBJECT: 86F61AB8
    02:14:14:812 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F61AB8
    02:14:14:812 0368 DetectCureTDL3: DEVICE_OBJECT: 86F629E8
    02:14:14:812 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F629E8
    02:14:14:812 0368 DetectCureTDL3: DEVICE_OBJECT: 86F5A940
    02:14:14:812 0368 KLMD_GetLowerDeviceObject: Trying to get lower device object for 86F5A940
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F5A940[0x38]
    02:14:14:812 0368 DetectCureTDL3: DRIVER_OBJECT: 86F7B710
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F7B710[0xA8]
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86FD4030[0x38]
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0x86F632A8[0xA8]
    02:14:14:812 0368 KLMD_ReadMem: Trying to ReadMemory 0xE18A0938[0x1A]
    02:14:14:812 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (0) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (1) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (2) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (3) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (4) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (5) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (6) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (7) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (8) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (9) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (10) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (11) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (12) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (13) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (14) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (15) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (16) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (17) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (18) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (19) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (20) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (21) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (22) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (23) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (24) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (25) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: IrpHandler (26) addr: 86EA9856
    02:14:14:828 0368 DetectCureTDL3: All IRP handlers pointed to one addr: 86EA9856
    02:14:14:828 0368 KLMD_ReadMem: Trying to ReadMemory 0x86EA9856[0x400]
    02:14:14:828 0368 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
    02:14:14:828 0368 Driver "atapi" Irp handler infected by TDSS rootkit ... 02:14:14:828 0368 KLMD_WriteMem: Trying to WriteMemory 0x86EA98CF[0xD]
    02:14:14:828 0368 cured
    02:14:14:828 0368 KLMD_ReadMem: Trying to ReadMemory 0x86EA9701[0x400]
    02:14:14:828 0368 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
    02:14:14:828 0368 Driver "atapi" StartIo handler infected by TDSS rootkit ... 02:14:14:828 0368 TDL3_StartIoHookCure: Number of patches 1
    02:14:14:828 0368 KLMD_WriteMem: Trying to WriteMemory 0x86EA980A[0x6]
    02:14:14:828 0368 cured
    02:14:14:828 0368 TDL3_FileDetect: Processing driver: atapi
    02:14:14:828 0368 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    02:14:14:828 0368 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    02:14:14:828 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
    02:14:14:828 0368 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 02:14:14:843 0368 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    02:14:14:843 0368 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
    02:14:14:843 0368 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
    02:14:14:953 0368 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
    02:14:14:953 0368 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
    02:14:15:171 0368 CabinetCallback: File extracted successfully: C:\DOCUME~1\Reilly\LOCALS~1\Temp\bckD2.tmp
    02:14:15:171 0368 ValidateDriverFile: Stage 1 passed
    02:14:15:171 0368 ValidateDriverFile: Stage 2 passed
    02:14:15:312 0368 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
    02:14:16:828 0368 DigitalSignVerifyByHandle: Cat DS result: 00000000
    02:14:16:828 0368 ValidateDriverFile: Stage 3 passed
    02:14:16:828 0368 CabinetCallback: File validated successfully, restore information prepared
    02:14:16:828 0368 FindDriverFileBackup: Backup copy found in cab-file
    02:14:16:828 0368 TDL3_FileCure: Backup copy found, using it..
    02:14:16:828 0368 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tskD3.tmp
    02:14:16:890 0368 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskD3.tmp, system32\drivers\atapi.sys)
    02:14:16:890 0368 TDL3_FileCure: KLMD jobs schedule success
    02:14:16:890 0368 will be cured on next reboot
    02:14:16:890 0368 UtilityBootReinit: Reboot required for cure complete..
    02:14:16:953 0368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
    02:14:17:375 0368 UtilityBootReinit: KLMD drop success
    02:14:17:375 0368 KLMD_ApplyPendList: Pending buffer(319A_6832, 608) dropped successfully
    02:14:17:375 0368 UtilityBootReinit: Cure on reboot scheduled successfully
    02:14:17:375 0368
    02:14:17:375 0368 Completed
    02:14:17:375 0368
    02:14:17:390 0368 Results:
    02:14:17:390 0368 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
    02:14:17:390 0368 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    02:14:17:390 0368 File objects infected / cured / cured on reboot: 1 / 0 / 1

    02:14:17:390 0368
    02:14:17:390 0368 UnloadDriverW: NtUnloadDriver error 1
    02:14:17:390 0368 KLMD_Unload: UnloadDriverW(klmd21) error 1
    02:14:17:390 0368 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    02:14:17:406 0368 UtilityDeinit: KLMD(ARK) unloaded successfully

    When I do the re-boot for the file objects infected, I get a blue screen error ("IRQL not less or equal"), have to restart, and then I get another error where I have to restart to the last known good configuration, otherwise the computer won't start up at all. Once I've done that, the log is the same.
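    The detection that the TDSSKiller log above reports for atapi ("All IRP handlers pointed to one addr") can be re-run over the log text itself. The following is an added example, not code from the thread or from TDSSKiller: it parses log lines in the same format (constructed sample, abbreviated to three handler slots per driver instead of the real 27) and flags any driver whose IRP dispatch table collapses to a single address, which is my assumption of what distinguishes a hooked table from a clean one in this log (clean drivers show at least two addresses: the kernel's invalid-request stub plus the driver's own handlers).

```python
"""Single-address IRP hook heuristic over TDSSKiller-style log lines."""
import re

# Constructed sample in the format of the log quoted in the thread:
# "<hh:mm:ss:ms> <thread id> <component>: <message>".
SAMPLE_LOG = r"""
02:14:14:765 0368 Scanning Kernel memory ...
02:14:14:781 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
02:14:14:781 0368 DetectCureTDL3: IrpHandler (0) addr: F75C3BB0
02:14:14:781 0368 DetectCureTDL3: IrpHandler (1) addr: 804F4562
02:14:14:781 0368 DetectCureTDL3: IrpHandler (2) addr: F75C3BB0
02:14:14:781 0368 TDL3_FileDetect: Processing driver: Disk
02:14:14:796 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
02:14:14:812 0368 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
02:14:14:828 0368 DetectCureTDL3: IrpHandler (0) addr: 86EA9856
02:14:14:828 0368 DetectCureTDL3: IrpHandler (1) addr: 86EA9856
02:14:14:828 0368 DetectCureTDL3: IrpHandler (2) addr: 86EA9856
02:14:14:828 0368 TDL3_FileDetect: Processing driver: atapi
02:14:14:828 0368 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<tid>[0-9A-Fa-f]{4})\s+(?P<msg>.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (?P<obj>[^,]+), Driver Name: (?P<name>\S+)")
IRP_RE = re.compile(r"IrpHandler \((?P<slot>\d+)\) addr: (?P<addr>[0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")


def parse_log(text):
    """Return (tables, verdicts).

    tables   -- list of (driver_name, {slot: handler_address}) in scan order;
                a driver scanned several times (one per device object) gets
                one table per occurrence, as in the real log.
    verdicts -- {driver_file_path: verdict string}
    """
    tables, verdicts, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        msg = m.group("msg")
        d = DRIVER_RE.search(msg)
        if d:  # a new DRIVER_OBJECT starts a fresh handler table
            current = {}
            tables.append((d.group("name"), current))
            continue
        h = IRP_RE.search(msg)
        if h and current is not None:
            current[int(h.group("slot"))] = int(h.group("addr"), 16)
            continue
        v = VERDICT_RE.search(msg)
        if v:
            verdicts[v.group("path")] = v.group("verdict")
    return tables, verdicts


def hooked_drivers(tables):
    """Flag tables whose handlers all resolve to one address.

    Assumption (mine, not the tool's): a clean driver always exposes at least
    two distinct addresses, so a single-address table means every major
    function was redirected to the same trampoline, as TDL3 does to atapi.
    Returns {driver_name: shared_address}.
    """
    findings = {}
    for name, handlers in tables:
        distinct = set(handlers.values())
        if handlers and len(distinct) == 1:
            findings[name] = distinct.pop()
    return findings


if __name__ == "__main__":
    tables, verdicts = parse_log(SAMPLE_LOG)
    for name, addr in hooked_drivers(tables).items():
        print("driver %s: all IRP handlers -> %08X (hooked)" % (name, addr))
    for path, verdict in verdicts.items():
        print("%s: %s" % (path, verdict))
```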
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    It must be a new version that this can't deal with yet.

    It looks like something is stopping it writing to the registry, so that is why you need to use last good on reboot.

    See if this works.

    Delete any existing version of ComboFix you have sitting on your desktop
    Please read and follow all these instructions very carefully

    Download ComboFix from Here to your Desktop.

    **Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
    --------------------------------------------------------------------
    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results" or stop combofix running at all.
    • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
    • Remember to re-enable the protection again after combofix has finished.
    --------------------------------------------------------------------
    2. Close any open browsers and any other programs you might have running
    Double click on combofix.exe & follow the prompts.
    If you are using Windows XP, it might display a pop up saying that "Recovery console is not installed, do you want to install?"
    Please select yes & let it download the files it needs to do this
    When finished, it will produce a report for you.
    Please post the "C:\ComboFix.txt" for further review


    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

    Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  8. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Thanks, here is the combofix log:

    ComboFix 10-01-29.09 - Reilly 01/30/2010 14:58:01.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.499 [GMT -5:00]
    Running from: c:\documents and settings\Reilly\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
    c:\documents and settings\Reilly\Application Data\install.dat
    c:\windows\system32\config\system~1\applic~1\install.dat
    c:\windows\system32\config\systemprofile\Application Data\install.dat

    Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-30 )))))))))))))))))))))))))))))))
    .

    2010-01-30 01:52 . 2010-01-30 07:14 31752 ----a-w- c:\windows\system32\drivers\klmdb.sys
    2010-01-29 21:48 . 2010-01-28 22:07 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-01-29 21:48 . 2010-01-28 22:07 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-01-28 22:08 . 2010-01-28 22:08 -------- d-----w- C:\$AVG
    2010-01-28 22:08 . 2010-01-28 22:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-01-28 22:08 . 2010-01-28 22:08 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-01-28 22:08 . 2010-01-28 22:08 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-01-28 22:08 . 2010-01-28 22:08 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-01-28 22:07 . 2010-01-30 18:47 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-01-28 22:07 . 2010-01-28 22:07 -------- d-----w- c:\program files\AVG
    2010-01-28 22:07 . 2010-01-28 22:07 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-01-28 20:55 . 2010-01-28 20:55 388096 ----a-r- c:\documents and settings\Reilly\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-28 20:55 . 2010-01-28 20:55 -------- d-----w- c:\program files\TrendMicro
    2010-01-27 08:04 . 2010-01-27 08:04 -------- d-----w- c:\documents and settings\Reilly\Application Data\Malwarebytes
    2010-01-27 08:04 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-27 08:04 . 2010-01-27 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-01-27 08:04 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-27 08:04 . 2010-01-27 08:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-21 07:09 . 2010-01-21 07:09 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
    2010-01-17 23:56 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-01-17 23:56 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-01-17 05:33 . 2010-01-17 05:33 -------- d-----w- c:\windows\Sun
    2010-01-13 20:52 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-01-05 01:58 . 2010-01-16 16:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-30 19:39 . 2009-12-24 22:57 34000 ----a-w- c:\documents and settings\Reilly\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-01-30 07:14 . 2010-01-30 07:14 96512 ----a-w- c:\windows\system32\drivers\tskD3.tmp
    2010-01-30 01:52 . 2010-01-30 01:52 96512 ----a-w- c:\windows\system32\drivers\tskCE.tmp
    2010-01-27 04:24 . 2008-04-14 00:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-01-21 18:12 . 2009-11-21 10:49 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-01-20 05:11 . 2009-11-21 10:40 -------- d-----w- c:\program files\Microsoft Works
    2010-01-09 08:58 . 2009-11-21 10:50 -------- d-----w- c:\program files\McAfee
    2009-12-30 17:33 . 2009-12-28 22:31 -------- d-----w- c:\documents and settings\Reilly\Application Data\vlc
    2009-12-28 22:31 . 2009-12-28 22:31 -------- d-----w- c:\documents and settings\Reilly\Application Data\dvdcss
    2009-12-28 22:28 . 2009-12-28 22:28 -------- d-----w- c:\program files\VideoLAN
    2009-12-28 19:49 . 2009-11-21 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2009-12-26 01:26 . 2009-12-26 01:26 -------- d-----w- c:\documents and settings\Reilly\Application Data\Windows Search
    2009-12-26 01:21 . 2009-12-26 01:21 -------- d-----w- c:\documents and settings\Reilly\Application Data\Smith Micro
    2009-12-26 01:19 . 2009-12-26 01:19 -------- d-----w- c:\program files\PANTECH
    2009-12-26 01:19 . 2009-12-26 01:19 -------- d-----w- c:\program files\Verizon Wireless
    2009-12-26 01:11 . 2009-11-21 10:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
    2009-12-24 23:03 . 2009-12-24 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
    2009-12-24 23:01 . 2009-12-24 23:01 -------- d-----w- c:\documents and settings\Reilly\Application Data\Creative
    2009-12-22 05:21 . 2008-04-25 20:33 667136 ----a-w- c:\windows\system32\wininet.dll
    2009-12-22 05:20 . 2008-04-25 20:33 81920 ----a-w- c:\windows\system32\ieencode.dll
    2009-11-21 15:51 . 2008-04-25 20:33 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
    2009-11-21 12:05 . 2009-11-21 12:05 77824 -c--a-w- c:\windows\setpwr32.exe
    2009-11-21 10:44 . 2009-12-24 22:57 33416 ----a-w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-11-21 10:42 . 2009-11-21 10:42 75 -csh--r- c:\windows\CT4CET.bin
    2009-11-21 10:34 . 2009-11-21 10:34 411368 -c--a-w- c:\windows\system32\deploytk.dll
    2009-11-21 10:20 . 2008-04-26 01:45 77423 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-11-04 21:54 . 2009-11-21 10:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2009-11-04 21:54 . 2009-11-21 10:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2009-11-04 21:54 . 2009-11-21 10:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2009-11-04 21:54 . 2009-11-21 10:51 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2009-11-04 21:53 . 2009-11-21 10:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\Reilly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-12-28 135664]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
    "RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
    "OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-21 149280]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
    "WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
    "BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
    "CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-28 2033432]

    c:\documents and settings\Reilly\Start Menu\Programs\Startup\
    RCA Detective.lnk - c:\documents and settings\Reilly\My Documents\RCA Detective\RCADetective.exe [2010-1-23 942592]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-01-28 22:08 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [11/21/2009 5:36 AM 14248]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/28/2010 5:08 PM 333192]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/28/2010 5:08 PM 360584]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [1/28/2010 5:07 PM 906520]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/28/2010 5:07 PM 285392]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [11/21/2009 5:41 AM 143840]
    R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [11/21/2009 7:05 AM 134144]
    R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [11/21/2009 7:05 AM 133632]
    R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [11/21/2009 7:05 AM 272256]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/21/2009 7:04 AM 162816]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/21/2009 7:04 AM 1684736]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [12/25/2009 8:19 PM 29824]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [12/25/2009 8:19 PM 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [12/25/2009 8:19 PM 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [12/25/2009 8:19 PM 59776]

    NETSVCS REQUIRES REPAIRS - current entries shown

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2236597633-3488974130-177866954-1006Core.job
    - c:\documents and settings\Reilly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-28 19:45]

    2010-01-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2236597633-3488974130-177866954-1006UA.job
    - c:\documents and settings\Reilly\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-12-28 19:45]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.dell.com
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Easy Dock - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-30 15:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(920)
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(3080)
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\progra~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\Common Files\mcafee\mna\mcnasvc.exe
    c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
    c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
    c:\program files\McAfee\MPF\MPFSrv.exe
    c:\program files\McAfee\MSK\MskSrver.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\SearchIndexer.exe
    c:\progra~1\mcafee.com\agent\mcagent.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\progra~1\mcafee.com\agent\McUpdate.exe
    .
    **************************************************************************
    .
    Completion time: 2010-01-30 15:12:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-01-30 20:12

    Pre-Run: 138,291,523,584 bytes free
    Post-Run: 138,781,552,640 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - C9ACAD444C3F38EB44E4EC7DFB76A954
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    how is it now?

    I am looking at what needs fixing on the missing keys combofix has identified

    go to start/run & type regedit press enter

    then navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

    right click the netsvc key & select export

    save the reg file & then right click that file, select open with notepad or edit & copy the contents & paste them back here please
     
  10. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    My google searches are perfect now, thanks! And no DCOM error so far.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
    "CoInitializeSecurityParam"=dword:00000001
    "AuthenticationCapabilities"=dword:00003020
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    can you now export the whole HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost key please

    that will be large so export it as a reg file & then zip it to upload here

    also download the attached services.zip to desktop

    unzip it & double click the services.bat inside to run it. It will create a log. Post that back here

    once we compare the 2, we can hopefully rebuild the key
     

  12. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Services log:

    AppMgmt
    AudioSrv
    BITS
    Browser
    CryptSvc
    Dhcp
    dmserver
    ERSvc
    EventSystem
    FastUserSwitchingCompatibility
    helpsvc
    HidServ
    hkmsvc
    LanmanServer
    lanmanworkstation
    Messenger
    napagent
    Netman
    Nla
    NtmsSvc
    RasAuto
    RasMan
    RemoteAccess
    Schedule
    seclogon
    SENS
    SharedAccess
    ShellHWDetection
    srservice
    TapiSrv
    Themes
    TrkWks
    w32time
    winmgmt
    WmdmPmSN
    wscsvc
    wuauserv
    WZCSVC
    xmlprov
     

  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    I am getting the 2 logs compared

    I can't see any differences so assume it is a false detection by combofix BUT I am asking someone else to double check for me as I might well have missed something

    please check if you can use windows updates and if you have any other problems
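    The comparison dvk01 describes in the two posts above (export the SvcHost key, run services.bat, then diff the two lists), as an added example in Python that is not part of the thread or of dvk01's tools: it pulls the netsvcs REG_MULTI_SZ value out of a Regedit 5.00 export and diffs it, case-insensitively, against the service list. The .reg text is constructed here from the services log posted above, and ExampleRogueSvc is a placeholder name, not anything from rhd297's machine.

```python
"""Compare the svchost 'netsvcs' group list (from a Regedit 5.00 .reg export
of the SvcHost key) with the services registered for that group (what the
services.bat log lists). Added example for this thread, not dvk01's tool;
the .reg text below is constructed, with one made-up entry to flag."""
import re

# The 39 names posted in the services log above (post 12).
SERVICES_LOG = [
    "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "Dhcp", "dmserver",
    "ERSvc", "EventSystem", "FastUserSwitchingCompatibility", "helpsvc",
    "HidServ", "hkmsvc", "LanmanServer", "lanmanworkstation", "Messenger",
    "napagent", "Netman", "Nla", "NtmsSvc", "RasAuto", "RasMan",
    "RemoteAccess", "Schedule", "seclogon", "SENS", "SharedAccess",
    "ShellHWDetection", "srservice", "TapiSrv", "Themes", "TrkWks",
    "w32time", "winmgmt", "WmdmPmSN", "wscsvc", "wuauserv", "WZCSVC", "xmlprov",
]

def to_reg_multi_sz(value_name, names):
    """Encode names the way Regedit writes a REG_MULTI_SZ: hex(7), UTF-16LE
    bytes, NUL between strings, double NUL at the end, lines wrapped with '\\'."""
    data = ("\x00".join(names) + "\x00\x00").encode("utf-16-le")
    parts = [f"{b:02x}" for b in data]
    lines = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
    return f'"{value_name}"=hex(7):' + ",\\\n  ".join(lines)

def parse_reg_multi_sz(reg_text, value_name):
    """Extract one REG_MULTI_SZ value from .reg text and return its strings."""
    joined = re.sub(r",\\\r?\n\s*", ",", reg_text)      # undo line wrapping
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]*)$' % re.escape(value_name)
    m = re.search(pattern, joined, re.MULTILINE)
    if not m:
        raise KeyError(f"{value_name} not found in export")
    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def compare_netsvcs(netsvcs_entries, registered_services):
    """Service names are case-insensitive; return (names listed in netsvcs
    with no registered service, registered services missing from netsvcs)."""
    listed = {n.lower(): n for n in netsvcs_entries}
    registered = {n.lower(): n for n in registered_services}
    unknown = sorted(listed[k] for k in listed.keys() - registered.keys())
    missing = sorted(registered[k] for k in registered.keys() - listed.keys())
    return unknown, missing

# Constructed export: the real list plus a placeholder name with no service
# behind it, which is what a tampered netsvcs value looks like in a diff.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]",
    to_reg_multi_sz("LocalService", ["Alerter", "WebClient", "LmHosts"]),
    to_reg_multi_sz("netsvcs", SERVICES_LOG + ["ExampleRogueSvc"]),
    "",
])

if __name__ == "__main__":
    entries = parse_reg_multi_sz(SAMPLE_REG, "netsvcs")
    unknown, missing = compare_netsvcs(entries, SERVICES_LOG)
    print("netsvcs entries:", len(entries))
    print("listed but not registered (investigate):", unknown)
    print("registered but not listed (will not load):", missing)
```

A name in the netsvcs list with no service behind it is the one to look at; a registered service that is absent from the list simply will not be started by that svchost group, which is the "rebuild the key" case.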
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    it looks like mcafee might have interfered with combofix running

    can you run combofix again please so we can double check what it is finding
     
  15. rhd297

    rhd297 Thread Starter

    Joined:
    Jan 28, 2010
    Messages:
    21
    Windows update worked fine, about to run combofix
     
Short URL to this thread: https://techguy.org/898381