Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Google Hijack and "Windows must now restart because DCOM..."

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » January 27th, 2010, 1:54 pm

Both of these problems started around the same time a couple weeks ago. If I search google and click the links I am redirected to a search page. Only way around it is to right-click the link and copy & paste it to the address bar. This happens in Both IE and Firefox.

Also my computer keeps restarting as much a 1 every half hour but on average of once ever 1.5 to 2 hours. When it restarts I get the message: "Windows must now restart because DCOM Server Process Launcher Service has terminated". At first it did it once in awhile but it seems to be getting worse.

Here are my Hijackthis log and Uninstal list:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:04 PM, on 1/27/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Video Chat\DellVideoChat.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=T-6321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html ... B&M=T-6321
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\Dell Video Chat\DellVideoChat.exe" -bootmode
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9322 bytes


7-Zip 4.57
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player 11.5
Advanced RAR Password Recovery (remove only)
Agile MP4 Video Joiner
AIM 7
Amazon MP3 Downloader 1.0.3
AnyDVD
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Avanquest update
AviSynth 2.5
BigFix
Bonjour
Camera Assistant Software for Gateway
Compatibility Pack for the 2007 Office system
Compel Adaptec WinASPI
CopyTrans Suite Remove Only
Dell Video Chat
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
FlashFXP
Free M4a to MP3 Converter 6.0
Garmin USB Drivers
Garmin WebUpdater
Gateway Connect
Gateway Games
Gateway Recovery Center Installer
GoldWave v5.25
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Guitar Pro 5.2
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
Jasc Paint Shop Pro 8
Java(TM) 6 Update 15
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LabelPrint
LogMeIn
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office FrontPage 2003
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.16)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 8
neroxml
Norton Internet Security
OGA Notifier 2.0.0048.0
Password Protect USB 3.6.1
Power2Go 5.0
QuickTime
Real Alternative 1.8.2
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
REALTEK USB Wireless LAN Driver
RocketDock 1.3.5
Synaptics Pointing Device Driver
TransferMy DVD
TransferMy Music 3.0
TuneUp Utilities 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
WinZip 11.2
Xvid 1.2.1 final uninstall
YASA MP4 Video Converter v3.2 (build 0051)

Any Help is greatly appreciated.

Thanks!
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm
Advertisement
Register to Remove

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby MWR 3 day Mod » January 31st, 2010, 1:42 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby jmw3 » February 1st, 2010, 11:08 pm

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Please take time to read the Malware Removal Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part can not completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Thanks

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-Click on dds.scr and a command window will appear. This is normal
  • Shortly after two logs will appear, DDS.txt & Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Right click the .exe file then choose Run as Administrator to run the program. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » February 1st, 2010, 11:31 pm

Thanks for the reply...I will start backing up files now.
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » February 2nd, 2010, 10:48 pm

DDS (Ver_09-12-01.01) - NTFSx86
Run by Dude at 20:04:54.18 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1205 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\sttray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\TUProgSt.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Dude\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html ... B&M=T-6321
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html ... B&M=T-6321
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\dude\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\dude\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\dude\appdata\roaming\mozilla\firefox\profiles\pnjjkfo2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\dude\appdata\roaming\mozilla\firefox\profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\dude\appdata\roaming\mozilla\firefox\profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\dude\appdata\roaming\mozilla\firefox\profiles\pnjjkfo2.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\dude\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-11 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100130.002\BHDrvx86.sys [2010-2-2 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-11 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100128.002\IDSvix86.sys [2010-1-29 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-11 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-1-11 340016]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2008-1-20 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-9-21 47640]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-11 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-21 102448]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 347648]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-2-28 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2010-01-10 00:09:54 0 d-----w- C:\New Folder

==================== Find3M ====================

2009-12-16 23:58:05 10 ----a-w- C:\confin.sys
2009-09-25 18:04:24 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-25 18:04:24 51200 ----a-w- c:\windows\inf\infpub.dat
2009-09-25 18:04:23 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-09-10 10:55:47 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-07-17 23:35:37 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-17 23:35:37 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-17 23:35:37 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-09-11 14:46:28 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2005-08-25 03:10:04 174592 --sha-w- c:\windows\system32\ncfpsys.exe

============= FINISH: 20:07:23.03 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/28/2008 2:48:06 PM
System Uptime: 2/1/2010 10:24:21 PM (22 hours ago)

