DCOM [10005] - DCOM got error "%1058"


  • This topic is locked
6 replies to this topic

#1 b477l3h4x

b477l3h4x

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 19 January 2009 - 12:31 AM

It shut off Windows auto-updater and now requests that I turn it back on with weird warning pop-up boxes, and whenever I click the X (close) button or any button it opens up a random Windows-looking security website. I also seem to have a problem blocking pop-ups whenever an internet browser is open, which before this happened was never a problem.



DDS (Ver_09-01-18.01) - NTFSx86
Run by Owner at 0:16:15.28 on Mon 01/19/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1124 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\MMTray.exe
C:\WINDOWS\system32\MMTray2k.exe
C:\WINDOWS\system32\MMTrayLSI.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: {098308de-ca26-4d05-b0c2-ad628b5a8696} - c:\windows\system32\tuvTjgfe.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXQgddD.dll
BHO: {77ab5974-55a3-4737-9fd5-b93c64307f78} - c:\windows\system32\jktyrhnc.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {DF4E7A0C-E233-4906-B4C1-A404356541FF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [A00F477DDC5E.exe] c:\docume~1\owner\locals~1\temp\_A00F477DDC5E.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CHotkey] zHotkey.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [MMTray] MMTray.exe
mRun: [MMTray2K] MMTray2k.exe
mRun: [MMTrayLSI] MMTrayLSI.exe
mRun: [SiteAdvisor] c:\program files\siteadvisor\6253\SiteAdv.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [2cec6c86] rundll32.exe "c:\windows\system32\rrowgfai.dll",b
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: cbXQgddD - cbXQgddD.dll
Notify: __c00B9590 - c:\windows\system32\__c00B9590.dat
AppInit_DLLs: qwzbaq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXQgddD.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvTjgfe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3hdkdth4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\3hdkdth4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R4 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2008-3-13 472320]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-6-5 14336]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-6-4 9344]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\AWRTPD.sys [2007-6-4 6272]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\AWRTRD.sys [2007-6-4 8320]
S4 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" --> c:\program files\lavasoft\ad-aware 2007\aawservice.exe [?]

=============== Created Last 30 ================

2009-01-18 19:12 123,392 a------- c:\windows\system32\__c0095837.exe
2009-01-18 13:32 116,736 a------- c:\windows\system32\jktyrhnc.dll
2009-01-18 13:30 129,024 a------- c:\windows\system32\qwzbaq.dll
2009-01-18 13:30 129,024 a------- c:\windows\system32\iiousryh.dll
2009-01-17 13:33 1,403,911 ---sh--- c:\windows\system32\iafgworr.ini
2009-01-17 13:33 72,704 a------- c:\windows\system32\rrowgfai.dll
2009-01-17 13:30 129,024 a------- c:\windows\system32\mcnrtz.dll
2009-01-17 13:30 129,024 a------- c:\windows\system32\rjflsdtd.dll
2009-01-17 13:14 123,392 a------- c:\windows\system32\__c00BD6F4.exe
2009-01-16 13:30 129,024 a------- c:\windows\system32\wzsccu.dll
2009-01-16 13:30 129,024 a------- c:\windows\system32\tlikoold.dll
2009-01-16 13:27 1,403,887 ---sh--- c:\windows\system32\vukhdvny.ini
2009-01-16 13:27 72,704 -------- c:\windows\system32\ynvdhkuv.dll
2009-01-15 19:07 25,088 a------- c:\windows\system32\__c00B9590.dat
2009-01-15 13:30 129,024 a------- c:\windows\system32\ykhqmx.dll
2009-01-15 13:30 129,024 a------- c:\windows\system32\fkgvjmdw.dll
2009-01-15 13:27 1,376,113 ---sh--- c:\windows\system32\cejaliph.ini
2009-01-15 13:27 72,704 -------- c:\windows\system32\hpilajec.dll
2009-01-14 13:27 129,024 a------- c:\windows\system32\zqyhjg.dll
2009-01-14 13:27 129,024 a------- c:\windows\system32\dhjoqbvo.dll
2009-01-14 13:25 1,376,113 ---sh--- c:\windows\system32\vwomkdls.ini
2009-01-14 13:25 72,704 -------- c:\windows\system32\sldkmowv.dll
2009-01-14 13:21 119,389 a--sh--- c:\windows\system32\efgjTvut.ini2
2009-01-14 13:21 119,389 a--sh--- c:\windows\system32\efgjTvut.ini
2009-01-14 13:21 302,592 a------- c:\windows\system32\tuvTjgfe.dll
2009-01-14 13:16 36,352 a------- c:\windows\system32\cbXQgddD.dll
2009-01-10 04:03 <DIR> --d----- c:\program files\ro
2009-01-10 03:55 <DIR> --d--r-- c:\program files\OnyxiaRO on Dvd
2008-12-22 21:26 <DIR> --d----- c:\program files\Ventrilo
2008-12-22 21:25 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2007-12-30 11:02 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2007-12-30 11:02 47,360 a------- c:\docume~1\owner\applic~1\pcouffin.sys
2005-07-08 08:38 5,525 a------- c:\program files\readme.txt
2008-08-24 20:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 0:17:13.53 ===============

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 PM

Posted 19 January 2009 - 03:06 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is because when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 b477l3h4x

b477l3h4x
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 19 January 2009 - 02:51 PM

Well, that is disheartening to say the least. I'm posting two logs by ComboFix, mainly because I tend to do things step by step with the instructions, which caused ComboFix to run with just my ESET antivirus/spyware off and the firewall still on and no recovery thing installed; the second log was done with the firewall and antivirus/spyware off for bonus no interference, and I installed the system recovery thing. Also, thanks for your help.


