
Posted

Hi all,

 

I've got a really annoying problem when surfing the internet. Quite often the pages won't load or will show a blank page. When using Firefox I get a message saying "Transferring data from xxxxx" and the page never appears. If I hit refresh it sometimes loads a tiny amount of the screen and then says "done" or it will display the code of the page. Sometimes it loads a blank grey screen, again saying the page has finished loading. After hitting refresh several times the page usually loads.

 

I know my connection is ok because I can stream radio and play online games for hours without disconnecting, the problem only affects my web browsing. I've run the following scans:

 

 

Avast! Anti-virus

Spybot S&D

AdAware

Vundofix

VirtumundoBeGone

CCleaner

 

I've also followed a manual guide on removing the vundo trojan, here:

 

Firefox cannot load certain web sites (Vundo trojan)

 

None of these methods have worked and I still have the problem, no matter what browser I use.

 

However, if I boot my machine into safe mode with networking the problem isn't there and I can surf fine.

 

I'm connecting to my router with an ethernet cable and have tried different filters and a different router, the problem still persists.

 

I'm hoping someone can offer some suggestions as to what I can try next as this problem is driving me round the bend :(

 

Thanks in advance

 

P


Guest Wolfeymole
Posted

You may have a load of other trash running so please follow the steps below.

 

Your computer could be infected with Malware.

 

  • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
    It is a combination of the words malicious and software.
    The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

 

  • Required Cleanup Steps
    1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
    2. Run a Temporary file and cache cleaner (ATF)
    3. Run 2 Anti-Malware scanners (Listed Below)
    4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
    5. Clear out old System Restore points
    6. If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested.

     

The reason to run multiple scanners is to ensure that no single scanner is missing something.

The time it takes will vary depending on your system and your internet connection speed.

Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 to 90 minutes.

The ESET online scan should take between 1 to 3 hours.

In most cases, these scans will suffice to clean and disinfect your computer.

Heavily infected systems or slower PCs can take much longer to scan and clean.

 

For best results print the following instructions and bookmark this Web page

To keep this guide printer-friendly, use your cursor to highlight the contents below.

From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware.

http://kixhelp.com/wr/images-freepchelp/printer-selection.gif

__________________________________________________

STEP 1

  • Disable Spybot Search & Destroy's TEA TIMER: (if installed)

    1. Run Spybot-S&D in Advanced Mode.

    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"

    3. On the left hand side, Click on Tools

    4. Then click on the Resident Icon in the List

    5. Uncheck "Resident TeaTimer" and OK any prompts.

    6. Restart your computer.

     

__________________________________________________

STEP 2

  • Follow these instructions carefully.

  • Download ATF-Cleaner from
    to remove un-needed temporary files from your computer that may contain malware.

  • You can also download it from

  • When you run ATF-Cleaner, check the items as shown below for Main.

  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox

  • NOTE:
    If you don't have FireFox or Opera installed then they will be grayed out and can be ignored

  • Then click on "Empty Selected".

http://kixhelp.com/wr/images-freepchelp/atf-cleaner01.gif

http://kixhelp.com/wr/images-freepchelp/atf-cleaner02.gif

__________________________________________________

STEP 3

  • Install and run the free version (not the Professional version) of SUPERAntiSpyware from

    • Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.

    • You do not have to send them your e-mail address, just click next.

    • You can leave the automated check for updates on.

    • You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.

    • DO NOT allow SUPERAntiSpyware to protect your Home Page settings.

    • On the Top Left select the Scan your computer button.

    • Make sure there is a CHECK MARK on all Fixed Drives.

    • Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so.

     

__________________________________________________

STEP 4

  • Install and run Malwarebytes' Anti-Malware from

    • Accept all defaults for the installer

    • Allow the program to update the definitions

    • Click on the Quick Scan and click Next.

    • If any items are found allow it to clean them and then Reboot your computer.

     

__________________________________________________

STEP 5

  • Run an online scan with ESET from

    • You must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan.

    • If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.

     

    • Accept the terms and click "Start".

    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".

    • Click "Start" to begin the scan.

    • When completed restart your computer

     

__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating.

At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

 

If required this is the download link for TrendMicro™ HijackThis™

Unless instructed to by the Technician helping you then do not download this tool.

 

Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one.

Please follow the instructions here

How to turn off and turn on System Restore in Windows XP

How to turn off and turn on System Restore in Windows Vista

Posted

Wolfeymole,

 

Thanks for the reply and the instructions. I've followed all the steps and so far so good, the problem seems to have improved. The software picked up quite a few problems my other scans hadn't so hopefully that has sorted it.

 

I'll continue testing it and if it starts happening again I'll let you know.

 

Thanks again :)

 

P

Guest Wolfeymole
Posted
Please do PK as we may have to ask you to run the software from Trend Micro.
Posted

Hmm, it looks like I jumped the gun as I've logged on today and I'm still getting problems when surfing. They don't seem as bad but I'm still having to click refresh several times to get pages to load.

 

What do you suggest I try next?

 

P

Guest Wolfeymole
Posted

As I mentioned earlier PK please now follow the instructions for Hijack This.

 

Please download the latest version of HijackThis from Trend Micro and click on Download Hijack This Installer and save it to your desktop.

  • Doubleclick HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log by copying and pasting in your next reply.

Notes:

Do not use the AnalyseThis button, its findings are dangerous if misinterpreted.

Do not have Hijackthis fix anything yet. Most of what it finds will be harmless, or required for your computer to run like it should.

Posted

Here is my logfile:

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\MagicDisc\MagicDisc.exe

C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE

C:\Program Files\Sun\StarOffice 8\program\soffice.exe

C:\Program Files\Sun\StarOffice 8\program\soffice.BIN

C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\a-squared Free\a2service.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Posted

Sorry, I've been trying to send it in two parts as it was too big, my connection has been so bad it's taken ages :(

 

part 2:

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Search - Web Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138541459156

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Guest Wolfeymole
Posted
There should be one last part to the log, PK. Once you have submitted that I will then move it to the Malware forum for our malware team to look at.
Posted

That was the whole log, the only bit I missed was:

 

--

End of file - 10600 bytes

 

but I didn't think you'd need that. I've run hijack this again and got the same logfile.

 

 

P

Guest Wolfeymole
Posted

Thanks PK now I will move it and we ask that you allow a Malware expert to look at this information and offer advice to assist you.

 

Please bear with us on this.

Guest Wolfeymole
Posted

I notice the lack of support on your post PK and I will try to take steps to rectify this situation.

 

Please accept my apologies. :mad:

Posted

There are a couple of items that I need to do some research about. Will get back to you later tonight on them.

 

Think it may be some services you have running and not so much Malware.

 

Wife wants me to do some stuff so will try to be back later tonight on this.

Need help with your computer problems? Then why not join Free PC Help. Register here

If Free PC Help has helped you then please consider a donation. Click here

 

Malwarebytes' Anti-Malware | Malwarebytes' Products | SUPERAntispyware | HijackThis | Spybot Search & Destroy | hpHosts | SpywareBlaster | WinPatrol | SiteHound | FireFox | NoScript | Adblock Plus | Sandboxie | Acronis True Image | ThreatFire | ESET Online Scanner | Kaspersky Online Scanner | Panda Online Scanner | Trend Online Scanner | Avira AntiVir Personal | Avast Free AV | CCleaner | ATF-Cleaner | Online Armor Firewall | Outpost Firewall Free | DirectX | Office Compatibility Pack | Office 2003 (SP3) | SubInACL | Windows Defender | Windows Installer 3.1 | IE7 XP | XP SP3 for IT | Sysinternals | Virtual PC 2007 | Returnil

 

 

We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.

Posted

Okay well you have WAY too much stuff running on startup for one thing.

 

You have some services that if it were my machine I'd remove, but it's up to you.

 

You have Kontiki K Service running which may be from something like "Sky By Broadband" or similar provider.

Unlikely that it is needed. Here is how to remove it.

 

First go into your Control Panel, Add/Remove and see if there is an uninstaller for it and use that first. Then reboot your computer and see if the manual method is still required to complete removing it.

 

This is from another site that was having an issue with this software.

Well, the manual uninstall seemed to work. For those of you in a similar position, here's what I did:

 

1. Went into the Services applet (Control Panel - Administrative Tools - Services) and stopped the KService service. I also set it to Disabled.

2. Opened Regedit, went to HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run and deleted the entry for 'kdx'.

3. Still in Regedit, went to HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Services and deleted the entry for 'kdx'.

4. Deleted the entire folder where KService was installed (in my case 'C:\Program Files\KService')

5. Restarted the machine.

 

It all seems to have worked OK. Use these notes at your own risk though

 

You also have CDAC11BA.EXE which is an Anti-Piracy driver software. It could be there if you've ever installed Turbo Tax or some versions of AutoCAD or similar programs that use Anti-Piracy with their product. I would remove it myself and then if some product gave me trouble I would re-install it.

 

Start REGEDIT and from the menu search for CDAC11BA.EXE to see if you can determine what application might have installed it and let me know and we can try to remove it.

 

Please remove Party Poker as well.

 

Run HJT and place a check mark on the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

Then click on "Fix selected"

 

Download to your Desktop.

Note: You must be logged onto an account with administrator privileges.

  1. Close all applications and windows.

  2. Double-click on dss.exe to run it, and follow the prompts.

  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized

  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.

  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.

  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes:
The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start => Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

 

When done please post back the Deckard's System Log and we can continue looking at your system.

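One way to confirm that a "Fix selected" pass like the one requested above took effect is to compare the HijackThis log taken before the fix with the one taken after it. This is an added example, not part of the original posts and not code from HijackThis or Trend Micro; the function names (`parse_log`, `audit_fix`, and so on) are hypothetical, and the sample text is a short excerpt of entries from the two logs in this thread.

```python
import re
from typing import NamedTuple

# A HijackThis entry line starts with a section code (R0, R1, O2, O4, O9, O23, ...).
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.*)$")


class Entry(NamedTuple):
    section: str
    detail: str


def parse_log(text):
    """Return the R/F/N/O entries of a pasted log, skipping headers and process paths."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def key(entry):
    """Comparison key: case-insensitive, all whitespace removed.

    Forum software can insert a space into a long token when a log is pasted,
    so a character-for-character comparison would miss the match.
    """
    return entry.section + "|" + re.sub(r"\s+", "", entry.detail).lower()


def still_present(fix_list, log):
    """Entries from the fix list that still appear in the given log."""
    log_keys = {key(e) for e in parse_log(log)}
    return [e for e in parse_log(fix_list) if key(e) in log_keys]


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, in log order."""
    b = {key(e): e for e in parse_log(before)}
    a = {key(e): e for e in parse_log(after)}
    removed = [e for k, e in b.items() if k not in a]
    added = [e for k, e in a.items() if k not in b]
    return removed, added


def audit_fix(fix_list, before, after):
    """Report fix-list items that survived, plus changes nobody asked for."""
    wanted = {key(e) for e in parse_log(fix_list)}
    removed, added = diff_logs(before, after)
    return {
        "still_present": still_present(fix_list, after),
        "unplanned_removals": [e for e in removed if key(e) not in wanted],
        "new_entries": added,
    }


# Excerpt of the first log posted in this thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
"""

# Items the helper asked to check; the space in "Int ernet" is a forum-wrapping
# artifact kept here on purpose to exercise the whitespace normalisation.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
"""

# Excerpt of the log embedded in the later Deckard's System Scanner report.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
"""

if __name__ == "__main__":
    for name, entries in audit_fix(FIX_LIST, BEFORE, AFTER).items():
        print(name)
        for e in entries:
            print("   ", e.section, "-", e.detail)
```

Anything listed under `unplanned_removals` or `new_entries` changed between the two scans without being on the fix list, so it is worth accounting for (for example a driver reinstall) before concluding the fix was the only change.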

Posted

Hi AdvancedSetup,

 

Firstly thanks for the assistance, it's greatly appreciated. I've followed your instructions and manually disabled the Kontiki service. I managed to find CDAC11BA.EXE in the registry but couldn't work out what had installed it. I've removed Party Poker, run HJT and removed the entries as advised. I've done a full scan with DSS and the results are as follows:

 

Part 1

 

Deckard's System Scanner v20071014.68

Run by Administrator on 2008-06-30 10:37:48

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

 

 

-- Last 5 Restore Point(s) --

83: 2008-06-30 09:02:55 UTC - RP405 - Deckard's System Scanner Restore Point

82: 2008-06-29 17:34:46 UTC - RP404 - Installed ATI Catalyst Control Center

81: 2008-06-29 17:29:57 UTC - RP403 - Removed Realtek High Definition Audio Driver

80: 2008-06-29 17:29:33 UTC - RP402 - Removed ATI Catalyst Registration

79: 2008-06-29 17:25:23 UTC - RP401 - Installed ATI Catalyst Registration

 

 

-- First Restore Point --

1: 2008-04-01 11:29:22 UTC - RP323 - Installed DirectX

 

 

Performed disk cleanup.

 

 

 

-- HijackThis (run as Administrator.exe) ---------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:37:49, on 30/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\a-squared Free\a2service.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Sun\StarOffice 8\program\soffice.exe

C:\Program Files\Sun\StarOffice 8\program\soffice.BIN

C:\Documents and Settings\Administrator\desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Search - Web Search

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKCU\..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138541459156

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - C:\WINDOWS\system32\pr2agnqb.exe

O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

 

--

End of file - 9173 bytes

 

-- File Associations -----------------------------------------------------------

 

.reg - regfile - shell\open\command - regedit.exe "%1" %*

.scr - scrfile - shell\open\command - "%1" %*

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys

R2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>

R3 CLEDX (Team H2O CLEDX service) - c:\windows\system32\drivers\cledx.sys <Not Verified; Team H2O; CLEDX>

R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>

R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

 

S0 fcdabus - c:\windows\system32\drivers\fcdabus.sys (file missing)

S3 fsRamDsk (RamDisk Drive Service) - c:\windows\system32\drivers\fsramdsk.sys (file missing)

S3 IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - c:\windows\system32\drivers\rtkhdaud.sys (file missing)

S3 Memctl - c:\program files\u-abit\flashmenu\memctl.sys

S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\progra~1\common~1\motive\mrendis5.sys (file missing)

S3 WINFLASH - c:\program files\u-abit\flashmenu\winflash.sys

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 ForceWare Intelligent Application Manager (IAM) - c:\program files\nvidia corporation\networkaccessmanager\bin\nsvcappflt.exe <Not Verified; ; app_filter Module>

R2 ForcewareWebInterface (Forceware Web Interface) - "c:\program files\nvidia corporation\networkaccessmanager\apache group\apache2\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>

 

S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S4 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>

S4 KService - "c:\program files\kontiki\kservice.exe" (file missing)

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: 1394 Net Adapter

Device ID: V1394\NIC1394\9067FB508D00

Manufacturer: Microsoft

Name: 1394 Net Adapter

PNP Device ID: V1394\NIC1394\9067FB508D00

Service: NIC1394

 

Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}

Description: Communications Port

Device ID: ROOT\PORTS\0000

Manufacturer: (Standard port types)

Name: Communications Port (COM6)

PNP Device ID: ROOT\PORTS\0000

Service: Serial

 

 

-- Process Modules -------------------------------------------------------------

 

C:\WINDOWS\system32\winlogon.exe (pid 992)

2007-04-19 13:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

 

C:\WINDOWS\system32\svchost.exe (pid 1448)

2006-03-30 14:58:34 131072 --a------ C:\WINDOWS\system32\nvappfilter.dll <Not Verified; NVIDIA; NVIDIA Application Filter>

 

C:\WINDOWS\system32\svchost.exe (pid 1520)

2006-03-30 14:58:34 131072 --a------ C:\WINDOWS\system32\nvappfilter.dll <Not Verified; NVIDIA; NVIDIA Application Filter>

 

C:\WINDOWS\explorer.exe (pid 1096)

2005-05-25 03:40:00 57344 --a------ C:\Program Files\Logitech\SetPoint\lgscroll.dll <Not Verified; Logitech Inc.; Logitech SetPoint>

2005-10-22 12:00:50 7168 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>

2007-11-18 20:56:30 159744 --a------ C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll

2007-11-18 20:55:02 23552 --a------ C:\Program Files\Haali\MatroskaSplitter\mkunicode.dll

2006-02-10 22:31:22 311296 --a------ C:\Program Files\Sun\StarOffice 8\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >

2006-02-10 22:31:34 98304 --a------ C:\Program Files\Sun\StarOffice 8\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >

2006-02-10 22:31:24 577536 --a------ C:\Program Files\Sun\StarOffice 8\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>

2008-05-13 10:13:36 77824 --a------ C:\Program Files\SUPERAntiSpyware\SASSEH.DLL <Not Verified; SuperAdBlocker.com; SuperAntiSpyware>

 

C:\WINDOWS\system32\rundll32.exe (pid 1416)

2005-05-25 03:40:00 57344 --a------ C:\Program Files\Logitech\SetPoint\lgscroll.dll <Not Verified; Logitech Inc.; Logitech SetPoint>

Posted

Part 2

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2008-06-27 19:58:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2008-05-30 and 2008-06-30 -----------------------------

 

2008-06-29 18:37:25 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI

2008-06-29 18:33:23 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>

2008-06-29 17:41:41 0 dr-h----- C:\Documents and Settings\Administrator\Recent

2008-06-29 16:33:00 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-06-23 18:02:19 0 d-------- C:\Program Files\Trend Micro

2008-06-22 15:39:45 0 d-------- C:\Program Files\EsetOnlineScanner

2008-06-22 15:33:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-06-22 15:33:57 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-06-22 15:33:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-06-22 14:55:43 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2008-06-22 14:55:36 0 d-------- C:\Program Files\SUPERAntiSpyware

2008-06-22 14:55:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com

2008-06-22 13:17:21 0 d-------- C:\Program Files\Enigma Software Group

2008-06-22 12:19:35 0 d-------- C:\VundoFix Backups

2008-06-22 09:59:18 0 d-------- C:\Temp

2008-06-20 14:04:02 43202 --a------ C:\WINDOWS\system32\FlashMenu.sys

2008-06-20 14:03:43 3548 --a------ C:\WINDOWS\system32\drivers\WinFlash.sys

2008-06-20 14:03:32 0 d-------- C:\Program Files\U-ABIT

2008-06-20 13:39:57 0 d-------- C:\biosflash

2008-06-09 10:58:02 691545 --a------ C:\WINDOWS\unins000.exe

2008-06-09 10:58:02 2558 --a------ C:\WINDOWS\unins000.dat

2008-06-05 16:38:35 0 d-------- C:\Documents and Settings\All Users\Application Data\media center programs

2008-06-05 11:47:52 0 d-------- C:\Program Files\Funcom

2008-06-05 11:47:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Funcom

 

 

-- Find3M Report ---------------------------------------------------------------

 

2008-06-30 10:36:12 0 d-------- C:\Documents and Settings\Administrator\Application Data\StarOffice8

2008-06-30 09:57:13 0 d-------- C:\Program Files\PartyGaming

2008-06-29 18:35:37 0 d-------- C:\Program Files\ATI Technologies

2008-06-29 18:30:00 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-06-29 17:36:05 4096 --a------ C:\WINDOWS\system32\crash

2008-06-29 16:44:46 0 d-------- C:\Program Files\d-lusion

2008-06-22 14:55:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-06-20 12:53:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla

2008-06-20 12:37:54 0 d-------- C:\Program Files\SopCast

2008-06-10 18:59:58 0 d-------- C:\Program Files\World of Warcraft

2008-06-09 10:33:34 0 d-------- C:\Program Files\BitLord

2008-06-09 10:25:16 0 d-------- C:\Program Files\Yahoo!

2008-06-09 10:23:58 0 d-------- C:\Program Files\NCSoft

2008-06-09 10:23:35 0 d-------- C:\Program Files\Guild Wars

2008-06-09 10:21:26 0 d-------- C:\Program Files\Soulseek

2008-06-09 10:20:23 0 d-------- C:\Program Files\Project64 1.6

2008-06-07 15:51:34 0 d-------- C:\Documents and Settings\Administrator\Application Data\teamspeak2

2008-05-28 17:56:29 0 d-------- C:\Program Files\Last.fm

2008-05-28 17:50:03 0 d-------- C:\Program Files\Apple Software Update

2008-05-27 23:10:09 0 d-------- C:\Program Files\iTunes

2008-05-27 23:10:02 0 d-------- C:\Program Files\iPod

2008-05-27 23:08:51 0 d-------- C:\Program Files\QuickTime

2008-05-20 21:47:21 0 d-------- C:\Program Files\Octoshape Streaming Services

2008-05-18 11:26:33 0 d-------- C:\Documents and Settings\Administrator\Application Data\Tunebite

2008-05-15 22:05:05 0 d-------- C:\Program Files\Haali

2008-05-15 22:05:04 0 d-------- C:\Program Files\ffdshow

2008-05-15 22:04:40 563712 --a------ C:\WINDOWS\system32\Redemption.dll <Not Verified; Dmitry Streblechenko; Outlook Redemption>

2008-05-15 21:53:28 0 d-------- C:\Program Files\Amazon

2008-05-15 21:29:40 0 d-------- C:\Documents and Settings\Administrator\Application Data\RTPlayer

2008-05-15 21:27:02 0 d-------- C:\Program Files\PixiePack Codec Pack

2008-05-15 21:25:50 0 d-------- C:\Program Files\RapidSolution

2008-05-12 17:27:23 0 d-------- C:\Program Files\Common Files

2008-05-12 17:27:23 0 d-------- C:\Program Files\Common Files\xing shared

2008-05-12 17:27:19 0 d-------- C:\Program Files\Common Files\Real

2008-05-06 09:28:03 0 d-------- C:\Program Files\Alwil Software

2008-05-05 09:31:30 0 d-------- C:\Program Files\AVG

2008-05-05 08:55:11 0 d-------- C:\Documents and Settings\Administrator\Application Data\Real

2008-04-01 18:28:50 24664 --ah----- C:\WINDOWS\system32\mlfcache.dat

2008-04-01 13:49:26 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>

2008-04-01 13:49:26 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL Library>

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTHelper"="CTHELPER.EXE" [22/10/2005 12:00 C:\WINDOWS\CTHELPER.EXE]

"H2O"="C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe" [23/10/2005 01:00]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]

"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 13:00 C:\WINDOWS\system32\bthprops.cpl]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/04/2007 09:45]

"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [19/08/2003 15:43]

"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]

"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [23/07/2007 12:06]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16/05/2008 00:19]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [28/03/2008 23:37]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]

"RTHDCPL"="RTHDCPL.EXE" []

"SoundMan"="SOUNDMAN.EXE" []

"Alcmtr"="ALCMTR.EXE" []

"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [21/01/2008 12:17]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [18/06/2007 09:39]

 

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 19:16:50]

MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [17/01/2008 21:52:25]

StarOffice 8.lnk - C:\Program Files\Sun\StarOffice 8\program\quickstart.exe [25/01/2006 18:42:42]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [28/01/2007 18:47:01]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLowDiskSpaceChecks"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [13/05/2008 10:13 77824]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs BthServ

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\autorun.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{452ebfda-c41b-11dc-a09b-00508d91989d}]

AutoRun\command- F:\autorun.exe

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]

C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe

 

 

 

-- End of Deckard's System Scanner: finished at 2008-06-30 10:38:59 ------------


Posted (edited)

You're running Ad-Aware 2007 during startup but unless it's the paid version not sure that it does much running all the time. What piece of it do you use that it has to run all the time?

 

Basically you need to review all these applications that are set to START and RUN every time you start the computer. If you're not actively using these programs then I would suggest stopping them from running and manually launch them when you do want to use them.

 

Do you know how to use Regedit? Start Regedit and browse to this location

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Then on the file menu select File Export and save a copy of the current entries to a new file somewhere you will remember where it is and give it a name you will remember.

I would use a name like 2008-06-30-(15-20)HKLMSMWCR.REG That is the date, time, and key location.

Then review all the entries and delete those items that you do not need to start every time.

Also do the same thing for this key.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

I don't want to just randomly delete these items but here is a list of what is currently running each time you start up the computer.

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKCU\..\Run: [bTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe

O4 - Startup: StarOffice 8.lnk = C:\Program Files\Sun\StarOffice 8\program\quickstart.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

 

Items I would consider not loading or starting every time the pc starts up.

CTHELPER.EXE (is a Creative Labs plugin helper for the sound card, though if not used why load it)

H2O (is probably a game hack to bypass a dongle, again probably not needed to run all the time if not used)

SunJavaUpdateSched (as long as you check for updates on your own no need to load)

BluetoothAuthenticationAgent (do you use bluetooth every time you use the computer, if not don't load)

Sony Ericsson PC Suite (same as others, if not used every time don't load it)

Lexmark X1100 Series (doubt you print every day and need to manage the printer supplies so why load it)

NeroCheck (Burning Rom, looks for known driver conflicts with Nero software, can be removed if you don't have problems with Nero)

amd_dc_opt (From my understanding this is an optimizer tool to help the timing when playing older games you may not need it, though it should not be a resource issue either if you do keep it)

Adobe Reader Speed Launcher (you can probably wait an additional couple seconds for the reader to load if needing to read a PDF)

QuickTime Task (not needed)

iTunesHelper (not needed)

ALCMTR.EXE - more information

KernelFaultCheck (Unless you're always having crashing problems you probably don't need, but should not be a resource issue either)

StartCCC - more information here

MagicDisc.exe (unless you're using for virtual disks not needed on startup)

StarOffice (not needed on startup)

 

Please check and disable any items you feel you can do without. Then run the following disk check.

Click on START - RUN and type in CMD /K CHKDSK C: /F then press the Y key to say yes to check the disk on reboot. Then restart your computer and let the disk check run.

 

You should also probably remove this folder if it was part of Party Poker. C:\Program Files\PartyGaming

 

 

Then I would highly recommend updating to IE7 and Service Pack 3 from Microsoft.

Edited by AdvancedSetup

Need help with your computer problems? Then why not join Free PC Help. Register here

If Free PC Help has helped you then please consider a donation. Click here

 

Malwarebytes' Anti-Malware | Malwarebytes' Products | SUPERAntispyware | HijackThis | Spybot Search & Destroy | hpHosts | SpywareBlaster | WinPatrol | SiteHound | FireFox | NoScript | Adblock Plus | Sandboxie | Acronis True Image | ThreatFire | ESET Online Scanner | Kaspersky Online Scanner | Panda Online Scanner | Trend Online Scanner | Avira AntiVir Personal | Avast Free AV | CCleaner | ATF-Cleaner | Online Armor Firewall | Outpost Firewall Free | DirectX | Office Compatibility Pack | Office 2003 (SP3) | SubInACL | Windows Defender | Windows Installer 3.1 | IE7 XP | XP SP3 for IT | Sysinternals | Virtual PC 2007 | Returnil

 

 

We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.
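The startup review in the post above is done by reading HijackThis `O4` lines one at a time. As an added example (not part of the original thread and not HijackThis code), this parser turns those lines into an inventory grouped by executable; the first five sample lines are copied from the log in this thread, the `HKLM` line is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First five lines are copied from the log in this thread; the last one is constructed.
SAMPLE_LOG = r"""
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\Example\app.exe" /start
"""

# Registry Run-key form: O4 - <hive path>: [value name] <command> (User '<account>')
REG_RE = re.compile(r"^O4 - (?P<source>HK\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                    r"(?: \(User '(?P<user>[^']*)'\))?$")
# Startup-folder form: O4 - [Global ]Startup: <shortcut> = <target>
DIR_RE = re.compile(r"^O4 - (?P<source>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

def image_path(cmd):
    """Best-effort executable path: quoted string, else text up to a known extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|,|$)", cmd, re.I)
    return m.group(1) if m else cmd

def parse_o4(text):
    """Return one dict per O4 line with source, name, cmd, user and image."""
    entries = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip()) or DIR_RE.match(line.strip())
        if not m:
            continue  # blank lines and other log sections are skipped
        entry = m.groupdict()
        entry.setdefault("user", None)  # startup-folder lines carry no user field
        entry["image"] = image_path(entry["cmd"])
        entries.append(entry)
    return entries

def group_by_image(entries):
    """Map each executable (case-insensitive) to the locations that launch it."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["image"].lower()].append((e["source"], e["user"]))
    return dict(grouped)

if __name__ == "__main__":
    for image, sources in group_by_image(parse_o4(SAMPLE_LOG)).items():
        print(image, "<-", sources)
```

Grouping shows that the three CTFMON.EXE lines are one program registered in three service-account hives, so a startup review only has to decide on it once.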

Posted

Ad-Aware was opening the Ad-Watch program which is why it was opening at start-up. I've disabled that now.

 

I've removed most of the registry entries you recommended apart from CTHELPER as that one loads my sound card on start up.

 

I've run CHKDSK and it didn't find anything.

 

Unfortunately I've still got the same problems, web pages aren't loading. Due to this I wasn't able to update to SP3 (I got there eventually but the installation just froze). I usually use Firefox rather than IE as I don't like IE at all but will change to that if you think it will help. That said, this problem occurs whichever browser I use.

 

Any further help would be much appreciated.

 

P.

Posted

Give me some time to review your posts. Please click on START - RUN and type in EVENTVWR and review some of the RED icon type events in APPLICATION and SYSTEM and post a few of them here so I can get an idea of what else is going on with the system.

 

If you have IE7 then go to TOOLS-Internet Options-Advanced and click on the Reset... button and reset all back to their default settings.

 

I'll be back later to review and help further.


Posted

Please click on the START - RUN and type in CMD and click OK

 

Then type proxycfg and hit the Enter key and post back the results exactly as it shows on your screen.


Posted

Then run this tool so we can get back more details on your system.

 

 

 

Download to your Desktop.

Note: You must be logged onto an account with administrator privileges.

  1. Close all applications and windows.

  2. Double-click on dss.exe to run it, and follow the prompts.

  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized

  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post in your reply

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.

  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.

  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Notes:
The first time that the Deckard scanner is run, the extra.txt is generated in a minimized window. The second time you will not obtain the extra.txt. You must go to Start => Run and copy the following "%userprofile%\desktop\dss.exe" /config in the line and click OK. You will receive a pop-up box with options to check for the Main log and Extra Log and Options.

 

 


Posted

Here are a few results from eventvwr:

 

Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

---------------------------------------------------------------------

 

Faulting application pprekop.exe, version 4.2.0.172, faulting module ole32.dll, version 5.1.2600.2182, fault address 0x10017bed.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------------------------------------------

 

Faulting application dxstress.exe, version 6.14.10.4, faulting module dxstress.exe, version 6.14.10.4, fault address 0x00004ab6.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------------------------------------------

 

EventType clr20r3, P1 ccc.exe, P2 2.0.0.0, P3 469cdc9c, P4 mscorlib, P5 2.0.0.0, P6 471ebc5b, P7 f44, P8 7, P9 n3ctrye2kn3c34sgl4zqyrbfte4m13nb, P10 NIL.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

---------------------------------------------------------------------

 

The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------------------------------------------------

 

DCOM got error "The service database is locked. " attempting to start the service MSIServer with arguments "" in order to run the server:

{000C101C-0000-0000-C000-000000000046}

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------------------------------------------------

 

DCOM got error "The service database is locked. " attempting to start the service netman with arguments "" in order to run the server:

{BA126AE5-2166-11D1-B1D0-00805FC1270E}

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------------------------------------------------

 

DCOM got error "The service database is locked. " attempting to start the service winmgmt with arguments "" in order to run the server:

{8BC3F05E-D86B-11D0-A075-00C04FB68820}

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

----------------------------------------------------------------------

 

The ForceWare Intelligent Application Manager (IAM) service hung on starting.

 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

----------------------------------------------------------------------