Motherboard: Gateway | |
Processor: Intel(R) Pentium(R) Dual CPU T2370 @ 1.73GHz | U2E1 | 1733/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 138 GiB total, 18.471 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 5.206 GiB free.
E: is CDROM ()
G: is FIXED (NTFS) - 466 GiB total, 139.287 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP601: 12/12/2009 4:13:49 AM - Scheduled Checkpoint
RP602: 12/13/2009 2:03:02 AM - Scheduled Checkpoint
RP603: 12/14/2009 1:55:03 AM - Scheduled Checkpoint

==== Installed Programs ======================

7-Zip 4.57
AAC Decoder
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player 11.5
Advanced RAR Password Recovery (remove only)
Agile MP4 Video Joiner
AIM 7
Amazon MP3 Downloader 1.0.3
AnyDVD
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
AutoUpdate
Avanquest update
AviSynth 2.5
BigFix
Bonjour
Camera Assistant Software for Gateway
Compatibility Pack for the 2007 Office system
Compel Adaptec WinASPI
CopyTrans Suite Remove Only
Dell Video Chat
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD Video Mobile
FlashFXP
Free M4a to MP3 Converter 6.0
Garmin USB Drivers
Garmin WebUpdater
Gateway Connect
Gateway Games
Gateway Recovery Center Installer
GoldWave v5.25
Google Chrome
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
Guitar Pro 5.2
H.264 Decoder
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IDT Audio
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
iTunes
Jasc Paint Shop Pro 8
Java(TM) 6 Update 15
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
LabelPrint
LogMeIn
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office FrontPage 2003
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Office Ultimate 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MKV Splitter
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.16)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 8
neroxml
Norton Internet Security
OGA Notifier 2.0.0048.0
Password Protect USB 3.6.1
Power2Go 5.0
QuickTime
RapidShare Manager
Real Alternative 1.8.2
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
REALTEK USB Wireless LAN Driver
RocketDock 1.3.5
Synaptics Pointing Device Driver
TransferMy DVD
TransferMy Music 3.0
TuneUp Utilities 2009
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
WinRAR archiver
WinZip 11.2
Xvid 1.2.1 final uninstall
YASA MP4 Video Converter v3.2 (build 0051)

==== Event Viewer Messages From Past Week ========

2/1/2010 9:13:25 AM, Error: Microsoft-Windows-SpoolerWin32SPL [3] - The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-217875371-810032128-178167479-1000\Printers\Connections\S-1-5-21-217875371-810032128-178167479-1000\Printers\Connections. This can occur if the key name or values are malformed or missing.
2/1/2010 4:00:25 PM, Error: netbt [4321] - The name "WORKGROUP :1d" could not be registered on the interface with IP address 10.0.0.143. The computer with the IP address 10.0.0.166 did not allow the name to be claimed by this computer.
2/1/2010 10:26:18 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2/1/2010 10:22:35 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service, but this action failed with the following error: A system shutdown has already been scheduled.
2/1/2010 10:22:35 PM, Error: Service Control Manager [7031] - The Plug and Play service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/1/2010 10:22:35 PM, Error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
2/1/2010 1:39:36 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the Plug and Play service, but this action failed with the following error: A system shutdown has already been scheduled.
1/29/2010 4:49:24 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer COLELLA-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{1F51C212-3E77-47FD-9790-A8B6D11. The master browser is stopping or an election is being forced.
1/27/2010 12:02:32 PM, Error: EventLog [6008] - The previous system shutdown at 12:00:13 PM on 1/27/2010 was unexpected.
1/27/2010 1:48:33 AM, Error: EventLog [6008] - The previous system shutdown at 1:45:30 AM on 1/27/2010 was unexpected.
1/26/2010 2:12:01 PM, Error: EventLog [6008] - The previous system shutdown at 2:09:36 PM on 1/26/2010 was unexpected.

==== End Of File ===========================


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-02 21:23:27
Windows 6.0.6002 Service Pack 2
Running: 1zirivfr.exe; Driver: C:\Users\Dude\AppData\Local\Temp\pxldapog.sys


