VideoHelp Forum




  1. Member
    Join Date
    Aug 2005
    Location
    usa
    This is the story: About 3-4 mos ago all my Yahoo email contacts received some ad email, signed by me. Needless to say, I never sent the ad (about a Google product), nor was it in the Sent Box. In ~3wks it happened again, although the ad was different. Last week a subfolder of My Documents folder disappeared. It was found by File Recover, yet no actual recovery was done because of a defect in the program (I am email corresponding with its vendor, PC Tools). A day later File Recover disappeared without a trace (almost – the only evidence of its presence was a lonely Registry empty folder named “Recovered Files”). A nice tiny program warning of bad websites called Web of Trust (WOT) disappeared twice already, in the space of three days. At least this one is easy to reinstall: it’s a freebie. About a week ago both my CDRW and DVDRW drives stopped functioning: neither can “see” an inserted disc and says something like “Incorrect function. Please insert disc”. In Device Manager near the bottom there is something called “M$ Kernel DLS Synthesizer”. Microsoft website informed me that it is part of Dmusic, whatever it is. The rest of its short description is too technical for me and is, actually, worthless. I want to fix it as I suspect it is related to malfunctioning drives. Updating Kernel’s driver did not change anything. I found a few websites that offered to download Kernel SW, and uninstall it. Yet, when I went back to those websites and got to secondary Download Now pages, my WOT darkened the pages and warned me: Dangerous Site; Very Bad Reputation! So, I ran System Restore and now have dysfunctional Kernel back.
    I posted the entire story here, so you get the fill. Actually, only Kernel DLS problem relates to this forum, I don't think it has any connection with the rest, but who knows...
    I appreciate any help.


    m$%20kernel%20dls%20synthetizer.bmp
  2. Member
    Join Date
    Aug 2005
    Location
    usa
    Sorry for typos. I'd like to edit the post, but couldn't find the Copy button.
  3. Member
    Join Date
    Feb 2009
    Location
    United States
    Originally Posted by yuhr
    Sorry for typos. I'd like to edit the post, but couldn't find the Copy button.
    Sounds like a virus or trojan

    I would run a full scan w/ major Anti-Virus and Anti-spyware

    I use AVG and Spybot

    ocgw

    peace
    i7 2700K @ 4.4Ghz 16GB DDR3 1600 Samsung Pro 840 128GB Seagate 2TB HDD EVGA GTX 650
    https://forum.videohelp.com/topic368691.html
  4. Member
    Join Date
    Aug 2005
    Location
    usa
    Thanks, I have Superantispyware, Malwarebytes, HijackThis, NoAdware and AdAware. Some provide logfiles in Notepad format, some available only as screenshots.
    Logfile created: 10/18/2009 10:27:13
    Lavasoft Ad-Aware version: 8.0.8
    Extended engine version: 8.1
    User performing scan: Yury

    *********************** Definitions database information ***********************
    Lavasoft definition file: 149.73
    Extended engine definition file: 8.1

    ******************************** Scan results: *********************************
    Scan profile name: Default Profile (ID: defaultprofile)
    Objects scanned: 70365
    Objects detected: 65


    Type Detected
    ==========================
    Processes.......: 0
    Registry entries: 0
    Hostfile entries: 0
    Files...........: 1
    Folders.........: 0
    LSPs............: 0
    Cookies.........: 64
    Browser hijacks.: 0
    MRU objects.....: 0



    Removed items:
    Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
    Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
    Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
    Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
    Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
    Description: *hitbox* Family Name: Cookies Clean status: Success Item ID: 408858 Family ID: 0
    Description: *.hitbox* Family Name: Cookies Clean status: Success Item ID: 409072 Family ID: 0
    Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
    Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
    Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
    Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0
    Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0
    Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
    Description: *traffic.buyservices* Family Name: Cookies Clean status: Success Item ID: 409120 Family ID: 0
    Description: www.buy* Family Name: Cookies Clean status: Success Item ID: 409113 Family ID: 0
    Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
    Description: *estat* Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0
    Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
    Description: *clickbank* Family Name: Cookies Clean status: Success Item ID: 408890 Family ID: 0
    Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
    Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
    Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
    Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
    Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
    Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
    Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
    Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0
    Description: *.bridgetrack* Family Name: Cookies Clean status: Success Item ID: 409095 Family ID: 0
    Description: *statcounter* Family Name: Cookies Clean status: Success Item ID: 409185 Family ID: 0
    Description: *rambler* Family Name: Cookies Clean status: Success Item ID: 408818 Family ID: 0
    Description: *kontera* Family Name: Cookies Clean status: Success Item ID: 409363 Family ID: 0
    Description: *.zedo* Family Name: Cookies Clean status: Success Item ID: 409030 Family ID: 0
    Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
    Description: *247realmedia* Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0
    Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
    Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
    Description: *unicast* Family Name: Cookies Clean status: Success Item ID: 409281 Family ID: 0
    Description: *casalemedia* Family Name: Cookies Clean status: Success Item ID: 409152 Family ID: 0
    Description: *adbrite* Family Name: Cookies Clean status: Success Item ID: 409218 Family ID: 0
    Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0
    Description: *insightexpressai* Family Name: Cookies Clean status: Success Item ID: 409259 Family ID: 0
    Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
    Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
    Description: *coremetrics* Family Name: Cookies Clean status: Success Item ID: 409008 Family ID: 0
    Description: *data.coremetrics* Family Name: Cookies Clean status: Success Item ID: 409220 Family ID: 0
    Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
    Description: *bizrate.co* Family Name: Cookies Clean status: Success Item ID: 409154 Family ID: 0
    Description: *omniture* Family Name: Cookies Clean status: Success Item ID: 408835 Family ID: 0
    Description: *.stats.esomniture* Family Name: Cookies Clean status: Success Item ID: 409181 Family ID: 0
    Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
    Description: *overstock* Family Name: Cookies Clean status: Success Item ID: 409142 Family ID: 0
    Description: stat.dealtime* Family Name: Cookies Clean status: Success Item ID: 409126 Family ID: 0
    Description: *dealtime* Family Name: Cookies Clean status: Success Item ID: 409235 Family ID: 0
    Description: www.new* Family Name: Cookies Clean status: Success Item ID: 409109 Family ID: 0
    Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
    Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
    Description: *adfarm1.adition* Family Name: Cookies Clean status: Success Item ID: 409171 Family ID: 0
    Description: *statse.webtrends* Family Name: Cookies Clean status: Success Item ID: 408803 Family ID: 0
    Description: *webtrendslive* Family Name: Cookies Clean status: Success Item ID: 408954 Family ID: 0
    Description: *.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409033 Family ID: 0
    Description: *statse.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409269 Family ID: 0
    Description: *betanews* Family Name: Cookies Clean status: Success Item ID: 409366 Family ID: 0
    Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
    Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0

    Quarantined items:
    Description: C:\System Volume Information\_restore{623B90B6-EE30-41CA-AAF4-AB3240FFA45D}\RP2\A0000003.exe Family Name: Win32.Adware.Dap Clean status: Success Item ID: 1386166 Family ID: 5458

    Scan and cleaning complete: Finished correctly after 1448 seconds

    *********************************** Settings ***********************************

    Scan profile:
    ID: defaultprofile, enabled:1, value: Default Profile
    ID: scancriticalareas, enabled:1, value: true
    ID: scanrunningapps, enabled:1, value: true
    ID: scanregistry, enabled:1, value: true
    ID: scanlsp, enabled:1, value: true
    ID: scanads, enabled:1, value: true
    ID: scanhostsfile, enabled:1, value: true
    ID: scanmru, enabled:1, value: true
    ID: scanbrowserhijacks, enabled:1, value: true
    ID: scantrackingcookies, enabled:1, value: true
    ID: closebrowsers, enabled:1, value: false
    ID: folderstoscan, enabled:1, value: C:\
    ID: usespywareheuristics, enabled:1, value: true
    ID: extendedengine, enabled:0, value: false
    ID: useheuristics, enabled:0, value: false
    ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
    ID: filescanningoptions, enabled:1
    ID: archives, enabled:1, value: true
    ID: onlyexecutables, enabled:1, value: false
    ID: skiplargerthan, enabled:1, value: 20480
    ID: scanrootkits, enabled:1, value: true

    Scan global:
    ID: global, enabled:1
    ID: addtocontextmenu, enabled:1, value: true
    ID: playsoundoninfection, enabled:1, value: false
    ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

    Scheduled scan settings:
    <Empty>

    Update settings:
    ID: updates, enabled:1
    ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
    ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
    ID: schedules, enabled:1, value: true
    ID: updatedaily, enabled:1, value: Daily
    ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
    ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: false
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: false
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false
    ID: updateweekly, enabled:1, value: Weekly
    ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
    ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
    ID: weekdays, enabled:1
    ID: monday, enabled:1, value: true
    ID: tuesday, enabled:1, value: false
    ID: wednesday, enabled:1, value: true
    ID: thursday, enabled:1, value: false
    ID: friday, enabled:1, value: false
    ID: saturday, enabled:1, value: false
    ID: sunday, enabled:1, value: false
    ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
    ID: scanprofile, enabled:1, value:
    ID: auto_deal_with_infections, enabled:1, value: false

    Appearance settings:
    ID: appearance, enabled:1
    ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
    ID: showtrayicon, enabled:1, value: true
    ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

    Realtime protection settings:
    ID: realtime, enabled:1
    ID: processprotection, enabled:1, value: true
    ID: registryprotection, enabled:0, value: false
    ID: networkprotection, enabled:0, value: false
    ID: usespywareheuristics, enabled:0, value: false
    ID: extendedengine, enabled:0, value: false
    ID: useheuristics, enabled:0, value: false
    ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
    ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


    ****************************** System information ******************************
    Computer name: YUHRTW
    Processor name: Intel(R) Pentium(R) 4 CPU 2.40GHz
    Processor identifier: x86 Family 15 Model 2 Stepping 7
    Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 519, number of processors 1
    Physical memory available: 463400960 bytes
    Physical memory total: 1072480256 bytes
    Virtual memory available: 1943105536 bytes
    Virtual memory total: 2147352576 bytes
    Memory load: 56%
    Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Windows startup mode:

    Running processes:
    PID: 624 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 692 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 716 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 760 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 772 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 928 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 996 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
    PID: 1092 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1220 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 1456 name: E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1556 name: E:\Program Files\Alwil Software\Avast4\ashServ.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1924 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 480 name: C:\WINDOWS\Explorer.EXE owner: Yury domain: YUHRTW
    PID: 496 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 384 name: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 132 name: C:\Program Files\iolo\common\lib\ioloServiceManager.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1052 name: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe owner: Yury domain: YUHRTW
    PID: 1148 name: E:\Program Files\Process Lasso\processlasso.exe owner: Yury domain: YUHRTW
    PID: 1208 name: C:\Program Files\Logitech\MouseWare\system\em_exec.exe owner: Yury domain: YUHRTW
    PID: 1204 name: E:\Program Files\Process Lasso\processgovernor.exe owner: Yury domain: YUHRTW
    PID: 1300 name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1304 name: E:\Program Files\NoAdware\NoAdware5.exe owner: Yury domain: YUHRTW
    PID: 1408 name: C:\WINDOWS\system32\pctspk.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1692 name: E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 808 name: E:\Program Files\Alwil Software\Avast4\ashWebSv.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 356 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1248 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
    PID: 3620 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 4016 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 1812 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
    PID: 3716 name: E:\Program Files\Mozilla Firefox\firefox.exe owner: Yury domain: YUHRTW
    PID: 3824 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Yury domain: YUHRTW

    Startup items:
    Name: RunNarrator
    imagepath: Narrator.exe
    Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
    imagepath: Browseui preloader
    Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
    imagepath: Component Categories cache daemon
    Name: Logitech Utility
    imagepath: Logi_MwX.Exe
    Name: avast!
    imagepath: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    Name: ProcessSupervisorGUI
    imagepath: E:\Program Files\Process Lasso\processlasso.exe
    Name: ProcessGovernor
    imagepath: E:\Program Files\Process Lasso\processgovernor.exe
    Name: Adobe Reader Speed Launcher
    imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    Name: PostBootReminder
    imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
    Name: CDBurn
    imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
    Name: WebCheck
    imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
    Name: SysTray
    imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
    Name: WPDShServiceObj
    imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
    Name:
    imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    Name:
    imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

    Bootexecute items:
    Name:
    imagepath: autocheck autochk *
    Name:
    imagepath: autocheck smrgdf C:\Documents and Settings\Yury\Application Data\iolo\
    Name:
    imagepath: lsdelete

    Running services:
    Name: ALG
    displayname: Application Layer Gateway Service
    Name: aswUpdSv
    displayname: avast! iAVS4 Control Service
    Name: AudioSrv
    displayname: Windows Audio
    Name: avast! Antivirus
    displayname: avast! Antivirus
    Name: avast! Mail Scanner
    displayname: avast! Mail Scanner
    Name: avast! Web Scanner
    displayname: avast! Web Scanner
    Name: Bonjour Service
    displayname: Bonjour Service
    Name: CryptSvc
    displayname: CryptSvc
    Name: DcomLaunch
    displayname: DCOM Server Process Launcher
    Name: Dhcp
    displayname: DHCP Client
    Name: dmserver
    displayname: Logical Disk Manager
    Name: ERSvc
    displayname: Error Reporting Service
    Name: Eventlog
    displayname: Event Log
    Name: EventSystem
    displayname: COM+ Event System
    Name: gusvc
    displayname: Google Updater Service
    Name: helpsvc
    displayname: Help and Support
    Name: HidServ
    displayname: HID Input Service
    Name: ioloFileInfoList
    displayname: iolo FileInfoList Service
    Name: ioloSystemService
    displayname: iolo System Service
    Name: lanmanworkstation
    displayname: Workstation
    Name: Lavasoft Ad-Aware Service
    displayname: Lavasoft Ad-Aware Service
    Name: LightScribeService
    displayname: LightScribeService Direct Disc Labeling Service
    Name: LmHosts
    displayname: TCP/IP NetBIOS Helper
    Name: Netman
    displayname: Network Connections
    Name: Nla
    displayname: Network Location Awareness (NLA)
    Name: NWCWorkstation
    displayname: Client Service for NetWare
    Name: Pctspk
    displayname: PCTEL Speaker Phone
    Name: PlugPlay
    displayname: Plug and Play
    Name: ProtectedStorage
    displayname: Protected Storage
    Name: RasMan
    displayname: Remote Access Connection Manager
    Name: RpcSs
    displayname: Remote Procedure Call (RPC)
    Name: SamSs
    displayname: Security Accounts Manager
    Name: Schedule
    displayname: Task Scheduler
    Name: seclogon
    displayname: Secondary Logon
    Name: SENS
    displayname: System Event Notification
    Name: SharedAccess
    displayname: Windows Firewall/Internet Connection Sharing (ICS)
    Name: ShellHWDetection
    displayname: Shell Hardware Detection
    Name: Spooler
    displayname: Print Spooler
    Name: srservice
    displayname: System Restore Service
    Name: SSDPSRV
    displayname: SSDP Discovery Service
    Name: stisvc
    displayname: Windows Image Acquisition (WIA)
    Name: TapiSrv
    displayname: Telephony
    Name: Themes
    displayname: Themes
    Name: W32Time
    displayname: Windows Time
    Name: winmgmt
    displayname: Windows Management Instrumentation
    Name: wscsvc
    displayname: Security Center
    Name: WZCSVC
    displayname: Wireless Zero Configuration


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:47:17 AM, on 10/18/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    E:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    E:\Program Files\Process Lasso\processlasso.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    E:\Program Files\Process Lasso\processgovernor.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    E:\Program Files\NoAdware\NoAdware5.exe
    C:\WINDOWS\system32\pctspk.exe
    E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\wbem\unsecapp.exe
    E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\System32\svchost.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
    O2 - BHO: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
    O3 - Toolbar: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ProcessSupervisorGUI] E:\Program Files\Process Lasso\processlasso.exe
    O4 - HKLM\..\Run: [ProcessGovernor] E:\Program Files\Process Lasso\processgovernor.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [TClockEx] E:\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [NoAdware5] "E:\Program Files\NoAdware\NoAdware5.exe" :Min:
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirvana/controls/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236737152390
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Nirvana/controls/DiskMD3Ctrl.dll
    O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirvana/controls/pcpitstopAntiVirus.dll
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirvana/controls/pcpitstop2.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

    --
    End of file - 8972 bytes

    Malwarebytes' Anti-Malware 1.41
    Database version: 2775
    Windows 5.1.2600 Service Pack 3

    10/18/2009 10:11:50 AM
    mbam-log-2009-10-18 (10-11-50).txt

    Scan type: Quick Scan
    Objects scanned: 105989
    Time elapsed: 4 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    superantispyware.bmp
  5. Member
    Join Date
    Feb 2009
    Location
    United States
    Dmusic is part of a free music download program; it might be a trojan. I would uninstall it. If that didn't fix your problem, I would try running full deep scans w/ Avira, AVG and maybe Avast until I got the problem rooted out.

    ocgw

    peace
    i7 2700K @ 4.4Ghz 16GB DDR3 1600 Samsung Pro 840 128GB Seagate 2TB HDD EVGA GTX 650
    https://forum.videohelp.com/topic368691.html
  6. i'd add gmer.exe, mbr.exe, and catchme.exe to the list of anti-badthings to run. avast free is very good also.
  7. Member
    Join Date
    Aug 2005
    Location
    usa
    Attached is a screenshot of Search results (cannot be copied). It appears to be a part of Windows, not malware. According to M$, it's somehow related to Kernel DLS, also part of Windows, since it is listed in Device Manager and does not show up in any of the antimalware programs. Is it possible that the music download program you refer to has a namesake? According to Search results, none of the found files is malware. The last listed one is on my desktop: it's the name I gave to my screenshot.

    dmusic.bmp
  8. yes i'd agree dmusic.dll can be a standard m.s. system32 .dll but it shouldn't load and have an ! in devices. i've never seen it load on any xp computer.

    what's the date on the system32 .dll? is it 4-14-2008? and file properties look like this?


    2009-10-22_191343.bmp
  9. Member
    Join Date
    Aug 2005
    Location
    usa
    New Start>Search looks slightly different: attachment. There are 4 *.dll files. From the top down: 1. Created: 9/26/08, Modified: 7/17/08(?); 2. C 4/13/08, M 8/4/04(?); 3. C 9/27/09, M 7/9/04(?); 4. C 7/17/04, M 4/13/08.
    Such illogical results are seen pretty often in Properties, at least on this PC.
    Yes, it looks exactly like yours.

    dmusic2.bmp
  10. Member
    Join Date
    Aug 2005
    Location
    usa
    gmer results are att., but are useless to me, as I cannot understand or interpret them. mbr.exe found 1 medium infection: rpff.dll\Mozilla FF. Should I mark it as False Positive?
    The latter appears easy (and fast) to operate, no puzzles, just remove the threat. But it is very annoying: its little window pops up above the clock and asks me about real time protection. Right now I don't have enough experience with it, cannot make a $30 decision without your help. Is it worth it?
    Catchme is pending: if it turns out as simple as described (i.e. is able to delete malicious files automatically), I'll download it.

    gmer,%2010-22-09.txt
  11. Member
    Join Date
    Feb 2009
    Location
    United States
    Originally Posted by yuhr
    gmer results are att., but are useless to me, as I cannot understand or interpret them. mbr.exe found 1 medium infection: rpff.dll\Mozilla FF. Should I mark it as False Positive?
    The latter appears easy (and fast) to operate, no puzzles, just remove the threat. But it is very annoying: its little window pops up above the clock and asks me about real time protection. Right now I don't have enough experience with it, cannot make a $30 decision without your help. Is it worth it?
    Catchme is pending: if it turns out as simple as described (i.e. is able to delete malicious files automatically), I'll download it.

    gmer,%2010-22-09.txt
    This is Dmusic

    http://www.dmusic.com/

    It is NOT part of any M$ OS

    If you have this on your system remove it

    ocgw

    peace
    i7 2700K @ 4.4Ghz 16GB DDR3 1600 Samsung Pro 840 128GB Seagate 2TB HDD EVGA GTX 650
    https://forum.videohelp.com/topic368691.html
  12. dmusic.dll is part of m.s. os's since windows 95.

    post the gmer first screen when it completes after first starting it. if nothing is in red then a full scan isn't needed.

    go into windows/system32/ and right click on the dmusic.dll file. select properties. does it match the picture i posted?

    except for avast, all the programs i listed are free. i wouldn't pay for the avast real time protection, unless you feel it's needed for the type of sites you visit.
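The check discussed in the posts above (which dmusic.* files exist under the Windows directory, and what their Properties say), as an added PowerShell example that is not part of any poster's message. It assumes Windows PowerShell 5.1 or later; the function name `Get-DmusicInventory` is hypothetical.

```powershell
# Added example, not from the thread. The function name is hypothetical.
# Lists every dmusic.* file under the Windows directory with the fields the
# Properties dialog shows, plus a hash and the Authenticode status, so that
# copies found in different folders can be compared side by side.
function Get-DmusicInventory {
    param([string]$Root = $env:SystemRoot)

    Get-ChildItem -Path $Root -Recurse -Filter 'dmusic.*' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Company     = $_.VersionInfo.CompanyName
                Description = $_.VersionInfo.FileDescription
                FileVersion = $_.VersionInfo.FileVersion
                Created     = $_.CreationTime
                Modified    = $_.LastWriteTime
                SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # On older Windows releases, catalog-signed system files can
                # report NotSigned here even though they are genuine.
                SigStatus   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

$files = Get-DmusicInventory
$files | Sort-Object Path | Format-List

# Same file name with more than one distinct hash: the copies differ and are
# worth a closer look (different service-pack levels also cause this).
$files | Group-Object { (Split-Path $_.Path -Leaf).ToLower() } | ForEach-Object {
    $hashes = @($_.Group | Select-Object -ExpandProperty SHA256 -Unique)
    if ($hashes.Count -gt 1) {
        "{0}: {1} copies, {2} distinct hashes" -f $_.Name, $_.Group.Count, $hashes.Count
    }
}
```

The version fields and hash are independent of the Created/Modified timestamps, which change when files are copied or restored.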
  13. Member
    Join Date
    Aug 2005
    Location
    usa
    ocgw, with all my respect: your link is to www.dmusic.com/ .
    I just found C:\windows\System32 .
    They have one part of their name in common; the suffixes are very different. Yours is a web address, mine is part of the Windows file path. I am not sure it's possible to uninstall it (i.e. without uninstalling Windows).
    Go to this site: http://msdn.microsoft.com/en-us/library/aa940369(WinEmbedded.5).aspx and read about the dmusic.sys file (it's not about www.dmusic.com/).
    According to this file's Properties, it was created in 2004 (although I never pay much attention to Properties: my PC was built in '03, Service Pack 3 was added much later than 2004).


