
DCOM server process launcher error

Discussion in 'Virus & Other Malware Removal' started by Kwongsup, Feb 1, 2010.

  1. Kwongsup

    Kwongsup Thread Starter

    Joined:
    Feb 1, 2010
    Messages:
    4
    I have a problem where DCOM Server Process Launcher shuts down unexpectedly and restarts my computer.
    I have read other threads on this site and followed some of the directions. I downloaded SUPERAntiSpyware and also disabled auto shutdown.
    Also, I used another anti-spyware program and got rid of over 1000 spyware and malware items.

    I used combofix.exe and here are my logs:


    Start Time= Mon 02/01/2010 12:30:59.79
    QuickScan did not find any signs of infected files
    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2010-02-01 01:29:08 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
    2010-02-01 01:29:08 ( .D... ) "C:\Documents and Settings\Kim\Application Data\SUPERAntiSpyware.com"
    2010-02-01 01:27:04 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
    2010-01-20 20:32:20 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
    2010-01-09 16:31:16 ( .D... ) "C:\Program Files\Common Files\McAfee"
    2010-01-09 16:31:10 ( .D... ) "C:\Program Files\McAfee.com"
    2010-01-09 16:30:50 ( .D... ) "C:\Program Files\McAfee"
    2010-01-04 18:17:46 29634504 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
    2009-12-21 13:14:06 1208832 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
    2009-12-21 13:14:06 916480 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
    2009-12-21 13:14:04 5942784 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
    2009-12-21 13:14:04 1985536 ( A.... ) "C:\WINDOWS\system32\iertutil.dll"
    2009-12-21 13:14:04 594432 ( A.... ) "C:\WINDOWS\system32\msfeeds.dll"
    2009-12-21 13:14:04 206848 ( ..... ) "C:\WINDOWS\system32\occache.dll"
    2009-12-21 13:14:04 184320 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
    2009-12-21 13:14:04 55296 ( A.... ) "C:\WINDOWS\system32\msfeedsbs.dll"
    2009-12-21 13:14:04 25600 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
    2009-12-21 13:14:02 11070464 ( A.... ) "C:\WINDOWS\system32\ieframe.dll"
    2009-12-21 13:14:02 387584 ( ..... ) "C:\WINDOWS\system32\iedkcs32.dll"
    2009-12-21 07:19:18 173056 ( ..... ) "C:\WINDOWS\system32\ie4uinit.exe"
    2009-12-11 15:44:40 ( .D... ) "C:\Program Files\AVG"
    2009-11-21 16:51:44 94208 ( A.... ) "C:\WINDOWS\DIIUnin.exe"
    2009-11-02 20:42:06 195456 ( ..... ) "C:\WINDOWS\system32\MpSigStub.exe"

    ((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
    "IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
    "eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
    "AGRSMMSG"="AGRSMMSG.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "HonorAutoRunSetting"=dword:00000001
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.EXE "
    "item"="Adobe Reader Synchronizer"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    "path"="C:\\Documents and Settings\\Kim\\Start Menu\\Programs\\Startup\\OneNote 2007 Screen Clipper and Launcher.lnk"
    "backup"="C:\\WINDOWS\\pss\\OneNote 2007 Screen Clipper and Launcher.lnkStartup"
    "location"="Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office12\\ONENOTEM.EXE /tsr"
    "item"="OneNote 2007 Screen Clipper and Launcher"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GoogleUpdate"
    "hkey"="HKCU"
    "command"="\"C:\\Documents and Settings\\Kim\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="msmsgs"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "inimapping"="0"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TeaTimer"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
    "inimapping"="0"

    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job
    C:\WINDOWS\tasks\McDefragTask.job
    C:\WINDOWS\tasks\McQcTask.job
    Completion time: Mon 02/01/2010 12:35:03.32
    ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt
     
  2. Kwongsup

    Kwongsup Thread Starter

    Joined:
    Feb 1, 2010
    Messages:
    4
    I turned off auto shutdown, but it keeps showing the message. So I type "shutdown -a", and it works for that session only.
     
  3. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, Kwongsup :)

    Welcome.

    Please read the following through carefully so that you understand what to do:
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your Desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
    • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

      "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.
     
  4. Kwongsup

    Kwongsup Thread Starter

    Joined:
    Feb 1, 2010
    Messages:
    4
    19:34:16:764 3980 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    19:34:16:764 3980 ================================================================================
    19:34:16:764 3980 SystemInfo:
    19:34:16:764 3980 OS Version: 5.1.2600 ServicePack: 2.0
    19:34:16:764 3980 Product type: Workstation
    19:34:16:764 3980 ComputerName: KIM-2CA530838FC
    19:34:16:774 3980 UserName: Kim
    19:34:16:774 3980 Windows directory: C:\WINDOWS
    19:34:16:774 3980 Processor architecture: Intel x86
    19:34:16:774 3980 Number of processors: 1
    19:34:16:774 3980 Page size: 0x1000
    19:34:16:774 3980 Boot type: Normal boot
    19:34:16:774 3980 ================================================================================
    19:34:16:774 3980 UnloadDriverW: NtUnloadDriver error 1
    19:34:16:774 3980 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
    19:34:16:774 3980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    19:34:16:864 3980 LoadDriverW: Driver already loaded
    19:34:16:864 3980 KLMD_DropNLoadW: LoadDriverW(klmd21) error 1056
    19:34:16:864 3980 UtilityInit: KLMD drop and load failed, trying to open device
    19:34:16:864 3980 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    19:34:16:864 3980 UtilityInit: KLMD open success
    19:34:16:864 3980 UtilityInit: Initialize success
    19:34:16:864 3980
    19:34:16:874 3980 Scanning Services ...
    19:34:16:874 3980 CreateRegParser: Registry parser init started
    19:34:16:874 3980 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    19:34:16:874 3980 CreateRegParser: DisableWow64Redirection error
    19:34:16:874 3980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    19:34:16:874 3980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    19:34:16:874 3980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:34:16:874 3980 wfopen_ex: Trying to KLMD file open
    19:34:16:874 3980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    19:34:16:874 3980 wfopen_ex: File opened ok (Flags 2)
    19:34:16:874 3980 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 274DE8
    19:34:16:874 3980 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    19:34:16:874 3980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    19:34:16:874 3980 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:34:16:874 3980 wfopen_ex: Trying to KLMD file open
    19:34:16:874 3980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    19:34:16:874 3980 wfopen_ex: File opened ok (Flags 2)
    19:34:16:874 3980 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274CD8
    19:34:16:874 3980 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    19:34:16:874 3980 CreateRegParser: EnableWow64Redirection error
    19:34:16:874 3980 CreateRegParser: RegParser init completed
    19:34:17:405 3980 GetAdvancedServicesInfo: Raw services enum returned 329 services
    19:34:17:405 3980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    19:34:17:405 3980 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    19:34:17:405 3980
    19:34:17:405 3980 Scanning Kernel memory ...
    19:34:17:405 3980 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    19:34:17:405 3980 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 83335330
    19:34:17:405 3980 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
    19:34:17:405 3980
    19:34:17:405 3980 DetectCureTDL3: DEVICE_OBJECT: 833859F0
    19:34:17:405 3980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 833859F0
    19:34:17:405 3980 KLMD_ReadMem: Trying to ReadMemory 0x833859F0[0x38]
    19:34:17:405 3980 DetectCureTDL3: DRIVER_OBJECT: 83335330
    19:34:17:405 3980 KLMD_ReadMem: Trying to ReadMemory 0x83335330[0xA8]
    19:34:17:405 3980 KLMD_ReadMem: Trying to ReadMemory 0xE101ED60[0x18]
    19:34:17:405 3980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (0) addr: F88BBC30
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (2) addr: F88BBC30
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (3) addr: F88B5D9B
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (4) addr: F88B5D9B
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (5) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (6) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (7) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (8) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (9) addr: F88B6366
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (10) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (11) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (12) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (13) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (14) addr: F88B644D
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (15) addr: F88B9FC3
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (16) addr: F88B6366
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (17) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (18) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (19) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (20) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (21) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (22) addr: F88B7EF3
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (23) addr: F88BCA24
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (24) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (25) addr: 804FB8DE
    19:34:17:405 3980 DetectCureTDL3: IrpHandler (26) addr: 804FB8DE
    19:34:17:405 3980 TDL3_FileDetect: Processing driver: Disk
    19:34:17:405 3980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    19:34:17:405 3980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    19:34:17:425 3980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    19:34:17:425 3980
    19:34:17:425 3980 DetectCureTDL3: DEVICE_OBJECT: 83365AB8
    19:34:17:425 3980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83365AB8
    19:34:17:425 3980 DetectCureTDL3: DEVICE_OBJECT: 8336C030
    19:34:17:425 3980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8336C030
    19:34:17:425 3980 DetectCureTDL3: DEVICE_OBJECT: 83388D98
    19:34:17:425 3980 KLMD_GetLowerDeviceObject: Trying to get lower device object for 83388D98
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x83388D98[0x38]
    19:34:17:425 3980 DetectCureTDL3: DRIVER_OBJECT: 8334DAB8
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x8334DAB8[0xA8]
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x83366030[0x38]
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x8338A210[0xA8]
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0xE1947B90[0x1A]
    19:34:17:425 3980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (0) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (1) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (2) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (3) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (4) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (5) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (6) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (7) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (8) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (9) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (10) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (11) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (12) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (13) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (14) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (15) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (16) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (17) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (18) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (19) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (20) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (21) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (22) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (23) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (24) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (25) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: IrpHandler (26) addr: 83315618
    19:34:17:425 3980 DetectCureTDL3: All IRP handlers pointed to one addr: 83315618
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x83315618[0x400]
    19:34:17:425 3980 TDL3_IrpHookDetect: TDL3 is already cured
    19:34:17:425 3980 KLMD_ReadMem: Trying to ReadMemory 0x833154BF[0x400]
    19:34:17:425 3980 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
    19:34:17:425 3980 TDL3_FileDetect: Processing driver: atapi
    19:34:17:425 3980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk11.tmp
    19:34:17:425 3980 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk11.tmp
    19:34:17:475 3980 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk11.tmp - Verdict: Clean
    19:34:17:485 3980
    19:34:17:485 3980 Completed
    19:34:17:485 3980
    19:34:17:485 3980 Results:
    19:34:17:485 3980 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    19:34:17:485 3980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    19:34:17:505 3980 File objects infected / cured / cured on reboot: 0 / 0 / 0
    19:34:17:505 3980
    19:34:17:505 3980 UnloadDriverW: NtUnloadDriver error 1
    19:34:17:505 3980 KLMD_Unload: UnloadDriverW(klmd21) error 1
    19:34:17:515 3980 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    19:34:17:515 3980 UtilityDeinit: KLMD(ARK) unloaded successfully
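As an added example (not code from this thread or from Kaspersky's tool), the following Python parser reads the TDSSKiller log format posted above and reduces it to per-driver findings: the file backing each driver object, the verdict, the "All IRP handlers pointed to one addr" observation, the IRP-hook state line, and the final Results counts. The regexes are assumptions derived from the lines in this log, and the embedded sample is an excerpt copied from the log above; the triage notes only surface what the log itself states, they do not decide whether the machine is infected.

```python
"""Summarise a TDSSKiller log into per-driver findings and result counts."""
import re
from dataclasses import dataclass

# Every log line is "HH:MM:SS:mmm <pid> <message>" (format assumed from the posted log).
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (?P<obj>\S+), Driver Name: (?P<name>\S+)")
FILE_RE = re.compile(r"TDL3_FileDetect: Processing driver file: (?P<path>.+)$")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)$")
ONE_ADDR_RE = re.compile(r"All IRP handlers pointed to one addr: (?P<addr>[0-9A-F]+)")
HOOK_RE = re.compile(r"TDL3_IrpHookDetect: (?P<state>.+)$")
RESULTS_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)"
)


@dataclass
class DriverFinding:
    name: str
    file: str = ""            # file TDSSKiller examined for this driver object
    verdict: str = ""         # "Clean" or whatever the tool reported
    single_irp_addr: str = "" # set when all IRP handlers share one address
    hook_state: str = ""      # text of the TDL3_IrpHookDetect line, if any


def parse_tdsskiller_log(text):
    """Return ({driver_name: DriverFinding}, {kind: (infected, cured, reboot)})."""
    drivers, results, current = {}, {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if d := DRIVER_RE.search(msg):
            # A new driver object section starts; later lines belong to it.
            current = drivers.setdefault(d["name"], DriverFinding(name=d["name"]))
        elif (f := FILE_RE.search(msg)) and current:
            current.file = f["path"].strip()
        elif (v := VERDICT_RE.search(msg)) and current:
            current.verdict = v["verdict"]
        elif (a := ONE_ADDR_RE.search(msg)) and current:
            current.single_irp_addr = a["addr"]
        elif (h := HOOK_RE.search(msg)) and current:
            current.hook_state = h["state"].strip()
        elif r := RESULTS_RE.search(msg):
            results[r["kind"]] = (int(r["infected"]), int(r["cured"]), int(r["reboot"]))
    return drivers, results


def triage(drivers, results):
    """Observations a helper would want to look at; each one restates a log fact."""
    notes = []
    for d in drivers.values():
        if d.verdict and d.verdict != "Clean":
            notes.append(f"{d.name}: verdict {d.verdict} for {d.file}")
        if d.file.lower().endswith(".tmp"):
            notes.append(f"{d.name}: driver object is backed by a .tmp file ({d.file}), "
                         "not the driver's usual .sys")
        if d.single_irp_addr:
            notes.append(f"{d.name}: every IRP handler points at one address {d.single_irp_addr}")
        if d.hook_state:
            notes.append(f"{d.name}: {d.hook_state}")
    for kind, (inf, cured, reboot) in results.items():
        if inf or cured or reboot:
            notes.append(f"{kind} objects: infected={inf} cured={cured} cured_on_reboot={reboot}")
    return notes


# Excerpt copied from the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""19:34:17:405 3980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
19:34:17:405 3980 TDL3_FileDetect: Processing driver: Disk
19:34:17:405 3980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
19:34:17:425 3980 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
19:34:17:425 3980 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:34:17:425 3980 DetectCureTDL3: All IRP handlers pointed to one addr: 83315618
19:34:17:425 3980 TDL3_IrpHookDetect: TDL3 is already cured
19:34:17:425 3980 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk11.tmp
19:34:17:475 3980 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk11.tmp - Verdict: Clean
19:34:17:485 3980 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:34:17:485 3980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:34:17:505 3980 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

if __name__ == "__main__":
    found, counts = parse_tdsskiller_log(SAMPLE_LOG)
    for line in triage(found, counts):
        print(line)
```

Run it against the full TDSSKiller.txt instead of the excerpt by reading the file into `parse_tdsskiller_log`.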
     
  5. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
    1. If you are using Firefox, make sure that your download settings are as follows:
      • Tools->Options->Main tab
      • Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:

      [two screenshots of the download dialog showing the file renamed to Combo-Fix]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------
    7. Double-click on Combo-Fix.exe and follow the prompts.
    8. Install the Recovery Console if prompted.
    9. When finished, it will produce a report for you.
    10. Please post the "C:\Combo-Fix.txt".
    **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**


    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
     
  6. Kwongsup

    Kwongsup Thread Starter

    Joined:
    Feb 1, 2010
    Messages:
    4
    My newest ComboFix file:

    ComboFix 10-03-11.06 - Kim 03/12/2010 14:54:45.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.189 [GMT -6:00]
    Running from: c:\documents and settings\Kim\Desktop\Combo-Fix.exe
    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Kim\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 )))))))))))))))))))))))))))))))
    .
    2010-03-12 20:26 . 2010-03-12 20:26 -------- d-----w- C:\Nexon
    2010-03-12 19:27 . 2010-03-12 19:27 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    2010-03-12 19:27 . 2010-03-12 19:27 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
    2010-03-12 19:27 . 2010-03-12 19:27 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
    2010-03-12 19:27 . 2010-03-12 19:27 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
    2010-03-12 19:27 . 2010-03-12 19:27 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
    2010-03-12 19:27 . 2010-03-12 19:27 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
    2010-03-12 19:27 . 2010-03-12 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
    2010-03-11 02:24 . 2010-03-11 02:24 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
    2010-02-26 15:43 . 2010-02-26 15:43 356352 ----a-w- c:\windows\system32\emp105.exe
    2010-02-24 16:48 . 2010-02-25 14:43 49152 ----a-w- c:\windows\system32\emp101.exe
    2010-02-16 02:05 . 2010-02-16 02:05 -------- d-sh--w- c:\documents and settings\Kim\IECompatCache
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-12 14:41 . 2010-02-01 07:30 117760 ----a-w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-11 02:27 . 2009-07-19 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-02-19 01:27 . 2009-07-19 04:16 -------- d-----w- c:\program files\PartyGaming
    2010-02-18 02:19 . 2010-01-09 22:30 -------- d-----w- c:\program files\McAfee
    2010-02-01 07:30 . 2010-02-01 07:30 52224 ----a-w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-02-01 07:29 . 2010-02-01 07:29 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-02-01 07:29 . 2010-02-01 07:29 65024 ----a-r- c:\documents and settings\Kim\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    2010-02-01 07:29 . 2010-02-01 07:29 5120 ----a-r- c:\documents and settings\Kim\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
    2010-02-01 07:29 . 2010-02-01 07:29 18944 ----a-r- c:\documents and settings\Kim\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    2010-02-01 07:29 . 2010-02-01 07:29 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-02-01 07:29 . 2010-02-01 07:29 -------- d-----w- c:\documents and settings\Kim\Application Data\SUPERAntiSpyware.com
    2010-02-01 07:27 . 2010-02-01 07:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-01-21 02:50 . 2010-01-21 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-01-21 02:32 . 2010-01-21 02:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-01-20 18:27 . 2009-10-29 04:35 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-01-15 18:00 . 2004-08-04 20:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-31 16:14 . 2004-08-04 20:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-21 19:14 . 2004-08-04 20:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-21 19:13 . 2009-12-21 19:13 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-12-16 12:58 . 2009-06-29 07:50 343040 ----a-w- c:\windows\system32\mspaint.exe
    2009-12-14 07:35 . 2004-08-04 20:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-01-05 2002160]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
    "AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 88209]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
    backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Kim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2004-08-04 06:06 1667584 ------w- c:\program files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-01-26 21:31 2144088 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "WMPNetworkSvc"=3 (0x3)
    "SoundMAX Agent Service (default)"=2 (0x2)
    "ose"=3 (0x3)
    "odserv"=3 (0x3)
    "idsvc"=3 (0x3)
    "hpqwmi"=3 (0x3)
    "Ati HotKey Poller"=2 (0x2)
    "McSysmon"=3 (0x3)
    "McShield"=2 (0x2)
    "McProxy"=2 (0x2)
    "McODS"=3 (0x3)
    "mcmscsvc"=2 (0x2)
    "MpfService"=2 (0x2)
    "McNASvc"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]
    R3 WPC54GSv2;Linksys Wireless Notebook Adapter WPC54Gv3 Driver;c:\windows\system32\drivers\WPC54GSv2.SYS [7/7/2009 8:27 PM 610816]
    S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPMp50.sys --> c:\windows\system32\Drivers\CBPMp50.sys [?]
    S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [7/7/2009 8:27 PM 27072]
    .
    Contents of the 'Scheduled Tasks' folder
    2010-01-09 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-09 18:22]
    2010-01-09 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-09 18:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    MSConfigStartUp-Google Update - c:\documents and settings\Kim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-12 15:01
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(876)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-03-12 15:04:34
    ComboFix-quarantined-files.txt 2010-03-12 21:04
    ComboFix2.txt 2010-02-01 18:35
    Pre-Run: 25,344,212,992 bytes free
    Post-Run: 26,322,489,344 bytes free
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    - - End Of File - - 27579AB4EA05DA1BBB2264864C74FE8B
     
Short URL to this thread: https://techguy.org/899452