---- System - GMER 1.0.15 ----

SSDT 87677668 ZwAlertResumeThread
SSDT 87677748 ZwAlertThread
SSDT 87691DA8 ZwAllocateVirtualMemory
SSDT 8740C0D0 ZwAlpcConnectPort
SSDT 8769C528 ZwAssignProcessToJobObject
SSDT 8769B740 ZwCreateMutant
SSDT 87F9FE18 ZwCreateSymbolicLinkObject
SSDT 87674DE8 ZwCreateThread
SSDT 8769C608 ZwDebugActiveProcess
SSDT 87966518 ZwDuplicateObject
SSDT 876C0A80 ZwFreeVirtualMemory
SSDT 876774A8 ZwImpersonateAnonymousToken
SSDT 87677588 ZwImpersonateThread
SSDT 87401648 ZwLoadDriver
SSDT 876761C8 ZwMapViewOfSection
SSDT 8769B660 ZwOpenEvent
SSDT 876A41E0 ZwOpenProcess
SSDT 878E5768 ZwOpenProcessToken
SSDT 8769B4A0 ZwOpenSection
SSDT 87362A40 ZwOpenThread
SSDT 8769C438 ZwProtectVirtualMemory
SSDT 87F1EF10 ZwResumeThread
SSDT 87D618E0 ZwSetContextThread
SSDT 876C0870 ZwSetInformationProcess
SSDT 8769C6E8 ZwSetSystemInformation
SSDT 8769B580 ZwSuspendProcess
SSDT 87F1EFD0 ZwSuspendThread
SSDT 878E5A30 ZwTerminateProcess
SSDT 87676150 ZwTerminateThread
SSDT 8767F628 ZwUnmapViewOfSection
SSDT 878E54F8 ZwWriteVirtualMemory
SSDT 87F9FF08 ZwCreateThreadEx

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 85514618

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby jmw3 » February 3rd, 2010, 1:45 am

Hi

Remove Programs
Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

Ask Toolbar

If some programs listed are not present, please do not panic

View Hidden Files & Folders Windows Vista
To view Hidden Files & Folders do the following:
Click Start
Open Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option
Click Yes to confirm
Click OK

Upload Files for Scanning
Go to VirusTotal & upload the following File/s for scanning.
  • Copy & paste the following File & Path in the text box next to the Browse button
    Code: Select all
    C:\confin.sys
  • Click Send File
  • If confronted with two options, choose Reanalyse file now
  • Wait for scans to finish then copy & paste the results into your next reply.
TDSSKiller
Download TDSSKiller.zip by Kaspersky Lab from Here & save it to your desktop.
  • Extract (unzip) its contents to your Desktop
  • Double-click the TDSSKiller Folder on your desktop
  • Right-click on TDSSKiller.exe then click Copy then Paste it directly to your Desktop <<--- Important!
  • Highlight then copy all the text (including the quote marks) in the box below
Code: Select all
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"

  • Click Start >> Run. Paste the (above) copied text, into the opened text box then click OK
TDSSKiller will prompt to reboot the PC, to complete the disinfection procedure, if malicious files or services were found
Please reboot if prompted.
After reboot, TDSSKiller will delete malicious registry keys and files, as well as remove itself from the services list.
When finished a log file should be created on your desktop named tdsskiller.txt. Copy the contents of the log & post in your next reply.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Right-click on ComboFix.exe then choose Run as Administrator & follow the prompts
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
VirusTotal results log
TDSSKiller log
ComboFix log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » February 3rd, 2010, 8:32 pm

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.04 -
AhnLab-V3 5.0.0.2 2010.02.03 -
AntiVir 7.9.1.158 2010.02.03 -
Antiy-AVL 2.0.3.7 2010.02.03 -
Authentium 5.2.0.5 2010.02.03 -
Avast 4.8.1351.0 2010.02.02 -
AVG 9.0.0.730 2010.02.03 -
BitDefender 7.2 2010.02.03 -
CAT-QuickHeal 10.00 2010.02.03 -
ClamAV 0.96.0.0-git 2010.02.03 -
Comodo 3810 2010.02.03 -
DrWeb 5.0.1.12222 2010.02.04 -
eSafe 7.0.17.0 2010.02.03 -
eTrust-Vet 35.2.7278 2010.02.03 -
F-Prot 4.5.1.85 2010.02.03 -
F-Secure 9.0.15370.0 2010.02.03 -
Fortinet 4.0.14.0 2010.02.04 -
GData 19 2010.02.03 -
Ikarus T3.1.1.80.0 2010.02.03 -
Jiangmin 13.0.900 2010.02.03 -
K7AntiVirus 7.10.966 2010.02.03 -
Kaspersky 7.0.0.125 2010.02.04 -
McAfee 5881 2010.02.03 -
McAfee+Artemis 5881 2010.02.03 -
McAfee-GW-Edition 6.8.5 2010.02.03 -
Microsoft 1.5406 2010.02.03 -
NOD32 4833 2010.02.03 -
Norman 6.04.03 2010.02.03 -
nProtect 2009.1.8.0 2010.02.03 -
Panda 10.0.2.2 2010.02.03 -
PCTools 7.0.3.5 2010.02.04 -
Rising 22.33.02.04 2010.02.03 -
Sophos 4.50.0 2010.02.03 -
Sunbelt 3.2.1858.2 2010.02.03 -
TheHacker 6.5.1.0.179 2010.02.03 -
TrendMicro 9.120.0.1004 2010.02.03 -
VBA32 3.12.12.1 2010.02.03 -
ViRobot 2010.2.3.2170 2010.02.03 -
VirusBuster 5.0.21.0 2010.02.03 -
Additional information
File size: 10 bytes
MD5...: 1fab9f131b483bbf0ec5026cb8de9f58
SHA1..: 209da21c94cd0e9fc51d99b6a80554216fd2b809
SHA256: 59753234d797b36d96febbd89d1cfdcd4a551fef5c42b6538a6e824fad33f290
ssdeep: 3:wUTcS:wKH