ComboFix 09-01-19.01 - Owner 2009-01-19 14:09:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1169 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\Favorites\Online Security Test.url
c:\program files\Common Files\companion wizard
c:\program files\Seekmo Programs
c:\windows\system32\__c0095837.exe
c:\windows\system32\__c00B9590.dat
c:\windows\system32\__c00BD6F4.exe
c:\windows\system32\cbXQgddD.dll
c:\windows\system32\dhjoqbvo.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\efgjTvut.ini
c:\windows\system32\efgjTvut.ini2
c:\windows\system32\fkgvjmdw.dll
c:\windows\system32\hpilajec.dll
c:\windows\system32\iiousryh.dll
c:\windows\system32\jktyrhnc.dll
c:\windows\system32\mcnrtz.dll
c:\windows\system32\qwzbaq.dll
c:\windows\system32\rjflsdtd.dll
c:\windows\system32\rrowgfai.dll
c:\windows\system32\sldkmowv.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\stera.log
c:\windows\system32\tlikoold.dll
c:\windows\system32\tmp.reg
c:\windows\system32\tuvTjgfe.dll
c:\windows\system32\wzsccu.dll
c:\windows\system32\ykhqmx.dll
c:\windows\system32\ynvdhkuv.dll
c:\windows\system32\zqyhjg.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FOPN
-------\Legacy_VSPF
-------\Legacy_VSPF_HK


