
Active DCOM service stop,Google redirecting,Windows blocking Host Process

Discussion in 'Malware and Virus Removal Archive' started by raingirlIT, 2010/01/23.

  1. 2010/01/23
    raingirlIT

    raingirlIT Inactive Thread Starter

    Joined:
    2006/05/05
    Messages:
    133
    Likes Received:
    0
    [Active] DCOM service stop,Google redirecting,Windows blocking Host Process

    Hello, trying to fix my mother's computer. Got a call from her a few days ago indicating she saw some "funny screen" about a Trojan and now her computer keeps shutting down on its own.

    So far I have installed a new version of the latest McAfee (I get a free full retail version from work - her old one had expired) but it found nothing, did all the Windows updates she was behind on, installed IE 8, ran AdAware (found nothing), and my husband installed/ran Malwarebytes and it found that 2 registry keys were disabled. Here are the logs:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3621
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/23/2010 9:31:50 PM
    mbam-log-2010-01-23 (21-31-47).txt

    Scan type: Quick Scan
    Objects scanned: 155981
    Time elapsed: 22 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Symptoms are the following:

    1) Seems when we run IE we get a popup box shortly after it starts that tells us that the DCOM service has shut down and Windows will shut down in 60 seconds. No way to stop it unless we open the clock and push the time back a few hours so that the countdown is longer. Restarting the service doesn't stop it from counting down and Windows will eventually reboot when it hits zero.

    2) At startup Windows is blocking a "Generic Host Process" as it suspects malicious software. This popup was new after we did a few windows updates. We tried the Microsoft Malicious Software Removal tool - didn't find or remove anything.

    3) If we do Google searches in IE or Firefox, and we click on any of the results, it redirects to a page that is NOT the one we want. It redirects to pages that appear to be fake search engines.

    Here is the DDS Log:


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by XXXX at 21:13:47.87 on Sat 01/23/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.203 [GMT -5:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Logitech\Profiler\lwemon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gail Cotter\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.mdg.ca/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    uRun: [Start WingMan Profiler] "c:\program files\logitech\profiler\lwemon.exe" /noui
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe "
    mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe "
    mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe "
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Open in new background tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/229?209ec59309ae4a42aa6787a74b5d4d2b
    IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-us\msntabres.dll.mui/230?209ec59309ae4a42aa6787a74b5d4d2b
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: AtiExtEvent - Ati2evxx.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\gailco~1\applic~1\mozilla\firefox\profiles\w0asgy90.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\picasa2\npPicasa3.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-23 64288]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-18 54752]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-1-23 203280]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-1-23 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-1-23 144704]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-23 38224]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-1-23 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-1-23 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-1-23 35272]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-1-23 40552]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-1-23 34248]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

    =============== Created Last 30 ================

    2010-01-24 02:06:19 0 d-----w- c:\docume~1\gailco~1\applic~1\Malwarebytes
    2010-01-24 02:06:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-24 02:06:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-01-24 02:06:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-24 02:06:06 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-23 21:54:21 0 d-sh--w- c:\documents and settings\gail cotter\IECompatCache
    2010-01-23 21:37:36 6335 ----a-w- c:\windows\system32\Config.MPF
    2010-01-23 21:34:00 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
    2010-01-23 21:33:59 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-01-23 21:33:59 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-01-23 21:33:52 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-01-23 21:33:05 0 d-----w- c:\program files\common files\McAfee
    2010-01-23 21:33:02 0 d-----w- c:\program files\McAfee.com
    2010-01-23 21:32:51 0 d-----w- c:\program files\McAfee
    2010-01-23 21:31:28 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
    2010-01-23 18:59:42 726528 ----a-w- c:\windows\system32\SET1A.tmp
    2010-01-23 18:49:44 0 dc-h--w- c:\windows\ie8
    2010-01-23 18:14:43 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-01-23 18:10:55 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
    2010-01-23 12:30:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-01-21 17:50:08 0 d-----w- c:\windows\system32\wbem\Repository
    2010-01-13 17:30:55 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    ==================== Find3M ====================

    2010-01-21 17:49:02 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2006-12-30 19:10:07 36808256 ----a-w- c:\program files\iTunesSetup(2).exe
    2006-12-30 16:18:57 13714856 ----a-w- c:\program files\zlsSetup_65_737_000_en(2).exe
    2006-12-02 03:34:39 13714856 ----a-w- c:\program files\zlsSetup_65_737_000_en.exe
    2006-11-27 02:29:13 16332072 ----a-w- c:\program files\Install_Messenger_nous.exe
    2006-09-14 00:11:53 36636224 ----a-w- c:\program files\iTunesSetup.exe
    2006-06-30 22:25:13 6323752 -c--a-w- c:\program files\Thunderbird Setup 1.5.0.4.exe
    2006-06-30 22:24:28 5118288 ----a-w- c:\program files\Firefox Setup 1.5.0.4.exe
    2006-06-30 20:58:00 2855080 ----a-w- c:\program files\aawsepersonal.exe
    2006-06-30 20:53:33 13707688 ----a-w- c:\program files\zlsSetup_65_722_000_en.exe
    2006-06-30 20:52:57 17344752 ----a-w- c:\program files\avg71free_394a763.exe
    2005-04-01 03:17:42 40960 ----a-w- c:\program files\Uninstall_CDS.exe
    2008-09-22 23:20:14 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092220080923\index.dat

    ============= FINISH: 21:17:30.51 ===============
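    As an added example (not from this thread, Malwarebytes or any tool mentioned here), a small Python parser for the Malwarebytes log format quoted above: it pulls out the per-category counts and the registry findings, and flags the two Security Center "DisableNotify" entries that were reported with a bad value of 1 but left at "No action taken", which is the practical point of the log for a helper reading it. The sample log is a constructed excerpt of the lines posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the Malwarebytes log posted in this thread,
# trimmed to the lines the parser needs.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.44
Database version: 3621

Scan type: Quick Scan
Objects scanned: 155981

Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Summary lines look like "Registry Data Items Infected: 2".
COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Detail lines look like "<path> (<detection>) -> Bad: (x) Good: (y) -> <action>."
ITEM_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> (?P<action>.+?)\.?$"
)

@dataclass
class Finding:
    path: str
    detection: str
    bad: str
    good: str
    action: str

def parse_mbam_log(text):
    """Return (category counts, list of Finding) from a Malwarebytes log."""
    counts, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = ITEM_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
    return counts, findings

def unremediated(findings):
    """Findings the scanner reported but did not fix ("No action taken")."""
    return [f for f in findings if f.action.lower().startswith("no action")]

def security_center_tampering(findings):
    """Security Center *DisableNotify values set to 1: AV/firewall warnings silenced."""
    return [f for f in findings
            if "\\Security Center\\" in f.path
            and f.path.endswith("DisableNotify") and f.bad == "1"]
```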
     
  2. 2010/01/23
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    You need to post the Attach.txt log too please.

    ==

    • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    • Select it and click Remove.
    • Then Download and install the newest version from here:
    • http://www.java.com/en/download/manual.jsp

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     


  4. 2010/01/24
    raingirlIT

    raingirlIT Inactive Thread Starter

    Joined:
    2006/05/05
    Messages:
    133
    Likes Received:
    0
    Oh, I thought the posting instructions said not to post the attach.txt.

    My mother lives an hour away, so I won't be able to go back until next weekend unless I can get remote assistance to work and I remote into her computer. We will see. I will post results when I have a chance.
     
  5. 2010/01/24
    crunchie

    crunchie Inactive

    Joined:
    2010/01/12
    Messages:
    982
    Likes Received:
    5
    I'll be here :)
     