PEiD..: -
PEInfo: -
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

trid..: Unknown!


18:55:50:860 4008 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
18:55:50:860 4008 ================================================================================
18:55:50:860 4008 SystemInfo:

18:55:50:860 4008 OS Version: 6.0.6002 ServicePack: 2.0
18:55:50:860 4008 Product type: Workstation
18:55:50:860 4008 ComputerName: D-PC
18:55:50:860 4008 UserName: Dude
18:55:50:860 4008 Windows directory: C:\Windows
18:55:50:860 4008 Processor architecture: Intel x86
18:55:50:860 4008 Number of processors: 2
18:55:50:860 4008 Page size: 0x1000
18:55:50:860 4008 Boot type: Normal boot
18:55:50:860 4008 ================================================================================
18:55:50:860 4008 UnloadDriverW: NtUnloadDriver error 2
18:55:50:860 4008 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:55:50:876 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
18:55:51:000 4008 UtilityInit: KLMD drop and load success
18:55:51:000 4008 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
18:55:51:000 4008 UtilityInit: KLMD open success
18:55:51:000 4008 UtilityInit: Initialize success
18:55:51:000 4008
18:55:51:000 4008 Scanning Services ...
18:55:51:000 4008 CreateRegParser: Registry parser init started
18:55:51:000 4008 CreateRegParser: DisableWow64Redirection error
18:55:51:000 4008 wfopen_ex: Trying to open file C:\Windows\system32\config\system
18:55:51:000 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
18:55:51:000 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:55:51:000 4008 wfopen_ex: Trying to KLMD file open
18:55:51:000 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
18:55:51:000 4008 wfopen_ex: File opened ok (Flags 2)
18:55:51:000 4008 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 3F1490
18:55:51:000 4008 wfopen_ex: Trying to open file C:\Windows\system32\config\software
18:55:51:000 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
18:55:51:000 4008 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:55:51:000 4008 wfopen_ex: Trying to KLMD file open
18:55:51:000 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
18:55:51:000 4008 wfopen_ex: File opened ok (Flags 2)
18:55:51:000 4008 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 3F1318
18:55:51:000 4008 CreateRegParser: EnableWow64Redirection error
18:55:51:000 4008 CreateRegParser: RegParser init completed
18:55:52:014 4008 GetAdvancedServicesInfo: Raw services enum returned 461 services
18:55:52:014 4008 fclose_ex: Trying to close file C:\Windows\system32\config\system
18:55:52:014 4008 fclose_ex: Trying to close file C:\Windows\system32\config\software
18:55:52:014 4008
18:55:52:014 4008 Scanning Kernel memory ...
18:55:52:014 4008 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:55:52:014 4008 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 866DAAE0
18:55:52:014 4008 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
18:55:52:014 4008
18:55:52:014 4008 DetectCureTDL3: DEVICE_OBJECT: 8545D030
18:55:52:014 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8545D030
18:55:52:014 4008 DetectCureTDL3: DEVICE_OBJECT: 861CF638
18:55:52:014 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 861CF638
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0x861CF638[0x38]
18:55:52:014 4008 DetectCureTDL3: DRIVER_OBJECT: 84FF9A18
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0x84FF9A18[0xA8]
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0xAB812488[0x1E]
18:55:52:014 4008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
18:55:52:014 4008 DetectCureTDL3: IrpHandler (0) addr: B05D7FC8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (1) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (2) addr: B05D8040
18:55:52:014 4008 DetectCureTDL3: IrpHandler (3) addr: B05D80B8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (4) addr: B05D80B8
18:55:52:014 4008 DetectCureTDL3: IrpHandler (5) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (6) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (7) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (8) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (9) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (10) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (11) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (12) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (13) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (14) addr: B05D7BC4
18:55:52:014 4008 DetectCureTDL3: IrpHandler (15) addr: B05CB7E4
18:55:52:014 4008 DetectCureTDL3: IrpHandler (16) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (17) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (18) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (19) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (20) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (21) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (22) addr: B05D659C
18:55:52:014 4008 DetectCureTDL3: IrpHandler (23) addr: B05D37A2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (24) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (25) addr: 81E449D2
18:55:52:014 4008 DetectCureTDL3: IrpHandler (26) addr: 81E449D2
18:55:52:014 4008 KLMD_ReadMem: Trying to ReadMemory 0xB05CDF26[0x400]
18:55:52:014 4008 TDL3_StartIoHookDetect: CheckParameters: 4, B05D2000, 0
18:55:52:014 4008 TDL3_FileDetect: Processing driver: USBSTOR
18:55:52:014 4008 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:55:52:014 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:55:52:030 4008 TDL3_FileDetect: C:\Windows\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