((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-17 13:33 . 2009-01-18 13:33 1,403,911 --ahs---- c:\windows\system32\iafgworr.ini
2009-01-16 13:27 . 2009-01-17 13:28 1,403,887 --ahs---- c:\windows\system32\vukhdvny.ini
2009-01-15 13:27 . 2009-01-15 13:27 1,376,113 --ahs---- c:\windows\system32\cejaliph.ini
2009-01-14 13:25 . 2009-01-15 13:26 1,376,113 --ahs---- c:\windows\system32\vwomkdls.ini
2009-01-10 04:03 . 2009-01-13 12:26 <DIR> d-------- c:\program files\ro
2009-01-10 03:55 . 2009-01-10 03:55 <DIR> dr------- c:\program files\OnyxiaRO on Dvd
2008-12-22 21:26 . 2008-12-22 21:26 <DIR> d-------- c:\program files\Ventrilo
2008-12-22 21:25 . 2008-12-22 21:26 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 14:45 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-13 10:58 --------- d-----w c:\program files\World of Warcraft
2008-12-23 02:38 --------- d-----w c:\documents and settings\Owner\Application Data\Ventrilo
2008-12-19 01:22 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 21:39 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2008-12-11 20:10 --------- d-----w c:\program files\Warcraft III
2008-12-11 20:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 03:28 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-09 02:59 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-03 22:08 --------- d-----w c:\program files\TVersity Codec Pack
2007-12-30 16:02 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2005-07-08 13:38 5,525 ----a-w c:\program files\readme.txt
2008-08-25 01:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082420080825\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"SiteAdvisor"="c:\program files\SiteAdvisor\6253\SiteAdv.exe" [2006-07-24 35992]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-13 1443072]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"CHotkey"="zHotkey.exe" [2005-05-03 c:\windows\zHotkey.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]
"MMTray"="MMTray.exe" [2003-03-25 c:\windows\system32\MMTray.exe]
"MMTray2K"="MMTray2k.exe" [2003-03-25 c:\windows\system32\MMTray2k.exe]
"MMTrayLSI"="MMTrayLSI.exe" [2003-03-25 c:\windows\system32\MMTrayLSI.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote Table Of Contents.onetoc2 [2008-07-21 3656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.l3acm"= L3codecp.acm
"MSACM.CEGSM"= mobilev.acm
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.avrn"= AvidAVICodec.dll
"VIDC.mszh"= avimszh.dll
"vidc.zlib"= avizlib.dll
"vidc.div3"= DivXc32.dll
"vidc.div4"= DivXc32f.dll
"vidc.ap41"= DivXc32f.dll
"vidc.dvx4"= divx4.dll
"vidc.em2v"= ETXCodec.dll
"vidc.hfyu"= huffyuv.dll
"vidc.vp31"= vp31vfw.dll
"vidc.sjpg"= pmjpeg32.dll
"vidc.rud0"= rududu.dll
"msacm.wrpr"= aviwrap.dll
"vidc.wrpr"= aviwrap.dll
"vidc.wnv1"= WNVPLAY1.DLL
"msacm.divxa32"= DivXa32.acm
"vidc.advs"= Dvc.dll
"vidc.aflc"= flccodec32.dll
"vidc.afli"= flccodec32.dll
"vidc.aasc"= Aasc32.dll
"vidc.asv1"= asusasv1.dll
"vidc.asv2"= asusasv2.dll
"vidc.mwv1"= icmw_32.dll
"vidc.bt20"= btvvc32.drv
"vidc.y41p"= btvvc32.drv
"msacm.pcdv"= pcdv.acm
"vidc.cdvc"= CSCCDVC.DLL
"vidc.ddvc"= CSCdvsd.DLL
"vidc.dps0"= DpsAviCC.dll
"MSVideo"= DPSVidCap.drv
"vidc.frwu"= frwu.dll
"vidc.frwd"= frwd.dll
"vidc.frwt"= frwt.dll
"vidc.glzw"= GLZW.dll
"vidc.gpeg"= GPEG.dll
"msacm.imc"= IMC32.ACM
"vidc.i263"= i263_32.drv
"vidc.ir21"= IR21_R.DLL
"vidc.rt21"= IR21_R.DLL
"vidc.dcmj"= MCMJPG32.DLL
"vidc.dv25"= DigiVCap.dll
"vidc.dv50"= DigiVCap.dll
"vidc.msmc"= DigiVCap.dll
"vidc.mmjp"= DigiVCap.dll
"vidc.mmes"= DigiVCap.dll
"vidc.vixl"= Miroxl32.dll
"vidc.mjpg"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.mj2c"= M3JP2K32.dll
"vidc.tvmj"= MMTVMJ.dll
"vidc.fljp"= MMTVMJ.dll
"vidc.nt00"= NTCodec.dll
"vidc.pdvc"= idvcodec.dll
"vidc.ipdv"= idvcodec.dll
"vidc.pvw2"= pvwv220.dll
"vidc.pimj"= pvljpg20.dll
"vidc.mjpx"= pvmjpg21.dll
"vidc.miro"= mirodv2avi.dll
"vidc.mjpa"= rtmjpgcdc.dll
"vidc.pim1"= pclepim1.dll
"msacm.qmpeg"= qmpeg.acm
"vidc.rmp4"= rmp4.dll
"vidc.sony"= sonydv.dll
"vidc.s422"= tekyuv.dll
"vidc.vssv"= vsscodec.dll
"vidc.cscd"= camcodec.dll
"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0stera\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 15:21 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-09-18 09:16 171464 c:\program files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 c:\program files\Common Files\AOL\1149718736\EE\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 16:07 1828136 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 15:29 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-02-28 08:59 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 11:43 8466432 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-04-01 13:49 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 20:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1149718736\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\1149718736\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1149718736\\EE\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Unused Desktop Shortcuts\\utorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8922:TCP"= 8922:TCP:BitComet 8922 TCP
"8922:UDP"= 8922:UDP:BitComet 8922 UDP
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"41952:TCP"= 41952:TCP:tversity

R4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2008-03-13 472320]
R4 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-06-05 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
- - - - ORPHANS REMOVED - - - -

BHO-{098308DE-CA26-4D05-B0C2-AD628B5A8696} - c:\windows\system32\tuvTjgfe.dll
BHO-{77AB5974-55A3-4737-9FD5-B93C64307F78} - c:\windows\system32\jktyrhnc.dll
HKLM-Run-MBkLogOnHook - c:\program files\McAfee\MBK\LogOnHook.exe
Notify-__c00B9590 - c:\windows\system32\__c00B9590.dat
MSConfigStartUp-PC Connection Agent - c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-PlayNC Launcher - c:\program files\ncsoft\launcher\NCLauncher.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hdkdth4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\SiteAdvisor\6261\FF\components\FFHook.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3hdkdth4.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 14:16:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\RMSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-19 14:23:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 19:23:28

Pre-Run: 20,493,004,800 bytes free
Post-Run: 29,157,961,728 bytes free

340 --- E O F --- 2008-12-18 08:01:06



#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 PM

Posted 19 January 2009 - 04:14 PM

Hi,

Your second log - the second time you ran Combofix - shows these deletions:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cejaliph.ini
c:\windows\system32\iafgworr.ini
c:\windows\system32\vukhdvny.ini
c:\windows\system32\vwomkdls.ini


So everything looks OK again :thumbup2:

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 b477l3h4x

b477l3h4x
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:12:12 PM

Posted 19 January 2009 - 06:30 PM

Seems to be going well. It's no longer bugging me to turn auto-updater back on, and no more random pop-ups. I must admit I was pretty much sure from your first comment that I was going to be getting some new pieces for my computer; hopefully now I can hold on to this hard drive and its contents for a little longer. Thanks for the help. Hopefully whatever is left over, if anything, will stay quiet and stop messing with my comp.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 PM

Posted 20 January 2009 - 02:04 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 PM

Posted 21 January 2009 - 09:29 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



