
DCOM Server Launcher Issues


  • This topic is locked
33 replies to this topic

#1 Heavily Armed Pixie

Heavily Armed Pixie

  • Members
  • 87 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:34 AM

Posted 01 January 2014 - 09:11 PM

I'm running a Dell Inspiron 530S, with XP Home edition. Very recently (today), my computer shut off with no warning. The screen went blank (though the fans did not pause and no lights went off) and then it began booting up again. I tried to run a virus scan, but it did it again. After that, I was getting an error that the DCOM server launcher has shut down unexpectedly and my computer needs to restart, which it then did after sixty seconds. This happened about three times before I got fed up and looked into it on Google.

Looking into the issue, I managed to discover that I can change it so my system does not restart, but instead the response from the computer is to restart the application. So I made that change and that's the only change I've made.

 

More research into the matter -- trying to FIX IT from happening at all -- tells me that this might be due to malware. I'd like to make sure that's not the case, and if so, get rid of the buggies.

 

Help please?


Edited by Heavily Armed Pixie, 01 January 2014 - 09:17 PM.




#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 03 January 2014 - 10:12 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Also

  • Please re-run FRST again and type the following in the edit box after Search: rpcss.dll
  • Click the Search button
  • It will make a log (Search.txt) - please post the log into your reply to me (you can use pastebin as well).

 

 

Regards,

Georgi




#3 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:34 AM

Posted 03 January 2014 - 05:43 PM

Hi there. Thanks for your help, I appreciate it so much! 

 

Here are the logs, as requested (the two copy/pasted logs, and the attached "addition" file).





Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-01-2014 01
Ran by (administrator) on NEW on 03-01-2014 17:31:53
Running from C:\Documents and Settings\NAMEREDACTED\Desktop
Microsoft Windows XP Service Pack 3 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

ATTENTION: If processes are not listed WMI should be repaired.


==================== Processes (Whitelisted) ===================

0

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDCPL] - C:\WINDOWS\RTHDCPL.EXE [16132608 2007-07-16] (Realtek Semiconductor Corp.)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [1107552 2012-07-09] ()
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2012-02-23] (Apple Inc.)
HKLM\...\Run: [Freecorder FLV Service] - "C:\Program Files\Freecorder\FLVSrvc.exe" /run
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411952 2013-11-20] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [AVG_TRAY] - C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-09-05] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
Winlogon\Notify\LMIinit: C:\Windows\system32\LMIinit.dll (LogMeIn, Inc.)
HKLM\...\Policies\Explorer: [NoCDBurning] 0
HKCU\...\Run: [Google Update] - C:\Documents and Settings\Desiree Delmastro\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [136176 2010-08-28] (Google Inc.)
HKU\Administrator\...\RunOnce: [spchecker] - "C:\Program Files\AVG\AVG10\Notification\SPCheckerTE.exe"
SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} -  No File
BootExecute: autocheck autochk * lsdeletesprestrtsprestrtC:\PROGRA~1\AVG\AVG2013\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,ICQ Search = http://www.icq.com/search/results.php?q={searchTerms}&ch_id=osd
URLSearchHook: HKCU - (No Name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} -  No File
URLSearchHook: HKCU - BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
SearchScopes: HKCU - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={01CCB0C1-87F8-4954-8E2D-5B16A963DC63}&mid=1e5ef7ba74a747d6a723d153e67b4b56-ab734e0c84f706d700338534921eaa4d802af3e9&lang=us&ds=AVG&pr=pa&d=2011-12-07 03:20:18&v=9.0.0.18&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933
BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll ()
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
Toolbar: HKLM - BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.1.0.12\AVG Secure Search_toolbar.dll ()
Toolbar: HKCU - &Address - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
Toolbar: HKCU - &Links - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
Toolbar: HKCU - BitTorrentBar Toolbar - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file://C:\Program Files\Yahtzee\Images\stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235510026328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235510020343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file://C:\Program Files\Yahtzee\Images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.2.0\ViProtocol.dll ()
Winsock: Catalog5 04 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 167.206.251.130 167.206.251.129

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\Firefox\Profiles\fo8rbyqz.default-1365107352359
FF Homepage: hxxp://search.conduit.com/?ctid=CT3320418&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPF00FF173-02E1-4956-8F59-21443224CF47&SSPV=
FF SelectedSearchEngine: Conduit Search
FF NewTab: hxxp://search.conduit.com/?ctid=CT3320418&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=&Lay=1&UM=2&UP=SPF00FF173-02E1-4956-8F59-21443224CF47
FF Plugin: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @adobe.com/ShockwavePlayer - C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\11.2.0\\npsitesafety.dll (AVG Technologies)
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @java.com/DTPlugin,version=10.9.2 - C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.9.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin: @videolan.org/vlc,version=2.0.5 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @zylom.com/ZylomGamesPlayer - C:\Documents and Settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll (Zylom)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @adobe.com/FlashPlayer - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll No File
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin - C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin - C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @talk.google.com/O3DPlugin - C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Documents and Settings\Desiree Delmastro\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Documents and Settings\Desiree Delmastro\Local Settings\Application Data\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF SearchPlugin: C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\Firefox\Profiles\fo8rbyqz.default-1365107352359\searchplugins\conduit-search.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\Documents and Settings\All Users\Application Data\AVG Secure Search\11.1.0.12\
FF Extension: AVG Security Toolbar - C:\Documents and Settings\All Users\Application Data\AVG Secure Search\11.1.0.12\
FF HKLM\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\
FF Extension: AVG Do Not Track - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack\
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4\
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4\

========================== Services (Whitelisted) =================

S4 aawservice; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [611664 2008-07-07] (Lavasoft)
S4 AdobeActiveFileMonitor7.0; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
R2 ATKKeyboardService; C:\WINDOWS\ATKKBService.exe [253440 2009-07-21] (ASUSTeK COMPUTER INC.)
S4 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2013\avgidsagent.exe [4939312 2013-07-04] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
S4 DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [70656 2007-03-19] ()
R2 LicCtrlService; C:\WINDOWS\runservice.exe [2560 2009-07-10] ()
S4 PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [66872 2008-02-08] ()
S4 Skype C2C Service; C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3064000 2012-08-13] (Skype Technologies S.A.)
S4 vToolbarUpdater11.2.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.2.0\ToolbarUpdater.exe [935008 2012-07-09] ()
R2 JavaQuickStarterService; "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf"
S3 stllssvr; "C:\Program Files\Common Files\SureThing Shared\stllssvr.exe" [x]

==================== Drivers (Whitelisted) ====================

S4 abp480n5; C:\Windows\system32\DRIVERS\ABP480N5.SYS [23552 2004-08-12] (Microsoft Corporation)
R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [41160 2007-01-27] (SlySoft, Inc.)
R3 asusgsb; C:\Windows\System32\drivers\asusgsb.sys [12416 2009-02-17] (ASUSTeK Computer Inc.)
R1 asuskbnt; C:\Windows\System32\drivers\atkkbnt.sys [11136 2009-02-17] (ASUSTeK COMPUTER INC.)
R3 ASUSVRC; C:\Windows\System32\DRIVERS\AsusVRC.sys [18432 2007-01-29] (ASUSTeK COMPUTER INC.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208184 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [60216 2013-07-20] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22328 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [171320 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [246072 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [96568 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [39224 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [182072 2013-03-21] (AVG Technologies CZ, s.r.o.)
S3 CamDrL; C:\Windows\System32\DRIVERS\Camdrl.sys [326656 2004-10-08] (Logitech Inc.)
S3 CCDECODE; C:\Windows\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R2 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [15440 2006-12-13] (Elaborate Bytes AG)
S3 FsUsbExDisk; C:\WINDOWS\system32\FsUsbExDisk.SYS [36608 2009-02-19] ()
R3 LVUSBSta; C:\Windows\System32\drivers\lvusbsta.sys [22016 2005-05-27] (Logitech Inc.)
S3 mamotou; C:\Windows\System32\DRIVERS\mamotou.sys [49377 2007-02-02] (Mobile Action Technology Inc.)
S3 MaRdPnp; C:\Windows\System32\DRIVERS\MaRdP2K.sys [49867 2005-08-18] (Mobile Action Technology Inc.)
R2 MaVctrl; C:\Windows\System32\DRIVERS\MaVc2K.sys [11986 2007-01-16] (Mobile Action Technology Inc.)
S3 NdisIP; C:\Windows\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NVHDA; C:\Windows\System32\drivers\nvhda32.sys [119656 2011-07-07] (NVIDIA Corporation)
S4 sptd; C:\Windows\System32\Drivers\sptd.sys [685816 2007-11-26] (Duplex Secure Ltd.)
R3 Video3D; C:\Windows\System32\Drivers\Video3D32.sys [10752 2009-02-17] (ASUSTeK COMPUTER INC.)
S3 lmimirr; system32\DRIVERS\lmimirr.sys [x]
S4 LMIRfsClientNP; No ImagePath
S1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [x]
U5 ScsiPort; C:\Windows\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
U3 TlntSvr;
U1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-03 17:31 - 2014-01-03 17:32 - 00017200 _____ C:\Documents and Settings\Desiree Delmastro\Desktop\FRST.txt
2014-01-03 17:31 - 2014-01-03 17:31 - 00000000 ____D C:\FRST
2014-01-03 17:30 - 2014-01-03 17:30 - 01064581 _____ (Farbar) C:\Documents and Settings\Desiree Delmastro\Desktop\FRST.exe
2014-01-01 20:20 - 2014-01-01 20:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
2014-01-01 20:20 - 2014-01-01 20:20 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
2014-01-01 14:27 - 2014-01-01 14:27 - 00028672 _____ C:\WINDOWS\system32\zsaif.vfw
2014-01-01 14:17 - 2014-01-03 16:39 - 00000088 _____ C:\WINDOWS\system32\xeufzd.oon
2014-01-01 14:14 - 2014-01-01 14:27 - 00000098 _____ C:\WINDOWS\system32\ruovq.yvo
2014-01-01 14:14 - 2014-01-01 14:14 - 00000064 _____ C:\WINDOWS\system32\sdlmiwu.iti
2014-01-01 13:56 - 2014-01-01 13:56 - 00101213 ____S C:\WINDOWS\system32\obukn.ckg
2013-12-19 19:09 - 2013-12-19 19:10 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-08 11:25 - 2013-12-08 11:27 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Application Data\Open Download Manager
2013-12-08 11:23 - 2013-12-17 06:30 - 00000000 ____D C:\Program Files\OpenDownloaderManager
2013-12-08 11:23 - 2013-12-08 11:23 - 00000000 _____ C:\END
2013-12-08 10:49 - 2013-12-08 10:49 - 00000000 ____D C:\Program Files\iPod
2013-12-08 10:48 - 2013-12-08 10:51 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1

==================== One Month Modified Files and Folders =======

2014-01-03 17:32 - 2014-01-03 17:31 - 00017200 _____ C:\Documents and Settings\Desiree Delmastro\Desktop\FRST.txt
2014-01-03 17:31 - 2014-01-03 17:31 - 00000000 ____D C:\FRST
2014-01-03 17:31 - 2008-07-22 20:33 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Desktop\Misc Junk
2014-01-03 17:30 - 2014-01-03 17:30 - 01064581 _____ (Farbar) C:\Documents and Settings\Desiree Delmastro\Desktop\FRST.exe
2014-01-03 17:23 - 2010-04-22 18:53 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Application Data\Skype
2014-01-03 17:22 - 2007-11-21 20:00 - 00000000 ____D C:\Program Files\MUSHclient
2014-01-03 16:39 - 2014-01-01 14:17 - 00000088 _____ C:\WINDOWS\system32\xeufzd.oon
2014-01-03 09:03 - 2011-02-27 13:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\MFAData
2014-01-02 23:04 - 2004-08-10 12:59 - 00000283 _____ C:\WINDOWS\wiadebug.log
2014-01-01 20:38 - 2011-04-04 20:43 - 01944881 _____ C:\WINDOWS\WindowsUpdate.log
2014-01-01 20:33 - 2013-06-30 14:45 - 00034285 _____ C:\Documents and Settings\Desiree Delmastro\avgui.log
2014-01-01 20:31 - 2004-08-10 12:59 - 00000048 _____ C:\WINDOWS\wiaservc.log
2014-01-01 20:30 - 2011-06-15 17:09 - 00000553 ___SH C:\WINDOWS\system32\mmf.sys
2014-01-01 20:26 - 2010-08-07 12:27 - 00000178 ___SH C:\Documents and Settings\Administrator\ntuser.ini
2014-01-01 20:20 - 2014-01-01 20:20 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
2014-01-01 20:20 - 2014-01-01 20:20 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
2014-01-01 20:08 - 2007-11-21 15:00 - 00000178 ___SH C:\Documents and Settings\Desiree Delmastro\ntuser.ini
2014-01-01 14:27 - 2014-01-01 14:27 - 00028672 _____ C:\WINDOWS\system32\zsaif.vfw
2014-01-01 14:27 - 2014-01-01 14:14 - 00000098 _____ C:\WINDOWS\system32\ruovq.yvo
2014-01-01 14:15 - 2011-09-16 06:30 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\LogMeIn
2014-01-01 14:14 - 2014-01-01 14:14 - 00000064 _____ C:\WINDOWS\system32\sdlmiwu.iti
2014-01-01 14:13 - 2012-04-24 20:05 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2014-01-01 14:12 - 2012-05-19 15:36 - 00000000 __HDC C:\WINDOWS\$NtUninstallKB961118$
2014-01-01 13:56 - 2014-01-01 13:56 - 00101213 ____S C:\WINDOWS\system32\obukn.ckg
2013-12-29 00:10 - 2009-05-12 17:59 - 00000000 ____D C:\Program Files\Kingpin
2013-12-28 22:57 - 2011-10-29 16:39 - 00000000 ____D C:\Program Files\Origin
2013-12-28 20:54 - 2010-09-21 19:48 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Application Data\vlc
2013-12-28 19:57 - 2012-11-08 18:53 - 00000000 ____D C:\Program Files\Dragon Age 2
2013-12-28 18:14 - 2011-10-29 16:41 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Local Settings\Application Data\Origin
2013-12-28 18:14 - 2011-10-29 16:41 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Application Data\Origin
2013-12-28 18:14 - 2011-04-04 18:04 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Origin
2013-12-28 16:48 - 2007-11-19 12:54 - 00000000 ____D C:\Program Files\Adobe
2013-12-28 16:45 - 2012-11-10 12:01 - 00000000 ____D C:\Program Files\Steam
2013-12-28 16:42 - 2012-12-08 23:52 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Local Settings\Application Data\Jaksta_Technologies_Pty_L
2013-12-28 16:42 - 2012-12-08 23:48 - 00000000 ____D C:\Program Files\Applian Technologies
2013-12-23 19:37 - 2004-08-10 13:01 - 00000000 ____D C:\WINDOWS\system32\FxsTmp
2013-12-21 17:24 - 2011-07-09 12:11 - 01600610 ___SH C:\Documents and Settings\Desiree Delmastro\Desktop\Thumbs.db
2013-12-19 19:10 - 2013-12-19 19:09 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-12-17 06:30 - 2013-12-08 11:23 - 00000000 ____D C:\Program Files\OpenDownloaderManager
2013-12-15 14:22 - 2004-08-10 12:52 - 00000000 ____D C:\WINDOWS\Help
2013-12-10 08:24 - 2013-05-29 21:58 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2013-12-10 08:24 - 2011-05-06 17:04 - 01143861 _____ C:\WINDOWS\setupapi.log
2013-12-08 11:27 - 2013-12-08 11:25 - 00000000 ____D C:\Documents and Settings\Desiree Delmastro\Application Data\Open Download Manager
2013-12-08 11:23 - 2013-12-08 11:23 - 00000000 _____ C:\END
2013-12-08 10:51 - 2013-12-08 10:48 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\188F1432-103A-4ffb-80F1-36B633C5C9E1
2013-12-08 10:51 - 2009-11-13 20:58 - 00000000 ____D C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
2013-12-08 10:51 - 2009-08-26 16:57 - 00000000 ____D C:\Program Files\iTunes
2013-12-08 10:49 - 2013-12-08 10:49 - 00000000 ____D C:\Program Files\iPod
2013-12-08 10:49 - 2009-08-26 16:55 - 00000000 ____D C:\Program Files\Common Files\Apple

Files to move or delete:
====================
C:\Documents and Settings\All Users\hash.dat


Some content of TEMP:
====================
C:\Documents and Settings\Desiree Delmastro\Local Settings\temp\SkypeSetup.exe
C:\Documents and Settings\Desiree Delmastro\Local Settings\temp\tbFree.dll
C:\Documents and Settings\Desiree Delmastro\Local Settings\temp\{2C17DC6E-1FF9-422A-8199-DF03E6719C62}-31.0.1650.57_chrome_installer.exe


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================

 

 

 

 

Farbar Recovery Scan Tool (x86) Version: 02-01-2014 01
Ran by Desiree Delmastro at 2014-01-03 17:36:30
Running from C:\Documents and Settings\Desiree Delmastro\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2004-08-12 09:04] - [2009-02-09 07:10] - 0401408 ____A (Microsoft Corporation) 2b23bccb63f52ef36bc46a601121a886

C:\WINDOWS\system32\dllcache\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 07:10] - 0401408 ___AC (Microsoft Corporation) 42f9900ada04885e153868573ebc893f

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2012-05-19 15:20] - [2008-04-13 19:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\ERDNT\cache\rpcss.dll
[2011-06-17 17:32] - [2004-08-12 09:04] - 0395776 ____A (Microsoft Corporation) 5c83a4408604f737717ab96371201680

C:\WINDOWS\$NtUninstallKB956572_0$\rpcss.dll
[2012-05-19 14:27] - [2004-08-12 09:04] - 0395776 ____C (Microsoft Corporation) 5c83a4408604f737717ab96371201680

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2012-05-19 15:35] - [2008-04-13 19:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtServicePackUninstall$\rpcss.dll
[2012-05-19 15:24] - [2009-02-09 05:20] - 0399360 ____C (Microsoft Corporation) 01095febf33beea00c2a0730b9b3ec28

C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 05:56] - 0401408 ____A (Microsoft Corporation) 9222562d44021b988b9f9f62207fb6f2

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 07:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 05:01] - 0401408 ____A (Microsoft Corporation) 24b5d53b9accc1e2edcf0a878d6659d4

C:\i386\rpcss.dll
[2007-11-21 17:13] - [2004-08-04 05:00] - 0395776 ____A (Microsoft Corporation) 5c83a4408604f737717ab96371201680

=== End Of Search ===



Edited by Heavily Armed Pixie, 04 January 2014 - 10:42 AM.
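Georgi's rpcss.dll search and the Search.txt it produced (above) invite a repeatable comparison of the copies, so here is an added example in Python, not part of the thread and not FRST's own code: it parses Search.txt records, groups the copies by modified timestamp and size, reports groups whose MD5s disagree, and checks the in-use system32 copy against its dllcache twin. The sample text is constructed from five of the records posted above; the dllcache path and the (modified, size) grouping rule are the example's own assumptions.

```python
import re

# Constructed sample: five of the records from the Search.txt posted above,
# in the layout FRST prints: the path on one line, then
# [created] - [modified] - size attributes (company) md5 on the next.
SAMPLE_SEARCH = r"""
================== Search: "rpcss.dll" ===================

C:\WINDOWS\system32\rpcss.dll
[2004-08-12 09:04] - [2009-02-09 07:10] - 0401408 ____A (Microsoft Corporation) 2b23bccb63f52ef36bc46a601121a886

C:\WINDOWS\system32\dllcache\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 07:10] - 0401408 ___AC (Microsoft Corporation) 42f9900ada04885e153868573ebc893f

C:\WINDOWS\ServicePackFiles\i386\rpcss.dll
[2012-05-19 15:20] - [2008-04-13 19:12] - 0399360 ____N (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$NtUninstallKB956572$\rpcss.dll
[2012-05-19 15:35] - [2008-04-13 19:12] - 0399360 ____C (Microsoft Corporation) 2589fe6015a316c0f5d5112b4da7b509

C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll
[2012-05-19 14:16] - [2009-02-09 07:10] - 0401408 ____A (Microsoft Corporation) 6b27a5c03dfb94b4245739065431322c

=== End Of Search ===
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
RECORD_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9a-fA-F]{32})$"
)

def parse_search(text):
    """Turn Search.txt text into dicts with path, created, modified, size,
    attrs, company and md5; banner and blank lines are skipped."""
    records, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        if PATH_RE.match(line):
            pending_path = line  # the detail line follows the path line
            continue
        m = RECORD_RE.match(line)
        if m and pending_path:
            rec = m.groupdict()
            rec["path"] = pending_path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].lower()
            records.append(rec)
            pending_path = None
    return records

def hash_conflicts(records):
    """Group copies by (modified timestamp, size): copies sharing both should
    be byte-identical, so a group with more than one MD5 is a conflict.
    Returns {(modified, size): {md5: [paths]}} for the conflicting groups."""
    groups = {}
    for rec in records:
        key = (rec["modified"], rec["size"])
        groups.setdefault(key, {}).setdefault(rec["md5"], []).append(rec["path"])
    return {key: by_md5 for key, by_md5 in groups.items() if len(by_md5) > 1}

def live_vs_dllcache(records, live=r"C:\WINDOWS\system32\rpcss.dll",
                     cache=r"C:\WINDOWS\system32\dllcache\rpcss.dll"):
    """On XP, dllcache is the Windows File Protection store, so the in-use
    copy and its cached copy are expected to hash the same.
    Returns (live_md5, cache_md5, match) or None if either is absent."""
    by_path = {rec["path"].lower(): rec for rec in records}
    a, b = by_path.get(live.lower()), by_path.get(cache.lower())
    if a is None or b is None:
        return None
    return (a["md5"], b["md5"], a["md5"] == b["md5"])

def report(text):
    """Findings for one Search.txt, one string per line."""
    records = parse_search(text)
    lines = [f"{len(records)} copies found"]
    for (modified, size), by_md5 in hash_conflicts(records).items():
        lines.append(f"CONFLICT: {len(by_md5)} different MD5s for modified "
                     f"{modified}, size {size}:")
        for md5, paths in by_md5.items():
            lines.append(f"  {md5}  " + "; ".join(paths))
    pair = live_vs_dllcache(records)
    if pair is not None:
        lines.append("live copy matches dllcache" if pair[2] else
                     "live copy DIFFERS from dllcache: verify against a known-good copy")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SEARCH)))
```

A mismatch is the cue to verify the in-use copy against a known-good one; by itself it is not proof of tampering.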


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 03 January 2014 - 06:56 PM

Hello,

 

First please create a new System Restore Point

http://support.microsoft.com/kb/948247

 

If you have an installation CD with XP go ahead and install the Recovery Console for XP (just in case before we proceed):

http://support.microsoft.com/kb/307654

 

 

 

Next please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press the "Scan" button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

Regards,

Georgi




#5 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 04 January 2014 - 10:41 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 04-01-2014
Ran by ADMINISTRATOR at 2014-01-04 10:33:07 Run:1
Running from C:\Documents and Settings\NAMEREDACTED\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
URLSearchHook: HKCU - (No Name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} -  No File
URLSearchHook: HKCU - BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
C:\Program Files\BitTorrentBar
SearchScopes: HKCU - DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT1060933
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO: BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
BHO: Yontoo - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo\YontooIEClient.dll (Yontoo LLC)
C:\Program Files\Yontoo
Toolbar: HKLM - BitTorrentBar Toolbar - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
Toolbar: HKCU - BitTorrentBar Toolbar - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - C:\Program Files\BitTorrentBar\prxtbBit0.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
FF Homepage: hxxp://search.conduit.com/?ctid=CT3320418&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SPF00FF173-02E1-4956-8F59-21443224CF47&SSPV=
FF SelectedSearchEngine: Conduit Search
FF NewTab: hxxp://search.conduit.com/?ctid=CT3320418&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=&Lay=1&UM=2&UP=SPF00FF173-02E1-4956-8F59-21443224CF47
FF SearchPlugin: C:\Documents and Settings\NAMEREDACTED\Application Data\Mozilla\Firefox\Profiles\fo8rbyqz.default-1365107352359\searchplugins\conduit-search.xml
S1 SBRE; \??\C:\WINDOWS\system32\drivers\SBREdrv.sys [x]
2014-01-01 14:27 - 2014-01-01 14:27 - 00028672 _____ C:\WINDOWS\system32\zsaif.vfw
2014-01-01 14:17 - 2014-01-03 16:39 - 00000088 _____ C:\WINDOWS\system32\xeufzd.oon
2014-01-01 14:14 - 2014-01-01 14:27 - 00000098 _____ C:\WINDOWS\system32\ruovq.yvo
2014-01-01 14:14 - 2014-01-01 14:14 - 00000064 _____ C:\WINDOWS\system32\sdlmiwu.iti
2014-01-01 13:56 - 2014-01-01 13:56 - 00101213 ____S C:\WINDOWS\system32\obukn.ckg
C:\Documents and Settings\Desiree Delmastro\Local Settings\temp\tbFree.dll
Replace: C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll C:\WINDOWS\system32\rpcss.dll
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:27D40D6F
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMP:C7DEC6B7
end
*****************

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{855F3B16-6D32-4fe6-8A56-BBB695989046} => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Value deleted successfully.
HKCR\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Key deleted successfully.
C:\Program Files\BitTorrentBar => Moved successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Key deleted successfully.
HKCR\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777} => Key deleted successfully.
HKCR\CLSID\{CA6319C0-31B7-401E-A518-A07C3DB8F777} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} => Key deleted successfully.
HKCR\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} => Key deleted successfully.
C:\Program Files\Yontoo => Moved successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Value deleted successfully.
HKCR\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{88C7F2AA-F93F-432C-8F0E-B7D85967A527} => Value deleted successfully.
HKCR\CLSID\{88C7F2AA-F93F-432C-8F0E-B7D85967A527} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key deleted successfully.
Firefox homepage deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox newtab deleted successfully.
C:\Documents and Settings\Desiree Delmastro\Application Data\Mozilla\Firefox\Profiles\fo8rbyqz.default-1365107352359\searchplugins\conduit-search.xml => Moved successfully.
SBRE => Service deleted successfully.
C:\WINDOWS\system32\zsaif.vfw => Moved successfully.
C:\WINDOWS\system32\xeufzd.oon => Moved successfully.
Could not move "C:\WINDOWS\system32\ruovq.yvo" => Scheduled to move on reboot.
C:\WINDOWS\system32\sdlmiwu.iti => Moved successfully.
Could not move "C:\WINDOWS\system32\obukn.ckg" => Scheduled to move on reboot.
C:\Documents and Settings\Desiree Delmastro\Local Settings\temp\tbFree.dll => Moved successfully.
C:\WINDOWS\system32\rpcss.dll => Moved successfully.
C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\rpcss.dll copied successfully to C:\WINDOWS\system32\rpcss.dll
C:\Documents and Settings\All Users\Application Data\TEMP => ":27D40D6F" ADS removed successfully.
C:\Documents and Settings\All Users\Application Data\TEMP => ":C7DEC6B7" ADS removed successfully.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-04 10:37:34)<=

C:\WINDOWS\system32\ruovq.yvo => Is moved successfully.
C:\WINDOWS\system32\obukn.ckg => Moved successfully.

==== End of Fixlog ====

 

 

 

Farbar Service Scanner Version: 05-12-2013
Ran by Desiree Delmastro (administrator) on 04-01-2014 at 10:40:29
Running from "C:\Documents and Settings\Desiree Delmastro\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".

cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is set to Demand. The default start type is Auto.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc: "%SystemRoot%\System32\cryptsvc.dll".


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(12) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0D00000004000000010000000200000003000000560000000A0000000B000000090000000C00000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****


Edited by Heavily Armed Pixie, 04 January 2014 - 10:43 AM.


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 04 January 2014 - 01:55 PM

Hello,

 

 

Do you still experience problems with DCOM Server Process Launcher?

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

Regards,

Georgi




#7 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 04 January 2014 - 02:06 PM

I haven't had an issue with the DCOM since I told it to "restart the application" rather than rebooting the machine. I was hoping the whole reason it was crashing (causing it to reboot in the first place) wasn't due to Malware, which is why I'm here.

 

Short answer is: no, I'm not still having a problem with it.

 

 

 

 

 

Rkill 2.6.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/04/2014 02:04:00 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\WINDOWS\ATKKBService.exe (PID: 1232) [WD-HEUR]
 * C:\WINDOWS\runservice.exe (PID: 1752) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Reparse Point/Junctions Found (Most likely legitimate)!

     * C:\WINDOWS\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a => C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29b51492 [Dir]
     * C:\WINDOWS\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35 => C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5 [Dir]

Checking Windows Service Integrity:

 * Automatic Updates (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 01/04/2014 02:06:18 PM
Execution time: 0 hours(s), 2 minute(s), and 17 seconds(s)
 



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 04 January 2014 - 02:39 PM

I haven't had an issue with the DCOM since I told it to "restart the application" rather than rebooting the machine. I was hoping the whole reason it was crashing (causing it to reboot in the first place) wasn't due to Malware, which is why I'm here.

 

 

It was due to malware and I hope we fixed that. Please see if the problem appears again once you set the DCOM settings back to their defaults, and let me know.

 

 

Regards,

Georgi




#9 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 04 January 2014 - 03:01 PM

I just re-enabled the "restart computer" bit. I'll wait a bit and report back in a couple hours as to whether or not the issue has stopped.



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 04 January 2014 - 05:25 PM

Hi,

 

 

Nice to hear there is an improvement. We should repair a few Windows services like WMI and set the Cryptographic Services service to the Automatic startup type.

 

Also, can I ask why you disabled the Automatic Updates and the Background Intelligent Transfer Service services?

 

Also I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

 

 

STEP 1

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 2
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

 

 

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

 

 

STEP 4

 

 

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, open it while holding down the left CTRL key until it is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

 

 

 

STEP 5

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi


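The post above asks about services that were switched off and relies on the Farbar Service Scanner log to check start types and the MD5 of rpcss.dll. As an added example (not code from the thread or from FRST/FSS), this PowerShell script re-does both checks: it reports services whose start type differs from the default the FSS log expects, and compares the live rpcss.dll with the backup copy the FRST fix copied into place. Assumptions: an elevated PowerShell 2.0 or later prompt, the service defaults beyond those named in the log (winmgmt, RpcSs, DcomLaunch) are taken to be Auto, and the backup path is the one from the Fixlog above.

```powershell
# Added example, not from the thread or from the Farbar tools: re-check what the
# FSS log reports, on PowerShell 2.0 (the newest that runs on XP) or later.
# Run from an elevated prompt.

# Expected default start types. wuauserv, BITS and cryptsvc come from the FSS log
# ("default start type is Auto"); winmgmt, RpcSs and DcomLaunch are an assumption.
$ExpectedStartMode = @{
    'wuauserv'   = 'Auto'   # Automatic Updates
    'BITS'       = 'Auto'   # Background Intelligent Transfer Service
    'cryptsvc'   = 'Auto'   # Cryptographic Services (FSS reported 'Demand', i.e. Manual)
    'winmgmt'    = 'Auto'   # Windows Management Instrumentation
    'RpcSs'      = 'Auto'   # Remote Procedure Call, hosted in rpcss.dll
    'DcomLaunch' = 'Auto'   # DCOM Server Process Launcher, also hosted in rpcss.dll
}

# Report every service whose StartMode differs from the expected default or is not running.
function Get-ServiceDeviation {
    foreach ($name in $ExpectedStartMode.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { Write-Warning "Service $name not found"; continue }
        # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled.
        if ($svc.StartMode -ne $ExpectedStartMode[$name] -or $svc.State -ne 'Running') {
            New-Object PSObject -Property @{
                Name      = $name
                StartMode = $svc.StartMode
                Expected  = $ExpectedStartMode[$name]
                State     = $svc.State
                PathName  = $svc.PathName
            }
        }
    }
}

# Lowercase hex MD5 of a file, the same form FRST and FSS print, so the result can be
# compared with the hashes in the FRST search output earlier in the thread.
function Get-Md5Hex([string]$Path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# Compare the live rpcss.dll with the backup copy the FRST fix copied into place.
function Test-RpcssMatchesBackup {
    $live   = Join-Path $env:SystemRoot 'system32\rpcss.dll'
    $backup = Join-Path $env:SystemRoot '$hf_mig$\KB956572\SP3GDR\rpcss.dll'
    $liveMd5   = Get-Md5Hex $live
    $backupMd5 = Get-Md5Hex $backup
    New-Object PSObject -Property @{
        Live = $live; LiveMD5 = $liveMd5; BackupMD5 = $backupMd5; Matches = ($liveMd5 -eq $backupMd5)
    }
}

Get-ServiceDeviation | Format-Table Name, StartMode, Expected, State -AutoSize
Test-RpcssMatchesBackup | Format-List

# Only after confirming a deviation is unwanted (the question Georgi asks), for example:
# Set-Service -Name cryptsvc -StartupType Automatic; Start-Service -Name cryptsvc
```

A hash mismatch does not by itself mean tampering: the backup in $hf_mig$ is a specific hotfix build, so compare against the copy the machine is actually supposed to be running.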


#11 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 05 January 2014 - 12:13 PM

Working on all this right now, just FYI.



#12 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 05 January 2014 - 12:19 PM

Okay, first I note that my computer has NOT tried to reboot due to DCOM errors since I re-enabled "reboot the system". We seem to be okay there.

 

PASTEBIN RESULTS FROM ROGUEKILLER: http://pastebin.com/faRnE9mh

When closing RogueKiller, it asked me if I wanted to delete the items it found ("Items have not been deleted, do you really want to quit?"). You didn't mention doing that, so I wanted to ask you about it before I go further. Should I delete them, or just close the program without deleting, and continue on with the next step?


Edited by Heavily Armed Pixie, 05 January 2014 - 12:21 PM.


#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 05 January 2014 - 02:02 PM

Hello,

 

No, there's no need to delete the entries; they are as they should be. Only the MBR part in the log concerns me a bit:

 

[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown

 

but we will see what the TDSSKiller log shows us.

 

 

Regards,

Georgi




#14 Heavily Armed Pixie

Heavily Armed Pixie
  • Topic Starter

  • Members
  • 87 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:12:34 AM

Posted 05 January 2014 - 03:53 PM

Still working on this, Malwarebytes Anti-Rootkit is taking a while.



#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:34 AM

Posted 05 January 2014 - 03:58 PM

No worries. :)

Take your time.

 

 

Regards,

Georgi