18:55:52:030 4008
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 867DDAC8
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 867DDAC8
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 85502900
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85502900
18:55:52:030 4008 DetectCureTDL3: DEVICE_OBJECT: 85535028
18:55:52:030 4008 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85535028
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85535028[0x38]
18:55:52:030 4008 DetectCureTDL3: DRIVER_OBJECT: 86F16698
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x86F16698[0xA8]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85500030[0x38]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x854FFA68[0xA8]
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x854D04C8[0x1C]
18:55:52:030 4008 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
18:55:52:030 4008 DetectCureTDL3: IrpHandler (0) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (1) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (2) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (3) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (4) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (5) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (6) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (7) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (8) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (9) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (10) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (11) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (12) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (13) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (14) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (15) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (16) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (17) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (18) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (19) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (20) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (21) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (22) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (23) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (24) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (25) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: IrpHandler (26) addr: 85514618
18:55:52:030 4008 DetectCureTDL3: All IRP handlers pointed to one addr: 85514618
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x85514618[0x400]
18:55:52:030 4008 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
18:55:52:030 4008 Driver "iaStor" Irp handler infected by TDSS rootkit ... 18:55:52:030 4008 KLMD_WriteMem: Trying to WriteMemory 0x8551467D[0xD]
18:55:52:030 4008 cured
18:55:52:030 4008 KLMD_ReadMem: Trying to ReadMemory 0x855144BF[0x400]
18:55:52:030 4008 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
18:55:52:030 4008 Driver "iaStor" StartIo handler infected by TDSS rootkit ... 18:55:52:030 4008 TDL3_StartIoHookCure: Number of patches 1
18:55:52:030 4008 KLMD_WriteMem: Trying to WriteMemory 0x855145B6[0x6]
18:55:52:030 4008 cured
18:55:52:030 4008 TDL3_FileDetect: Processing driver: iaStor
18:55:52:030 4008 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:030 4008 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:046 4008 TDL3_FileDetect: C:\Windows\system32\DRIVERS\iaStor.sys - Verdict: Infected
18:55:52:046 4008 File C:\Windows\system32\DRIVERS\iaStor.sys infected by TDSS rootkit ... 18:55:52:046 4008 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
18:55:52:139 4008 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\iaahci.inf_7baf6192\iaStor.sys:308248, checking..
18:55:52:233 4008 ValidateDriverFile: Stage 1 passed
18:55:52:233 4008 ValidateDriverFile: Stage 2 passed
18:55:52:420 4008 DigitalSignVerifyByHandle: Embedded DS result: 00000000
18:55:52:420 4008 ValidateDriverFile: Stage 3 passed
18:55:52:420 4008 FileCallback: File validated successfully, restore information prepared
18:55:52:716 4008 FindDriverFileBackup: Backup copy found in DriverStore
18:55:52:716 4008 TDL3_FileCure: Backup copy found, using it..
18:55:52:716 4008 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskAC63.tmp
18:55:52:732 4008 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskAC63.tmp, system32\drivers\iaStor.sys)
18:55:52:763 4008 TDL3_FileCure: KLMD jobs schedule success
18:55:52:763 4008 will be cured on next reboot
18:55:52:763 4008 UtilityBootReinit: Reboot required for cure complete..
18:55:52:763 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
18:55:52:794 4008 UtilityBootReinit: KLMD drop success
18:55:52:794 4008 KLMD_ApplyPendList: Pending buffer(6621_708D, 616) dropped successfully
18:55:52:794 4008 UtilityBootReinit: Cure on reboot scheduled successfully
18:55:52:794 4008
18:55:52:794 4008 Completed
18:55:52:794 4008
18:55:52:794 4008 Results:
18:55:52:794 4008 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
18:55:52:794 4008 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:55:52:794 4008 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:55:52:794 4008
18:55:52:794 4008 UnloadDriverW: NtUnloadDriver error 1
18:55:52:794 4008 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:55:52:810 4008 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
18:55:52:810 4008 UtilityDeinit: KLMD(ARK) unloaded successfully


