# Windows must now restart because DCOM Server Process Launcher Service has terminated



## racinggirl (Jan 22, 2010)

I have been having issues with my computer for several weeks now. It started with unwanted redirects on search engines. I have run several types of virus scans - AVG, Microsoft Live... did not help. I have a Toshiba Satellite A305D with Windows Vista. Now I am getting several shut down messages: HOST PROCESS FOR WINDOWS SERVICE STOPPED WORKING & MUST CLOSE, WINDOWS MUST NOW RESTART BECAUSE DCOM SERVER PROCESS LAUNCHER SERVICE HAS TERMINATED UNEXPECTEDLY & WINDOWS MUST NOW RESTART BECAUSE THE PLUG AND PLAY SERVICE TERMINATED UNEXPECTEDLY. It is getting very frustrating and I do not know what to do. I did an online chat with Microsoft that did not help anything... they just reloaded a new driver. I have run HijackThis and the log is below. Please advise, as I use my computer for work and I don't know where to turn for help or who to trust if Microsoft did not take care of it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:47 PM, on 1/23/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Toshiba\TRCMan\TRCMan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Hp\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmlsweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TRCMan] C:\Program Files\TOSHIBA\TRCMan\TRCMan.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PCMAgent] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://oas.support.microsoft.com/ActiveX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {10DE6CF7-3E36-445B-985D-07603082B36B} (FormLoader.Loader) - https://forms.orefonline.com/OLF/Runtime/FormLoader_RMLS.CAB
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.rmlsweb.com/XMLSearch/XMLCache.CAB
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} (HPDDClientExec Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} (RIM AxLoader) - http://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rebac.webex.com/client/T26L/nbr/ieatgpc1.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.listingpromotertor.com/LPPublisher/ui/XUpload.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Jumpstart\jswpsapi.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
--
End of file - 11677 bytes

Thank you so very much.


----------
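The helper's first fix below works from exactly the kinds of entries that stand out in this log: a BHO registered with `(no file)`, services whose binaries are `(file missing)`, an `AppInit_DLLs` loader and a non-default start page on a machine with search redirects. As an added illustration (not code from this thread or from HijackThis), the Python script below parses a few lines copied from the log above and flags the entry types a reviewer looks at first. The rule set, the `parse_hjt` and `triage` names and the "Microsoft default" prefix list are the example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the HijackThis v2 log posted
# above (not the complete log), so the script runs offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rmlsweb.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O23, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")

# Start/search pages that Internet Explorer ships with (assumption for this
# example); anything else is not necessarily bad, but with a redirect
# complaint it is worth confirming the user chose it.
MICROSOFT_DEFAULT_PREFIXES = ("http://go.microsoft.com/",)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into (tag, body) entries; non-entry lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"tag": m.group("tag"), "body": m.group("body"), "line": raw.strip()})
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Return the entries a reviewer would examine first, each with the reason."""
    findings = []
    for e in parse_hjt(text):
        tag, body = e["tag"], e["body"]
        reason = None
        if tag in ("R0", "R1"):
            # Body is "Key,Value = URL"; an empty URL (LinksFolderName) is ignored.
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            if url and not url.startswith(MICROSOFT_DEFAULT_PREFIXES):
                reason = "browser start/search page is not an IE default; confirm the user set it"
        elif tag == "O2" and body.endswith("(no file)"):
            reason = "BHO is registered but its DLL is gone; orphaned entry, candidate for cleanup"
        elif tag == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs is loaded into every process that loads user32.dll; verify the DLL's publisher"
        elif tag == "O23" and body.endswith("(file missing)"):
            reason = "service points at a missing binary; leftover registration, candidate for cleanup"
        if reason:
            findings.append({"tag": tag, "reason": reason, "line": e["line"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f['tag']}] {f['reason']}\n    {f['line']}")
```

Run against the sample it reports four entries: the rmlsweb start page, the nameless BHO, the AVG `AppInit_DLLs` entry and the missing McAfee service. Compare that with the helper's first OTL fix, which removes the same BHO and the two McAfee service registrations.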



## JSntgRvr (Jul 1, 2003)

Hello, *racinggirl* 

Let's take a deeper look.

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings:
Change *Drivers* to *All*
Change *Registry* to *All*
Under *File Scans*, change *File age* to *30*

Under the Custom Scan box, paste this in:

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please post the contents of these files in your next reply.

*GMER Rootkit Scanner* - Download - Homepage
_Why?_ Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits:
Extract the contents of the zipped file to desktop.
Double click GMER.exe.
If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on *NO*, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are *UNCHECKED*:
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done click on the *[Save..]* button, and in the File name area, type in *"ark.txt"*
Save the log where you can easily find it, such as your desktop.
_**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries_
Please copy and paste the report into your Post.


----------



## racinggirl (Jan 22, 2010)

Ok...I ran all the scans from OTL and gmer. I have attached them as they are long and will not fit into here as a message. Hopefully I did this correctly. Below are the results. Please let me know what I should do from here. Thanks so very much.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *racinggirl* 


 Please double-click *OTL.exe* to run it. (*Note:* If you are running on Vista, right-click on the file and choose *Run As Administrator*).
*Copy the lines in the quote below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):


```
:OTL
SRV - File not found [On_Demand | Stopped] --  -- (McSysmon)
SRV - File not found [Unknown | Stopped] --  -- (McShield)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

:files
C:\Windows\system32\drivers\atapi.sys | C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys /replace
```

Return to OTL, right click in the *"Custom Scans/Fixes"* window and choose *Paste*.
Click the red *Run Fix* button.
The computer will restart.
A report will be produced and saved in the *C:\_OTL\MovedFiles* folder. Open that report and post its contents in a reply.
You ran ComboFix. Please also post the latest ComboFix report. It should be available in your C:\ folder.


----------
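The `:files` line in the fix above swaps the installed `atapi.sys` for the copy Windows staged under `DriverStore\FileRepository\mshdc.inf_b12d8e84`, which only makes sense if the two have diverged. As an added example (not code from the thread, from OTL or from Microsoft), the Python below performs that comparison as a defender's check: it hashes the installed driver and every same-named copy under the DriverStore and reports whether any staged copy matches. A mismatch is not proof of infection, since a hotfix can update `drivers\` without re-staging, and a running kernel rootkit can hide its changes from the system it lives on, which is why the helper later moves to the Recovery Environment; run this from a clean boot or against an offline disk. The function names, the `demo()` temp-directory layout and the file contents are constructed for the example; the directory name is the one quoted in the fix.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large driver packages never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_driver_against_store(driver: Path, store_root: Path) -> Dict[str, object]:
    """Compare the installed driver with every same-named copy under the DriverStore."""
    installed = sha256_file(driver)
    copies = sorted(store_root.rglob(driver.name))
    matching = [p for p in copies if sha256_file(p) == installed]
    if not copies:
        verdict = "no staged copy found; cannot compare"
    elif matching:
        verdict = "installed driver matches a staged copy"
    else:
        verdict = "installed driver differs from every staged copy; investigate"
    return {
        "driver": str(driver),
        "installed_sha256": installed,
        "store_copies": [str(p) for p in copies],
        "matching_copies": len(matching),
        "verdict": verdict,
    }


def demo(patched: bool = True) -> Dict[str, object]:
    """Constructed demo: a fake atapi.sys beside a fake DriverStore copy in a temp dir.

    The directory name mshdc.inf_b12d8e84 is the one from the OTL fix above;
    the byte contents are made up for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drv = root / "System32" / "drivers" / "atapi.sys"
        store = root / "System32" / "DriverStore" / "FileRepository"
        staged = store / "mshdc.inf_b12d8e84" / "atapi.sys"
        drv.parent.mkdir(parents=True)
        staged.parent.mkdir(parents=True)
        clean = b"CONSTRUCTED clean driver image"
        staged.write_bytes(clean)
        # patched=True models a driver on disk that no longer matches its staged copy
        drv.write_bytes(clean + b" CONSTRUCTED modification" if patched else clean)
        return check_driver_against_store(drv, store)


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        # Real check, e.g.:  python driver_check.py atapi.sys
        sysroot = Path(os.environ["SystemRoot"]) / "System32"
        result = check_driver_against_store(sysroot / "drivers" / sys.argv[1],
                                            sysroot / "DriverStore" / "FileRepository")
    else:
        result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Without arguments the script runs the constructed demo and reports the mismatch; on Windows, passing a driver file name compares the real `System32\drivers` copy with whatever is staged in the DriverStore.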



## racinggirl (Jan 22, 2010)

Hello there...ok here are my results from the OTL and the combofix. Hope this helps you.....I appreciate your help!  The combofix files are attached so as to not take up too much space.

Error: Unable to interpret <Code:> in the current context!
Error: Unable to interpret <---------> in the current context!
========== OTL ==========
Error: No service named McShield was found to stop!
Unable to stop service McShield!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== FILES ==========
Unable to replace file: C:\Windows\system32\drivers\atapi.sys with C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys without a reboot.

OTL by OldTimer - Version 3.1.26.0 log created on 01242010_174417
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...


----------



## JSntgRvr (Jul 1, 2003)

Hi, *racinggirl* 


Please download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under *Upgrading Java* to download and install the latest version.


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked:
- *Spyware, Adware, Dialers, and other potentially dangerous programs*
- *Archives*
- *Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.
 Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

*Upgrading Java* :

Download the latest version of *Java SE Runtime Environment (JRE) JRE 6 Update 18*.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u18-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the *jre-6u18-windows-i586.exe* and select "Run as an Administrator.")


----------



## racinggirl (Jan 22, 2010)

Hello there,

Ok... so I keep trying to run the Kaspersky Online Scanner 7 (I've actually been trying for 24 hours now) and I cannot get through the scan because of Windows shutting down and restarting itself. I am still getting the messages: Host Process for Windows Services stopped working and must close; Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly; and Windows must now restart because a plug and play service terminated.

I was able to run the program you asked and the information is below. I am barely keeping this thing going as I use it for work constantly, but it is continually resetting itself and I cannot get anything done. Any other suggestions? You have been so very helpful and I appreciate it.

Malwarebytes' Anti-Malware 1.44
Database version: 3631
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882
1/24/2010 9:36:47 PM
mbam-log-2010-01-24 (21-36-47).txt
Scan type: Quick Scan
Objects scanned: 115695
Time elapsed: 9 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *racinggirl* 

Please download ComboFix from *Here* or *Here* to your Desktop.

***Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop***

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename *Combofix* to *Combo-Fix* as follows:

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
*Very Important!* Temporarily *disable* your *anti-virus*, *script blocking* and any *anti-malware* real-time protection _*before*_ performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause _"unpredictable results"_.
_Click on *this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask._
-----------------------------------------------------------

Close any open browsers. 
*WARNING: Combofix will disconnect your machine from the Internet as soon as it starts*
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on *combo-Fix.exe* & follow the prompts.
Install the Recovery Console if prompted.
When finished, it will produce a report for you. 
Please post the *C:\Combo-Fix.txt*.
***Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall***

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.


----------



## racinggirl (Jan 22, 2010)

Hello again,

So here is the latest combo-fix record based on your last request. Right after it ran and the system came back up, it brought up the "Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly" message... then it promptly shut down.

Thought you should know.


----------



## JSntgRvr (Jul 1, 2003)

Run Microsoft® Windows® Malicious Software Removal Tool

1. Click the Download button on this page to start the download.

2. To start the installation immediately, click Run.

Click *here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file, then on *Start*, and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the *Yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, choose the *Complete Scan*.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all'* if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
After selecting, in the *Dr.Web CureIt* menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called *DrWeb.csv*
*Close Dr.Web Cureit*.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from *Dr.Web *you saved previously in your next reply.


----------



## racinggirl (Jan 22, 2010)

Hello again,

I am not having much luck. When I downloaded the Microsoft program, it would only run until it hit this file and then would restart itself. I would get a blue screen telling me the system was shutting down and a countdown at the bottom of the screen. I tried several times and it always stopped at this file:
C:\Program Files\InstallShield Installation Information\{2883F6F5-0509-43F3...\setup.exe
Then it took me several times just to get the DrWeb to download. I have tried to run it several times and the computer always gives me the two standard windows saying it is going to shut down because a plug and play has stopped or the DCOM. The scan did get far enough to ID 2 viruses but the scan doesn't finish EVER before it shuts down. 

I am really, really frustrated. I use this computer for 6-7 hours a day for work and I have to keep stopping and saving my work in order to let it reset every time I see these messages. Is there any chance of getting this resolved, or do I need to find someone local to try and quickly make the repairs since I am not doing a very good job?

I appreciate all your help and suggestions. You are very kind.


----------



## JSntgRvr (Jul 1, 2003)

Click on *GMER.* Let it do the initial scan (it will run this upon start). Save and post that report. If unable to run GMER, follow these steps:

First, you must verify that you can access the Vista Recovery Environment.
To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu.
If the option 'Repair your computer' is available, select it.

If not available, you will need to insert your Vista installation DVD and restart, then press any key when prompted to boot from the disc.
At the Install Windows screen, select Repair your computer. (image below)
Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. *Note - you must run it only once!*
As instructed when the tool runs, restart the computer and logon to the Recovery Environment.
Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.
Type the following bolded command at the _x:\sources>_ prompt (or _x:\windows\system32>_) then hit Enter.

*cd /d x:\windows* <--- the red x represents your operating system drive letter, as shown in the image below

At the *C:\Windows>* prompt type the following command then hit Enter

*look.bat*

You will see many files copied then return to the _x:\windows>_ prompt.
Type *Exit* then restart your computer and logon in normal mode.
Please run maxlook.exe again now. *Note - you must run it only once!*
It will produce looklog.txt on the desktop and open it.
Please post the results here.


----------



## racinggirl (Jan 22, 2010)

Hello there again,

So I cannot get GMER to run. The disk I have for my computer is the Toshiba Recovery and Applications/Drivers. Vista was already on my computer when I purchased it and I don't have a disk with only Vista on it. Should I use the Recovery Disks?


----------



## JSntgRvr (Jul 1, 2003)

The developer of that program has developed an easier method to determine if the infection Max++ is present. It is only a diagnosis tool:

Please download maxhandle.exe by noahdfear to your desktop
Double click and run the application
An active internet connection is required so that maxhandle.exe may download a tool from SysInternals (every time it is run).
Log is saved to c:\maxhandle.txt
If Max++ is not found *Nothing found!* is echoed to the screen - no log is produced.
Please post the results for my review

Download *OTL* to your Desktop

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
OTL should now start. Change the following settings
Change *Drivers* to *All*
Change *Registry* to *All*
Under *File Scans*, change *File age* to *30*

Under the Custom Scan box paste this in

```
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
```

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. *OTL.Txt* and *Extras.Txt*. These are saved in the same location as OTL.
Please post the contents of these files in your next reply.


----------



## racinggirl (Jan 22, 2010)

Well there.....ok so the first program ran fine without any log as it said it did not find anything. The OTL program I ran twice because it changed the days timing back to 14 after I put in 30 and hit quick scan. It did that the second time as well. There was no Extra.txt produced either time but I have attached the other log. I know you are trying really hard but can you please tell me if I stand a chance of getting this done the way I am trying things now. I'm so upset about this stupid computer and I don't understand what you are looking for or if you even believe we can do anything together to repair this laptop.

Thank you for your time.


----------



## JSntgRvr (Jul 1, 2003)

Please verify that you can access the Vista Recovery Environment. To do so, restart your computer and begin tapping the F8 key to enable the Advanced Start menu. If the option 'Repair your computer' is available, select it.

If you are able to reach the Vista Recovery Environment following the steps above, please let me know.

Chances are the atapi.sys file is infected and no tool has been able to fix it. I would like to do this through the Vista Recovery Environment.


----------



## racinggirl (Jan 22, 2010)

Good morning....here is the screen information I receive when I hit F8 on start up:

Choose Advanced Options for: Microsoft Windows Vista

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable Low Resolution Video
Last Known Good Configuration (advanced)
Directory Services Restore Mode

Debugging Mode

Disable Automatic Restart on System Failure
Disable Driver Signature Enforcement

Start Windows Normally.

Please Advise

Thanks


----------



## racinggirl (Jan 22, 2010)

An addition to my last post.....I was typing really fast because the computer was getting ready to reboot and I left one option out and I think it might be the workable option.....

Directory Services Restore Mode

I have not backed up my data on this computer. I have an external hard drive but someone borrowed it and I have not seen it since. If you explain what I need to do to back up the data I will do that on the external drive just in case, if you think I need to.

So to recap here are my options:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable Low Resolution Video
Last known good configuration (advanced)
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure
Disable Driver Signature Enforcement

Start Windows Normally.

Hope all that helps. Thanks again.


----------



## JSntgRvr (Jul 1, 2003)

Click on the Vista Orb and type CMD on the searchbox. On top of the window, right click CMD and select "Run as an Administrator".

The MSDOS window will be displayed, running as an administrator. At the prompt copy and paste the following command and press Enter:

*Copy C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys C:\*

You should receive a message, 1 file copied. This is important. If the message is not received the next set of instructions won't work.

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
   Right click on the Avenger.zip folder and select "Extract All..."
   Follow the prompts and extract the *avenger* folder to your desktop.
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):

```
Begin copying here:
Files to move:
C:\atapi.sys | C:\Windows\system32\drivers\atapi.sys
```

_*Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, open the avenger folder and *start The Avenger program* by clicking on its icon.
   Right click on the window under *Input script here:*, and select Paste.
   You can also click on this window and press (*Ctrl+V*) to paste the contents of the clipboard.
   Click on *Execute*.
   Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
   It will *restart your computer*. (In cases where the code to execute contains "*Drivers to Delete*", The Avenger will actually *restart your system twice*.)
   On reboot, it will briefly *open a black command window* on your desktop; this is normal.
   After the restart, it *creates a log file* that should open with the results of The Avenger's actions. This log file will be located at *C:\avenger.txt*.
   The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh OTL log*.


----------



## racinggirl (Jan 22, 2010)

Good evening....all righty....here are the txt files. Once again the OTL did not produce an Extra.txt file and it changed my search criteria to 14 days from 30 days. It has done that the last couple times I have run it. Please advise.....


----------



## JSntgRvr (Jul 1, 2003)

Hi

It is very difficult to replace the *atapi.sys* file, as the locations are restricted. Vista is not allowing the move. Let's try another option.

*Please read the following through carefully so that you understand what to do*

Download *TDSSKiller* and save it to your Desktop.
Extract its contents to your desktop and make sure *TDSSKiller.exe* (the contents of the zipped file) is on the Desktop itself, *not* within a folder on the desktop.
Click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quote marks) Then press *Ctrl+Shift+Enter.*

*"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v*

If it says "Hidden service detected" *DO NOT* type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called "*TDSSKiller.txt*" please copy and paste the contents of that file here.

Please download *SystemLook* from one of the links below and save it to your Desktop.
*Download Mirror #1*
*Download Mirror #2*

Double-click *SystemLook.exe* to run it.
Copy the content of the following codebox into the main textfield:

```
:filefind
*atapi*
```


Click the *Look* button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
*Note:* The log can also be found on your Desktop entitled *SystemLook.txt*


----------



## racinggirl (Jan 22, 2010)

Hello there....so I downloaded the TDSSKiller to my desktop but when I copy and paste the information in the search window from the Vista Orb it does not find anything so I have not gone any farther. So I did not move on to the next step. Please advise.

Thanks so much for your time and patience.


----------



## racinggirl (Jan 22, 2010)

Ok so I figured out what I was doing wrong and here is the file:

:filefind
*atapi*

09:00:22:964 3580 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
09:00:22:964 3580 ================================================================================
09:00:22:964 3580 SystemInfo:
09:00:22:964 3580 OS Version: 6.0.6002 ServicePack: 2.0
09:00:22:964 3580 Product type: Workstation
09:00:22:964 3580 ComputerName: OWNER-PC
09:00:22:964 3580 UserName: Owner
09:00:22:964 3580 Windows directory: C:\Windows
09:00:22:964 3580 Processor architecture: Intel x86
09:00:22:964 3580 Number of processors: 2
09:00:22:964 3580 Page size: 0x1000
09:00:22:980 3580 Boot type: Normal boot
09:00:22:980 3580 ================================================================================
09:00:22:980 3580 UnloadDriverW: NtUnloadDriver error 2
09:00:22:980 3580 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
09:00:22:980 3580 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
09:00:23:104 3580 UtilityInit: KLMD drop and load success
09:00:23:104 3580 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
09:00:23:104 3580 UtilityInit: KLMD open success
09:00:23:104 3580 UtilityInit: Initialize success
09:00:23:104 3580 
09:00:23:104 3580 Scanning Services ...
09:00:23:104 3580 CreateRegParser: Registry parser init started
09:00:23:104 3580 CreateRegParser: DisableWow64Redirection error
09:00:23:104 3580 wfopen_ex: Trying to open file C:\Windows\system32\config\system
09:00:23:214 3580 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
09:00:23:214 3580 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:00:23:214 3580 wfopen_ex: Trying to KLMD file open
09:00:23:214 3580 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
09:00:23:214 3580 wfopen_ex: File opened ok (Flags 2)
09:00:23:214 3580 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 25E1480
09:00:23:214 3580 wfopen_ex: Trying to open file C:\Windows\system32\config\software
09:00:23:214 3580 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
09:00:23:214 3580 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
09:00:23:214 3580 wfopen_ex: Trying to KLMD file open
09:00:23:214 3580 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
09:00:23:214 3580 wfopen_ex: File opened ok (Flags 2)
09:00:23:214 3580 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 25E14A8
09:00:23:214 3580 CreateRegParser: EnableWow64Redirection error
09:00:23:214 3580 CreateRegParser: RegParser init completed
09:00:24:930 3580 GetAdvancedServicesInfo: Raw services enum returned 471 services
09:00:24:930 3580 fclose_ex: Trying to close file C:\Windows\system32\config\system
09:00:24:930 3580 fclose_ex: Trying to close file C:\Windows\system32\config\software
09:00:24:930 3580 
09:00:24:930 3580 Scanning Kernel memory ...
09:00:24:930 3580 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
09:00:24:930 3580 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 853EE3E0
09:00:24:930 3580 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
09:00:24:930 3580 
09:00:24:930 3580 DetectCureTDL3: DEVICE_OBJECT: 853ECAC8
09:00:24:930 3580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853ECAC8
09:00:24:930 3580 DetectCureTDL3: DEVICE_OBJECT: 853F8890
09:00:24:930 3580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853F8890
09:00:24:930 3580 DetectCureTDL3: DEVICE_OBJECT: 853E5030
09:00:24:930 3580 KLMD_GetLowerDeviceObject: Trying to get lower device object for 853E5030
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x853E5030[0x38]
09:00:24:930 3580 DetectCureTDL3: DRIVER_OBJECT: 86272A38
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x86272A38[0xA8]
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x853DD028[0x38]
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x8449FD40[0xA8]
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x852E9140[0x1A]
09:00:24:930 3580 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
09:00:24:930 3580 DetectCureTDL3: IrpHandler (0) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (1) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (2) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (3) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (4) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (5) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (6) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (7) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (8) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (9) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (10) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (11) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (12) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (13) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (14) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (15) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (16) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (17) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (18) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (19) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (20) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (21) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (22) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (23) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (24) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (25) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: IrpHandler (26) addr: 852ED841
09:00:24:930 3580 DetectCureTDL3: All IRP handlers pointed to one addr: 852ED841
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x852ED841[0x400]
09:00:24:930 3580 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
09:00:24:930 3580 Driver "atapi" Irp handler infected by TDSS rootkit ... 09:00:24:930 3580 KLMD_WriteMem: Trying to WriteMemory 0x852ED8BA[0xD]
09:00:24:930 3580 cured
09:00:24:930 3580 KLMD_ReadMem: Trying to ReadMemory 0x852ED6EC[0x400]
09:00:24:930 3580 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
09:00:24:930 3580 Driver "atapi" StartIo handler infected by TDSS rootkit ... 09:00:24:930 3580 TDL3_StartIoHookCure: Number of patches 1
09:00:24:930 3580 KLMD_WriteMem: Trying to WriteMemory 0x852ED7F5[0x6]
09:00:24:930 3580 cured
09:00:24:930 3580 TDL3_FileDetect: Processing driver: atapi
09:00:24:930 3580 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
09:00:24:930 3580 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
09:00:24:961 3580 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
09:00:24:961 3580 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 09:00:24:961 3580 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
09:00:27:129 3580 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys:19944, checking..
09:00:27:145 3580 ValidateDriverFile: Stage 1 passed
09:00:27:145 3580 ValidateDriverFile: Stage 2 passed
09:00:27:348 3580 DigitalSignVerifyByHandle: Embedded DS result: 00000000
09:00:27:348 3580 ValidateDriverFile: Stage 3 passed
09:00:27:348 3580 FileCallback: File validated successfully, restore information prepared
09:00:30:109 3580 FindDriverFileBackup: Backup copy found in DriverStore
09:00:30:109 3580 TDL3_FileCure: Backup copy found, using it..
09:00:30:109 3580 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskEA2F.tmp
09:00:30:156 3580 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskEA2F.tmp, system32\drivers\atapi.sys)
09:00:30:156 3580 TDL3_FileCure: KLMD jobs schedule success
09:00:30:156 3580 will be cured on next reboot
09:00:30:156 3580 UtilityBootReinit: Reboot required for cure complete..
09:00:30:171 3580 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
09:00:30:171 3580 UtilityBootReinit: KLMD drop success
09:00:30:171 3580 KLMD_ApplyPendList: Pending buffer(2E1B_698E, 616) dropped successfully
09:00:30:171 3580 UtilityBootReinit: Cure on reboot scheduled successfully
09:00:30:171 3580 
09:00:30:171 3580 Completed
09:00:30:171 3580 
09:00:30:187 3580 Results:
09:00:30:187 3580 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
09:00:30:187 3580 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:00:30:187 3580 File objects infected / cured / cured on reboot: 1 / 0 / 1
09:00:30:187 3580 
09:00:30:187 3580 UnloadDriverW: NtUnloadDriver error 1
09:00:30:187 3580 KLMD_Unload: UnloadDriverW(klmd21) error 1
09:00:30:187 3580 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
09:00:30:187 3580 UtilityDeinit: KLMD(ARK) unloaded successfully

Here is the system look log:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:05 on 30/01/2010 by Owner (Administrator - Elevation successful)
========== filefind ==========
Searching for "*atapi* "
C:\$INPLACE.~TR\Machine\DATA\Windows\inf\iteatapi.inf --a--- 33660 bytes [10:25 02/11/2006] [10:25 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
C:\$INPLACE.~TR\Machine\DATA\Windows\inf\iteatapi.PNF --a--- 17916 bytes [10:25 02/11/2006] [12:51 02/11/2006] 73DF176A398D10A2338BBD40B56EF72E
C:\atapi.sys --a--- 19944 bytes [05:43 30/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\ERDNT\cache\atapi.sys --a--- 19944 bytes [21:29 16/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\inf\iteatapi.inf --a--- 33660 bytes [10:25 02/11/2006] [10:25 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
C:\Windows\inf\iteatapi.PNF --a--- 17916 bytes [10:25 02/11/2006] [12:51 02/11/2006] 73DF176A398D10A2338BBD40B56EF72E
C:\Windows\System32\DriverStore\en-US\iteatapi.inf_loc --a--- 308 bytes [12:40 02/11/2006] [12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.inf --a--- 33660 bytes [10:25 02/11/2006] [06:35 02/11/2006] E4EB9FDA7CA1965653EAB8C109CCE546
C:\Windows\System32\DriverStore\FileRepository\iteatapi.inf_431397fb\iteatapi.sys --a--- 35944 bytes [10:25 02/11/2006] [09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [04:38 18/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [04:38 18/09/2009] [07:01 30/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\drivers\iteatapi.sys --a--- 35944 bytes [07:36 02/11/2006] [09:50 02/11/2006] BCED60D16156E428F8DF8CF27B0DF150
C:\Windows\System32\en-US\WinSATAPI.dll.mui --a--- 6144 bytes [12:41 02/11/2006] [12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
C:\Windows\System32\WinSATAPI.dll --a--- 383488 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
C:\Windows\winsxs\Manifests\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736.manifest --a--- 1913 bytes [12:39 02/11/2006] [12:39 02/11/2006] 99D99FA87B40A9FB8F9284AD0D7A71C9
C:\Windows\winsxs\x86_iteatapi.inf.resources_31bf3856ad364e35_6.0.6000.16386_en-us_20cdea2c37532736\iteatapi.inf_loc --a--- 308 bytes [12:40 02/11/2006] [12:40 02/11/2006] DBC002F0F2C65A0519A1BD24D84B22C2
C:\Windows\winsxs\x86_microsoft-windows-w..emassessmenttoolapi_31bf3856ad364e35_6.0.6001.18000_none_e39e6219f79a63c6\WinSATAPI.dll --a--- 383488 bytes [02:23 21/01/2008] [02:23 21/01/2008] 3FCB7347D2DE38488C85A31EA7838A3C
C:\Windows\winsxs\x86_microsoft-windows-w..nttoolapi.resources_31bf3856ad364e35_6.0.6000.16386_en-us_86f384ab3e5358a7\WinSATAPI.dll.mui --a--- 6144 bytes [12:41 02/11/2006] [12:41 02/11/2006] 64BDEA749C5954CECAB7EC5E9CC24D39
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys --a--- 19944 bytes [04:38 18/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
-=End Of File=-

Thanks so much.....I think I just needed more coffee
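
As an added example, not code from the thread, from SystemLook's author or from TDSSKiller: a small parser for SystemLook's `:filefind` result lines that does the comparison the helper was making by eye, checking whether the MD5 of the driver in `System32\drivers` matches a same-sized copy in the DriverStore (the location TDSSKiller's log above used as its backup). The first input is an excerpt of the log posted above; the second is a constructed variant in which the live driver carries a placeholder hash.

```python
"""Added check: parse SystemLook ':filefind' output and compare the live
atapi.sys hash with the DriverStore copies, as done by hand in this thread."""
import re
from dataclasses import dataclass

# One result line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    md5: str


def parse_filefind(text: str) -> list:
    """Return an Entry per result line; headers and '-=End Of File=-' are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Entry(m["path"], int(m["size"]), m["md5"].upper()))
    return out


def driver_report(entries, name: str = "atapi.sys") -> dict:
    """Compare the driver in System32\\drivers with same-sized DriverStore copies.

    verdict: 'match'     live MD5 equals a same-sized DriverStore copy (clean backup)
             'mismatch'  same-sized copies exist but none share the live MD5
             'no-backup' no DriverStore copy of that size; 'no-live-driver' if absent
    """
    same = [e for e in entries if e.path.lower().endswith("\\" + name.lower())]
    live = [e for e in same if "\\system32\\drivers\\" in e.path.lower()]
    store = [e for e in same if "\\driverstore\\filerepository\\" in e.path.lower()]
    if len(live) != 1:
        return {"verdict": "no-live-driver", "live": None, "candidates": [], "matching": []}
    cands = [e for e in store if e.size == live[0].size]
    match = [e for e in cands if e.md5 == live[0].md5]
    verdict = "no-backup" if not cands else ("match" if match else "mismatch")
    return {"verdict": verdict, "live": live[0], "candidates": cands, "matching": match}


# Excerpt of the SystemLook log posted in this thread (live driver + DriverStore copies).
THREAD_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
========== filefind ==========
Searching for "*atapi* "
C:\atapi.sys --a--- 19944 bytes [05:43 30/01/2010] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys --a--- 19944 bytes [04:38 18/09/2009] [06:32 11/04/2009] 1F05B78AB91C9075565A9D8A4B880BC4
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys --a--- 19048 bytes [10:25 02/11/2006] [09:49 02/11/2006] 4F4FCB8B6EA06784FB6D475B7EC7300F
C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys --a--- 21560 bytes [02:23 21/01/2008] [02:23 21/01/2008] 2D9C903DC76A66813D350A562DE40ED9
C:\Windows\System32\drivers\atapi.sys --a--- 19944 bytes [04:38 18/09/2009] [07:01 30/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4
-=End Of File=-
"""

# Constructed variant (not from the thread): the live driver's MD5 is replaced with a
# placeholder so it no longer matches the same-sized DriverStore copy.
TAMPERED_LOG = THREAD_LOG.replace(
    "[07:01 30/01/2010] 1F05B78AB91C9075565A9D8A4B880BC4",
    "[07:01 30/01/2010] 00000000000000000000000000000000",
)

if __name__ == "__main__":
    for label, log in (("thread log", THREAD_LOG), ("constructed log", TAMPERED_LOG)):
        rep = driver_report(parse_filefind(log))
        print(label, "->", rep["verdict"], [e.path for e in rep["matching"]])
```

A hash match only vouches for the file on disk; the TDSSKiller log above shows the in-memory IRP and StartIo handlers were hooked separately, which no file hash can reveal.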


----------



## JSntgRvr (Jul 1, 2003)

Test the computer. Attempt to re-create the error message and let me know the outcome.


----------



## racinggirl (Jan 22, 2010)

I don't understand what you are asking me. I was able to get everything to run and posted the logs.....FYI. Right now I can not get Outlook to open at all.

Here is the message I get:

Cannot start Microsoft Office Outlook. Cannot open the Outlook Window.

Thanks,


----------



## racinggirl (Jan 22, 2010)

Hello for the 3rd time today 

I did a redirect on the navpane for Outlook and it seemed to work......


----------



## JSntgRvr (Jul 1, 2003)

Have the DCOM Server errors ceased?


----------



## racinggirl (Jan 22, 2010)

Yeah....yes it seems like all is well now. One last question: what anti-virus/security system do you recommend I should be using? I have tried several different ones over the years.....Norton, Trend Micro, AVG, Microsoft Live. What do you think I should use, especially given this last week.

Thank you again for all your help and patience.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *racinggirl* 

Congratulations.

My choice for an antivirus will be *AVAST.*

*Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.*

*Follow these steps to uninstall Combofix.*

Click the Vista *Orb*.
Now copy and paste *"c:\users\Owner\Desktop\Combo-Fix.exe" /Uninstall* in the searchbox (including the quotation marks) and press Ctrl+Shift+Enter.
Launch *OTL* and click on the Cleanup button. Follow the prompts.

Best wishes!


----------