ComboFix 10-02-03.04 - Dude 02/03/2010 19:06:13.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1895 [GMT -5:00]
Running from: c:\users\Dude\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-217875371-810032128-178167479-500
C:\confin.sys
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\users\Dude\AppData\Roaming\SystemProc
c:\windows\system32\stacsv.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-03 18:29 . 2009-08-29 09:00 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVENG.SYS
2010-02-03 18:29 . 2009-08-29 09:00 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVENG32.DLL
2010-02-03 18:29 . 2009-08-29 09:00 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVEX32A.DLL
2010-02-03 18:29 . 2009-08-29 09:00 1323568 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\NAVEX15.SYS
2010-02-03 18:29 . 2009-08-29 09:00 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\ERASER.SYS
2010-02-03 18:29 . 2009-12-09 22:50 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\CCERASER.DLL
2010-02-03 18:29 . 2009-09-23 01:25 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\ECMSVR32.DLL
2010-02-03 18:29 . 2009-08-29 09:00 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.004\EECTRL.SYS
2010-02-02 20:33 . 2009-12-05 04:54 529456 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys
2010-02-02 20:33 . 2009-12-05 04:54 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHRules.dll
2010-02-02 20:33 . 2009-12-05 04:54 1405840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHEngine.dll
2010-02-02 20:33 . 2009-12-05 04:54 668720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx64.sys
2010-02-02 20:33 . 2009-12-05 04:54 610704 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\bbRGen.dll
2010-01-29 22:34 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys
2010-01-29 22:34 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSXpx86.sys
2010-01-29 22:34 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\Scxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSviA64.sys
2010-01-27 22:06 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSvix86.sys
2010-01-27 22:06 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSXpx86.sys
2010-01-27 22:06 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\Scxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSviA64.sys
2010-01-16 07:06 . 2010-01-16 07:06 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-10 00:09 . 2010-01-10 00:09 -------- d-----w- C:\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:58 . 2008-02-28 19:59 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-01 14:02 . 2008-02-28 20:10 -------- d-----w- c:\program files\Google
2010-02-01 13:59 . 2009-09-22 00:13 -------- d-----w- c:\program files\LogMeIn
2009-12-30 18:00 . 2009-01-03 20:28 -------- d-----w- c:\program files\FlashFXP
2009-12-14 18:49 . 2009-12-17 02:30 471040 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-14 18:49 . 2009-12-17 02:30 43008 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-14 18:49 . 2009-12-17 02:30 347136 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 18:49 . 2009-12-17 02:30 340992 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-14 18:49 . 2009-12-17 02:30 1452032 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-10 03:16 . 2009-09-11 13:05 784752 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2009-09-21 21:45 . 2008-08-14 05:51 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-08-25 03:10 . 2008-10-17 05:25 174592 --sha-w- c:\windows\System32\ncfpsys.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-09-21 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-22 122368]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\users\Dude\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 23:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 22:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 16:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 16:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Password Protect USB 3.6.1]
2005-08-25 03:10 174592 --sha-w- c:\windows\System32\ncfpsys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,71,c7,93,06,32,ca,01

R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1105000.07F\symds.sys [1/11/2010 4:56 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1105000.07F\symefa.sys [1/11/2010 4:56 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys [2/2/2010 3:33 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1105000.07F\cchpx86.sys [1/11/2010 4:56 PM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys [1/29/2010 5:34 PM 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1105000.07F\ironx86.sys [1/11/2010 4:56 PM 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1105000.07F\symtdiv.sys [1/11/2010 4:56 PM 340016]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [1/20/2008 9:23 PM 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [9/21/2009 7:14 PM 47640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/11/2010 4:56 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/21/2009 10:58 AM 102448]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [6/10/2009 4:52 AM 347648]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 9:03 AM 135664]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/28/2008 3:10 PM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000Core.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000UA.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]

2010-02-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dude.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Dude\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 19:17
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-02-03 19:21:54
ComboFix-quarantined-files.txt 2010-02-04 00:21

Pre-Run: 21,680,717,824 bytes free
Post-Run: 21,945,155,584 bytes free

- - End Of File - - F5910A99528074BEA21497FC1192C1F8


Computer is running better as far as shutting itself down less and the google page redirect seems to have been fixed.
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby jmw3 » February 3rd, 2010, 10:18 pm

Hi

Good to hear the PC is behaving better. Just a little more to do.

CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code: Select all
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe
If prompted by ComboFix to update, please do so
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Update Java Runtime
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, & also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 18.
  • Download the latest version of Java Runtime Environment (JRE) 6 Here
  • Scroll down to where it says "JDK 6 Update 18 (JDK or JRE)"
  • Click the orange Download JRE button to the right
  • Select the Windows platform from the dropdown menu
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh
  • Click on the link to download Windows Offline Installation & save the file to your desktop
  • Close any programs you may have running - especially your web browser
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs & remove all older versions of Java
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions
  • Reboot your computer once all Java components are removed
  • Then from your desktop double-click on jre-6u18-windows-i586-p.exe to install the newest version
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel
Kaspersky Online Scan
Right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it
Go to Kaspersky website and perform an online antivirus scan
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply
Pictured tutorial if required.

To post in next reply:
ComboFix log
Kaspersky Online Scan log
A new HijackThis log
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » February 5th, 2010, 11:24 pm

That Kaspersky Online Scan has seemed to really screw things up. I first tried it with IE overnight and after 8 hours it was frozen on the scan screen and I had to manually reboot my pc. Then I tried it in Firefox and didn't get anywhere. And now my computer keeps freezing up and the only way to reboot is holding down the power button.
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby Seeker78 » February 5th, 2010, 11:28 pm

anyway here is the combofix log and a new hijackthis log:

ComboFix 10-02-03.04 - Dude 02/03/2010 21:36:31.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1652 [GMT -5:00]
Running from: c:\users\Dude\Desktop\ComboFix.exe
Command switches used :: c:\users\Dude\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-01-04 to 2010-02-04 )))))))))))))))))))))))))))))))
.

2010-02-04 02:44 . 2010-02-04 02:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-02-04 02:44 . 2010-02-04 02:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-04 00:45 . 2010-02-04 00:45 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\NAVENG.SYS
2010-02-04 00:45 . 2010-02-04 00:45 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\NAVEX15.SYS
2010-02-04 00:45 . 2009-08-29 09:00 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\NAVENG32.DLL
2010-02-04 00:45 . 2009-08-29 09:00 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\NAVEX32A.DLL
2010-02-04 00:45 . 2009-12-09 22:50 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\CCERASER.DLL
2010-02-04 00:45 . 2009-09-23 01:25 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\ECMSVR32.DLL
2010-02-04 00:45 . 2009-08-29 09:00 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\EECTRL.SYS
2010-02-04 00:45 . 2009-08-29 09:00 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100203.022\ERASER.SYS
2010-02-02 20:33 . 2009-12-05 04:54 529456 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys
2010-02-02 20:33 . 2009-12-05 04:54 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHRules.dll
2010-02-02 20:33 . 2009-12-05 04:54 1405840 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHEngine.dll
2010-02-02 20:33 . 2009-12-05 04:54 668720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx64.sys
2010-02-02 20:33 . 2009-12-05 04:54 610704 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\bbRGen.dll
2010-01-29 22:34 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys
2010-01-29 22:34 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSXpx86.sys
2010-01-29 22:34 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\Scxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSxpx86.dll
2010-01-29 22:34 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSviA64.sys
2010-01-27 22:06 . 2009-10-28 22:37 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSvix86.sys
2010-01-27 22:06 . 2009-10-28 22:37 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSXpx86.sys
2010-01-27 22:06 . 2009-10-28 22:37 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\Scxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSxpx86.dll
2010-01-27 22:06 . 2009-10-28 22:37 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100125.001\IDSviA64.sys
2010-01-16 07:06 . 2010-01-16 07:06 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-01-10 00:09 . 2010-01-10 00:09 -------- d-----w- C:\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 23:58 . 2008-02-28 19:59 308248 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-02-01 14:02 . 2008-02-28 20:10 -------- d-----w- c:\program files\Google
2010-02-01 13:59 . 2009-09-22 00:13 -------- d-----w- c:\program files\LogMeIn
2009-12-30 18:00 . 2009-01-03 20:28 -------- d-----w- c:\program files\FlashFXP
2009-12-14 18:49 . 2009-12-17 02:30 471040 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
2009-12-14 18:49 . 2009-12-17 02:30 43008 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-14 18:49 . 2009-12-17 02:30 347136 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-14 18:49 . 2009-12-17 02:30 340992 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-14 18:49 . 2009-12-17 02:30 1452032 ----a-w- c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-10 03:16 . 2009-09-11 13:05 784752 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2009-09-21 21:45 . 2008-08-14 05:51 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-08-25 03:10 . 2008-10-17 05:25 174592 --sha-w- c:\windows\System32\ncfpsys.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Google Update"="c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-14 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-22 39408]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-09-21 30192]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-08-22 122368]
"SigmatelSysTrayApp"="sttray.exe" [2007-07-27 405504]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-19 40072]

c:\users\Dude\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux5"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 09:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-10-01 16:57 111936 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 23:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-10-01 22:57 289576 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
2008-08-11 16:41 63048 ----a-w- c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 16:31 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Password Protect USB 3.6.1]
2005-08-25 03:10 174592 --sha-w- c:\windows\System32\ncfpsys.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-09-06 19:09 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):cf,71,c7,93,06,32,ca,01

R0 SymDS;Symantec Data Store;c:\windows\System32\drivers\NIS\1105000.07F\symds.sys [1/11/2010 4:56 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1105000.07F\symefa.sys [1/11/2010 4:56 PM 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100130.002\BHDrvx86.sys [2/2/2010 3:33 PM 529456]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1105000.07F\cchpx86.sys [1/11/2010 4:56 PM 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100128.002\IDSvix86.sys [1/29/2010 5:34 PM 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\System32\drivers\NIS\1105000.07F\ironx86.sys [1/11/2010 4:56 PM 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\drivers\NIS\1105000.07F\symtdiv.sys [1/11/2010 4:56 PM 340016]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [1/20/2008 9:23 PM 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [9/21/2009 7:14 PM 47640]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.5.0.127\ccsvchst.exe [1/11/2010 4:56 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/21/2009 10:58 AM 102448]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [6/10/2009 4:52 AM 347648]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/1/2010 9:03 AM 135664]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/28/2008 3:10 PM 30192]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 5:25 AM 2589184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService REG_MULTI_SZ HsfXAudioService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 14:02]

2010-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000Core.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]

2010-02-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-217875371-810032128-178167479-1000UA.job
- c:\users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-14 18:17]

2010-02-02 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Dude.job
- c:\program files\Norton Internet Security\Engine\17.5.0.127\navw32.exe [2010-01-11 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\DictionaryCompressionFF.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\Dude\AppData\Roaming\Mozilla\Firefox\Profiles\pnjjkfo2.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 21:45
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.5.0.127\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-02-03 21:49:59
ComboFix-quarantined-files.txt 2010-02-04 02:49
ComboFix2.txt 2010-02-04 00:21

Pre-Run: 35,810,754,560 bytes free
Post-Run: 35,781,713,920 bytes free

- - End Of File - - 802C447A76665723E3A4C47FD6905739


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:59 PM, on 2/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell Video Chat\DellVideoChat.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dude\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [SightSpeed] "C:\Program Files\Dell Video Chat\DellVideoChat.exe" -bootmode
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab
O16 - DPF: Web-Based Email Tools - http://email.secureserver.net/Download.CAB
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... ader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\GOOGLE\GOOGLE~1\GOOGLEDESKTOPNETWORK3.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8628 bytes
Seeker78
Active Member
 
Posts: 7
Joined: January 27th, 2010, 1:44 pm

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby jmw3 » February 6th, 2010, 8:06 am

Hi

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis & reboot.

Uninstall the Kaspersky Online Scan. You should be able to do that via Control Panel>Programs and Features. Then try this one:
ESET Online Scanner
Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
To post in next reply:
ESET Online Scan log
New HijackThis log
Update on how the computer is running
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Google Hijack and "Windows must now restart because DCOM..."

Unread postby jmw3 » February 9th, 2010, 6:52 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
jmw3
MRU Emeritus
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 351 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware