Jump to content

Windows XP Recovery virus


Fordy
 Share

Recommended Posts

Hi,

Someone has brought me their PC to try and assist as they believe it has a trojan virus.

The PC would not boot up and was booting into a blue screen with lots of writing on it. They booted from the original CD ROM and reinstalled Windows. This then allowed them to start windows but when they did they were faced with lots of pop ups regarding issues with RAM and the hard drive and what appeared to be the Windows recovery console was displayed. At this point they ran a Malwarebytes quick scan which picked up a large number of issues. They also then installed superantispyware which found a lot more issues. They selected for the software to deal with the problems on both occasions and now the pop ups etc have stopped.

What they now have is a PC which appears to be on a very old version of windows prior to service pack 1a. On one of the user profiles the files still appear to be hidden following the virus. On selecting to install new files on the PC itbrings up the error "the procedure entry point xx could not be located in the dynamic link library xx".

This is all beyond my nunderstanding so I was hoping that you can help to just ensure all virus issues have been sorted and restore the PC to be fully working again.

I've run the dds application and got the following:

dds

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2800.1106

Run by Geoffery at 19:53:06 on 2011-10-27

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.43 [GMT 1:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\WINDOWS\System32\lexpps.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.freeserve.com/

uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm

uSearch Bar = hxxp://www.websearch.com/ie.aspx?tb_id=50245

uInternet Settings,ProxyOverride = <local>

mSearchAssistant = hxxp://www.websearch.com/ie.aspx?tb_id=50245

mCustomizeSearch =

uURLSearchHooks: H - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: Freeserve: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\freese~1\fsbar\FSBar.dll

TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe

mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm

IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284129697171

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{3E176829-9D27-47D4-A4CE-0834311C956E} : DhcpNameServer = 192.168.1.254

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SEH: {9914B4D2-F63E-48C1-ABA6-635153835DAC} - No File

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Authentication Packages = msv1_0 c:\windows\system32\gebca.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\geoffery\application data\mozilla\firefox\profiles\w34bwcdg.default\

FF - prefs.js: network.proxy.type - 0

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]

R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-8-19 116336]

R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 34992]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVENG.SYS [2003-5-16 61732]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVEX15.SYS [2003-5-16 519333]

R3 SAVRT;SAVRT;c:\windows\system32\drivers\savrt.sys [2002-7-25 235184]

S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

============= FINISH: 19:54:17.01 ===============

attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 25/10/2011 23:48:26

System Uptime: 27/10/2011 07:36:37 (12 hours ago)

.

Motherboard: Dell Computer Corporation | | 07W080

Processor: Intel® Pentium® 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 28 GiB total, 22.303 GiB free.

D: is CDROM (CDFS)

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 25/10/2011 22:53:29 - System Checkpoint

RP2: 26/10/2011 23:24:50 - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Download Manager 2.0 (Remove Only)

Adobe Reader 6.0.1

AOL UK

BACS

Broadcom Advanced Control Suite

Canon PhotoRecord

Canon PowerShot A200 WIA Driver

Canon Utilities PhotoStitch 3.1

Canon Utilities RemoteCapture 2.5

Canon Utilities ZoomBrowser EX

Conexant SmartHSFi V92 56K DF PCI Modem

Dell Picture Studio - Dell Image Expert

Dell Solution Center

Digital Line Detect

DVDSentry

Easy CD Creator 5 Basic

Freeserve Search toolbar

Help and Support Customization

Intel® Extreme Graphics Driver

Lexmark Supplies Monitor

Lexmark Z25-Z35

LiveReg (Symantec Corporation)

LiveUpdate 1.80 (Symantec Corporation)

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft Works 7.0

Modem Helper

Mozilla Firefox 7.0.1 (x86 en-GB)

NetWaiting

Norton AntiVirus 2003

Orange Search Toolbar

Paint Shop Pro 7

PowerDVD

RealPlayer Basic

Search Relevancy

Security Update for Step By Step Interactive Training (KB898458)

SelectRebates

SUPERAntiSpyware

Tiscali 10.0

Tiscali Messenger 2.0

Viewpoint Media Player (Remove Only)

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

.

==== Event Viewer Messages From Past Week ========

.

26/10/2011 22:00:57, error: Service Control Manager [7034] - The WinTools for IE service service terminated unexpectedly. It has done this 1 time(s).

25/10/2011 23:58:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZESOFT service to connect.

25/10/2011 23:58:41, error: Service Control Manager [7000] - The ZESOFT service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

25/10/2011 23:49:02, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

25/10/2011 23:43:57, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

.

==== End Of File ===========================

Hope you can help.

Regards

David

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Link to post
Share on other sites

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Really appreciate your support with this thanks.

MBAM log, combofix log and 2 DDS logs follow below:-

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8064

Windows 5.1.2600 Service Pack 1

Internet Explorer 6.0.2800.1106

01/11/2011 21:50:43

mbam-log-2011-11-01 (21-50-43).txt

Scan type: Quick scan

Objects scanned: 167696

Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Combofix Log

ComboFix 11-11-01.04 - Geoffery 01/11/2011 22:09:11.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.125 [GMT 0:00]

Running from: c:\documents and settings\Geoffery\Desktop\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Start Menu\Programs\Zango

c:\documents and settings\All Users\Start Menu\Programs\Zango\Reset Cursor.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Customer Support Center.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Games!.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Library.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Screensavers!.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnk

c:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Videos!.lnk

c:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repair

c:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk

c:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk

c:\documents and settings\Geoffery\WINDOWS

c:\program files\Toolbar

c:\program files\Toolbar\common.dll

c:\program files\Toolbar\CT5Upd.exe

c:\program files\Toolbar\ctupgd.exe

c:\program files\Toolbar\ctupgrd.dll

c:\program files\Toolbar\Cursors\cursors.xml

c:\program files\Toolbar\gykhxlmu.rmr

c:\program files\Toolbar\nzqlihv.wzg

c:\program files\Toolbar\rw.wzg

c:\program files\Toolbar\TBPS.dat

c:\program files\Toolbar\Update\tb3.cab

c:\program files\Toolbar\Update\zwipvbh.wzg

c:\program files\Toolbar\xlmurin.wzg

c:\program files\Toolbar\xzxsv.wzg

c:\program files\Toolbar\yildhvi.olt

c:\program files\Toolbar\yywr.wzg

c:\program files\Toolbar\yywsv.wzg

c:\program files\Toolbar\zwipvbh.wzg

c:\windows\system32\0cfvmd4p.dat

c:\windows\system32\9mjuabbh.dat

c:\windows\system32\adxldkmm.ini

c:\windows\system32\aifvjvox.ini

c:\windows\system32\bdmthdgx.ini

c:\windows\system32\biribykr.ini

c:\windows\system32\btkrxayd.ini

c:\windows\system32\cjmjedke.ini

c:\windows\system32\cvyjgycj.ini

c:\windows\system32\dayqoqsb.ini

c:\windows\system32\dpjosfqh.ini

c:\windows\system32\dwwtekcf.ini

c:\windows\system32\ecaerssl.exe

c:\windows\system32\elkhmoeu.ini

c:\windows\system32\extpbdaj.ini

c:\windows\system32\fauhmkjl.ini

c:\windows\system32\feewthmy.ini

c:\windows\system32\fejkqawt.ini

c:\windows\system32\ffohqpug.ini

c:\windows\system32\fgcqnxnp.ini

c:\windows\system32\fxpafpfq.ini

c:\windows\system32\fxqliivf.ini

c:\windows\system32\gpgrytrd.ini

c:\windows\system32\griiodkw.ini

c:\windows\system32\grpipmki.ini

c:\windows\system32\gtqdjsaf.ini

c:\windows\system32\hddkuerr.ini

c:\windows\system32\hflbgnva.ini

c:\windows\system32\hxkkpnce.ini

c:\windows\system32\hyhxstoj.ini

c:\windows\system32\ikgdjldy.ini

c:\windows\system32\ilytlsxn.ini

c:\windows\system32\ithmmoff.ini

c:\windows\system32\iypgujxq.ini

c:\windows\system32\iytgsedv.ini

c:\windows\system32\jiixffih.ini

c:\windows\system32\jkfosxxq.ini

c:\windows\system32\jtjrokjt.ini

c:\windows\system32\jvukktcg.ini

c:\windows\system32\kcavemxg.ini

c:\windows\system32\kmpacjsf.ini

c:\windows\system32\kovimgyg.ini

c:\windows\system32\kuyfnelu.ini

c:\windows\system32\kvdtwyti.ini

c:\windows\system32\lklinhao.ini

c:\windows\system32\lnunxymw.ini

c:\windows\system32\lxfnffog.ini

c:\windows\system32\mbohqopc.ini

c:\windows\system32\mkuiytpo.ini

c:\windows\system32\mvjdanda.ini

c:\windows\system32\nawkyfgv.ini

c:\windows\system32\nnydayra.ini

c:\windows\system32\nsucpxlg.ini

c:\windows\system32\ntgvirvo.ini

c:\windows\system32\nvfewfpb.ini

c:\windows\system32\octrixue.ini

c:\windows\system32\ojvfucfm.ini

c:\windows\system32\oltalenh.ini

c:\windows\system32\opuowxll.ini

c:\windows\system32\otevbgsq.ini

c:\windows\system32\oxorvamx.exe

c:\windows\system32\oyqdvqin.ini

c:\windows\system32\pgnmlygs.ini

c:\windows\system32\phhcwipv.ini

c:\windows\system32\phobcjxr.ini

c:\windows\system32\phrwtslf.ini

c:\windows\system32\popfiesu.ini

c:\windows\system32\psuqaipu.ini

c:\windows\system32\qkixthnr.ini

c:\windows\system32\rdgtfbqb.ini

c:\windows\system32\rjekemeb.ini

c:\windows\system32\rtbvcdra.ini

c:\windows\system32\sdexgpmr.ini

c:\windows\system32\sibmpwka.ini

c:\windows\system32\tboryjoq.ini

c:\windows\system32\tdxhfuas.ini

c:\windows\system32\tosvrnbx.exe

c:\windows\system32\tslfkvfb.ini

c:\windows\system32\twqcphmi.ini

c:\windows\system32\uaolboax.ini

c:\windows\system32\uccttyeb.ini

c:\windows\system32\ujwmrwpc.ini

c:\windows\system32\umocxykp.exe

c:\windows\system32\uwqyqhjb.exe

c:\windows\system32\uyscxkos.ini

c:\windows\system32\vbxjqcpw.ini

c:\windows\system32\veqbjtld.ini

c:\windows\system32\vuxoebxe.ini

c:\windows\system32\xakbnltv.ini

c:\windows\system32\xixhuuuf.ini

c:\windows\system32\xluccjcg.ini

c:\windows\system32\yidkhvsl.ini

c:\windows\system32\yopphctd.exe

c:\windows\SYSTEM32\ywrppbpt.ini

c:\windows\SYSTEM32\ywrppbpt.ini2

c:\windows\SYSTEM32\ywrppbpt.tmp

c:\windows\TSOC.LOG

.

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected

Restored copy from - c:\i386\QMGR.DLL

.

.

((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))

.

.

2011-10-26 21:52 . 2011-10-26 21:52 -------- d-----w- c:\documents and settings\Monica\Application Data\SUPERAntiSpyware.com

2011-10-26 21:51 . 2011-10-26 21:52 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-26 21:51 . 2011-10-26 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2011-10-26 21:37 . 2011-10-26 21:37 -------- d-s---w- c:\documents and settings\Monica\UserData

2011-10-26 21:20 . 2011-10-26 21:20 -------- d-----w- c:\documents and settings\Monica\Local Settings\Application Data\Mozilla

2011-10-26 21:10 . 2011-10-26 21:10 -------- d-----w- c:\documents and settings\Geoffery\Local Settings\Application Data\Mozilla

2011-10-26 21:00 . 2011-10-26 21:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-26 20:53 . 2011-10-26 21:08 -------- d-----w- c:\documents and settings\Geoffery\Local Settings\Application Data\Google

2011-10-26 19:10 . 2011-10-26 19:10 -------- d--h--w- c:\documents and settings\Geoffery\Application Data\Malwarebytes

2011-10-26 19:07 . 2011-10-26 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-26 19:07 . 2011-08-31 17:00 20552 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-26 19:07 . 2011-11-01 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-26 19:03 . 2002-08-29 00:32 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2011-10-25 21:57 . 2003-01-13 12:50 151552 ----a-w- c:\windows\system32\igfxres.dll

2011-10-25 21:48 . 2002-09-03 17:11 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

2011-10-25 21:48 . 2002-09-03 17:11 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys

2011-10-25 21:48 . 2002-09-03 17:10 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll

2011-10-25 21:48 . 2002-09-03 16:26 86074 -c--a-w- c:\windows\system32\dllcache\voicesub.dll

2011-10-25 21:48 . 2002-09-03 16:26 426042 -c--a-w- c:\windows\system32\dllcache\voicepad.dll

2011-10-25 21:48 . 2002-09-03 16:26 72192 -c--a-w- c:\windows\system32\dllcache\uniime.dll

2011-10-25 21:46 . 2002-09-03 16:41 6656 -c--a-w- c:\windows\system32\dllcache\migregdb.exe

2011-10-25 21:45 . 2002-09-03 16:29 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe

2011-10-25 21:42 . 2002-09-03 17:10 27648 -c--a-w- c:\windows\system32\dllcache\wabmig.exe

2011-10-25 21:40 . 2002-09-03 16:46 83968 -c--a-w- c:\windows\system32\dllcache\mtxoci.dll

2011-10-25 21:30 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SET72.tmp

2011-10-25 21:30 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET54.tmp

2011-10-25 21:30 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET3F.tmp

2011-10-25 20:57 . 2002-08-29 02:40 20480 ----a-w- c:\windows\system32\hidserv.dll

2011-10-25 20:57 . 2001-08-17 12:48 13952 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-10-25 20:57 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-10-25 20:54 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SET71.tmp

2011-10-25 20:54 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET53.tmp

2011-10-25 20:54 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET3E.tmp

2011-10-25 19:47 . 2002-09-03 17:04 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-10-25 19:47 . 2002-09-03 17:04 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-10-25 19:47 . 2002-09-03 16:35 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-10-25 19:47 . 2002-09-03 16:35 13312 ----a-w- c:\windows\system32\irclass.dll

2011-10-25 19:47 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SETB1.tmp

2011-10-25 19:47 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET93.tmp

2011-10-25 19:47 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET7E.tmp

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-29 07:09 . 2011-10-26 21:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe

.

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll

.

c:\windows\System32\wscntfy.exe ... is missing !!

c:\windows\System32\xmlprov.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]

"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-05-16 26112]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]

"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-01-28 885760]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [2003-5-16 32839]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-16 24576]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608]

.

Contents of the 'Scheduled Tasks' folder

.

2003-06-14 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 04:00]

.

2011-01-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job

- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-19 21:24]

.

2003-06-14 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-05-16 08:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.freeserve.com/

uInternet Settings,ProxyOverride = <local>

IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm

IE: Search with Freeserve - c:\progra~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

TCP: DhcpNameServer = 192.168.1.254

FF - ProfilePath - c:\documents and settings\Geoffery\Application Data\Mozilla\Firefox\Profiles\w34bwcdg.default\

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

ShellExecuteHooks-{9914B4D2-F63E-48C1-ABA6-635153835DAC} - (no file)

AddRemove-8sk24fbg - c:\windows\8sk24fbg.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-01 22:21

Windows 5.1.2600 Service Pack 1 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Toolbar]

@DACL=(02 0000)

"TB_ID"="50245"

"CFG_VER"="\02.+-+-+-"

"CHECK_DAYS"="\02."

"CAPTION"="\02Pb^o`e\1dQlli_^o"

"AUTOHIGHLIGHT"="\02-"

"AUTOSEARCH"="\02."

"AUTOSESEARCH"="\02."

"AUTOCOMPLETE"="\02."

"USECTRLENTER"="\02."

"USEALTENTER"="\02."

"USESHIFTENTER"="\02."

"ALLOWUPDATE"="\02."

"KEEPHISTORY"="\02."

"PRESERVEHISTORY"="\02."

"NARROWSEARCH"="\02."

"AUTOSHOW"="\02."

"TAKEADSUPPORTSETTINGS"="\02."

"DISABLEADSUPPORTSEARCH"="\02."

"DIALOG_PAUSE"="\020-"

"REGISTRATION_PAUSE"="\02."

"URL_FOLDER_NAME"="\02Tb_\1dPb^o`e\1dQllip"

"URL_ITEMS_1"="\02Eljbyeqqm7,,ttt+tb_pb^o`e+`lj,"

"URL_ITEMS_2"="\02Cobnrbkqiv\1d>phba\1dNrbpqflkpyeqqm7,,ttt+tb_pb^o`e+`lj,Ebim,Ebim\\Qlli_^o+^pmu"

"URL_ITEMS_3"="\02Qbojp\1dlc\1dRpbyeqqm7,,ttt+tb_pb^o`e+`lj,ibd^i,qbojp+^pmu"

"URL_ITEMS_4"="\02Mofs^`v\1dMlif`vyeqqm7,,ttt+tb_pb^o`e+`lj,ibd^i,mofs^`v+^pmu"

"INSTALL_CONFIRM_1"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_Pq^qFkpqIld+^pju,PbqPq^qrp<Q_Fa:\"q_\\fa#Jlari:PQ0\\AII\\FK#QRFa:\"qrfa#fkcl:pb^o`efkpq^ii#pa^qb:\"fa^qb#pqfjb:\"fqfjb"

"UNINSTALL_CONFIRM"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_Pq^qFkpqIld+^pju,PbqPq^qrp<Q_Fa:\"q_\\fa#Jlari:PQ0\\AII\\RK#QRFa:\"qrfa#fkcl:pb^o`eobjls^i#pa^qb:\"fa^qb#pqfjb:\"fqfjb"

"INSTALL_CONFIRM_SYS"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_FkpqIld+^pju,DbqUJI<Q_Fa:\"q_\\fa#Q^phFa:\"q^ph\\fa#Jlari:@LKCFOJ#Bsbkq\\fa:PQ0\\PVP#Mltbo\\r:\"rpbop#fkcl:\"ob^plk#QRFA:\"qrfa"

"INSTALL_CONFIRM_SYSEX"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_FkpqIld+^pju,DbqUJI<Q_Fa:\"q_\\fa#Q^phFa:\"q^ph\\fa#Jlari:@LKCFOJ#Bsbkq\\fa:PQ0\\PVPBU#Mltbo\\r:\"rpbop#fkcl:\"ob^plk#QRFA:\"qrfa"

"RECOVERY_URL"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,aki,Q\\2-/12,Q?MP+`^_"

"NONUTF_DOMAINS"="\02fp.+yaf`qflk^ov+yqebp^rorp+y^j^wlk+"

"KEYWORDS_IMPORT"="\02tb_pb^o`e:eqqm7,,ttt+tb_pb^o`e+`ljypb^o`e:eqqm7,,ttt+tb_pb^o`e+`ljydlldib:eqqm7,,ttt+dlldib+`lj"

"BB_HELP_URL"="\02eqqm7,,ttt+tb_pb^o`e+`lj,ebim,ebim\\pq+^pmu n\\/54"

"SEARCH_INST"="\02wawfs)wde)eh_awfseuwjjsf)qowjdwjdoeh_awfskwoj)eh_videt)eh_pcjdsf)eatiudif)eh_awfsvlwedsf)dfinwj\1dqcwftsf)dfinwjpcjdsf)fkbdfnwj)eh_easshsf)aojhwdfil"

"BBDSERVICE"="\02eqqm7,,^p+^at^sb+`lj,^p+^pju,??A<q_fa:\"q_\\fa#qrfa:\"qrfa#pb^o`e\\nrbov:#bkdfkb\\k^jb:#lia\\alj:#`\\efpq:\"`\\efpq#kbt\\roi:\"kbt\\roi"

"OBE_FCAP"="\02.-"

"OVERRIDE_HOMEPAGE_DIALOG"="\02-"

"USEENTER"="\02-"

"USEAUTOSEARCH"="\02-"

"ERROR404"="\02-"

"OVERRIDE_AUTOSEARCH_DIALOG"="\02-"

"AUTO_SEARCH"="\02eqqm7,,po+tb_pb^o`e+`lj,^p+^pmu<n:\"pb^o`e#q:2-/12"

"ERROR_PAGE"="\02eqqm7,,^p+^at^sb+`lj,pb^o`e\\1-1+^pmu<^cc:.#n:\"p#@lab:\"`lab#q_\\fa:\"q_\\fa"

"USESEARCHASSISTANT"="\02."

"OVERRIDE_IESEARCH_DIALOG"="\02."

"SEARCH_PAGE"="\02eqqm7,,ttt+tb_pb^o`e+`lj,fb+^pmu<q_\\fa:\"q_\\fa"

"SEARCH_PAGE_INFO"="\02Tb_Pb^o`e+`lj"

"USEBB"="\02-"

"OVERRIDE_BBACTIVATE_DIALOG"="\02-"

"ACSIZE"="\02-"

"USEBBENH"="\02-"

"POPUPBLOCKER"="\02."

"OVERRIDE_JSDEBUG_DIALOG"="\02."

"DEACTIVATETOOLBARS"="\02."

"OVERRIDE_DEACTIVATE_DIALOG"="\02-"

"ITime"=hex:c5,a0,9c,2f,1c,c4,e2,40

"IGU"="\02x4B6164.C*?0@0*1B32*>@36*5AC.6315A@/.z"

"STUI"="\02S01>/.0>///C/@352-225C/.@.B5?C-B>4-/22041-042621131?1.1@212-260400/?/A/?/C02/A/A/?/B/B/A00"

"IEC"=dword:00000222

"SEC"=dword:00000000

"SOC"=dword:00000000

"UC"=dword:00000001

"AllowUseDefskin"="1"

"RTime"="38529.8852629398"

"UCL"="\02dblccbov\0a\07"

"LastCFG"=dword:00009687

"FIT"="\020510/+56.6/50116"

"LogCount"=dword:00000026

"NO_AUTOSEARCH_HOOK"="\02."

"IE_RESET"="\02."

"IE4"=dword:00000000

"IAS"=dword:00000000

"GSTC"=dword:00000018

"STC"=dword:00000000

"AVGSEARCH"="0.07"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(640)

c:\windows\System32\ODBC32.dll

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

- - - - - - - > 'lsass.exe'(696)

c:\windows\System32\dssenh.dll

.

- - - - - - - > 'explorer.exe'(2496)

c:\windows\System32\msi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\windows\wanmpsvc.exe

.

**************************************************************************

.

Completion time: 2011-11-01 22:28:49 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-01 22:28

.

Pre-Run: 23,821,475,840 bytes free

Post-Run: 23,756,296,192 bytes free

.

winxpsp1_en_hom_bf.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

.

- - End Of File - - 36BE41720041FF3196C3705F5BACFB3C

DDS Files

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2800.1106

Run by Geoffery at 22:29:37 on 2011-11-01

Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.85 [GMT 0:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.freeserve.com/

uInternet Settings,ProxyOverride = <local>

uURLSearchHooks: H - No File

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll

BHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll

BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll

TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll

TB: Freeserve: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\freese~1\fsbar\FSBar.dll

TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe

mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol70t~1.lnk - c:\program files\aol 7.0\aoltray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm

IE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htm

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284129697171

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{3E176829-9D27-47D4-A4CE-0834311C956E} : DhcpNameServer = 192.168.1.254

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\geoffery\application data\mozilla\firefox\profiles\w34bwcdg.default\

FF - prefs.js: network.proxy.type - 0

.

============= SERVICES / DRIVERS ===============

.

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]

R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 34992]

S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]

S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-8-19 116336]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVENG.SYS [2003-5-16 61732]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVEX15.SYS [2003-5-16 519333]

S3 SAVRT;SAVRT;c:\windows\system32\drivers\savrt.sys [2002-7-25 235184]

.

=============== Created Last 30 ================

.

2011-11-01 21:58:51 -------- d-sha-r- C:\cmdcons

2011-11-01 21:56:44 98816 ----a-w- c:\windows\sed.exe

2011-11-01 21:56:44 518144 ----a-w- c:\windows\SWREG.exe

2011-11-01 21:56:44 256000 ----a-w- c:\windows\PEV.exe

2011-11-01 21:56:44 208896 ----a-w- c:\windows\MBR.exe

2011-10-26 21:51:45 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-10-26 21:51:45 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2011-10-26 21:10:00 -------- d-----w- c:\documents and settings\geoffery\local settings\application data\Mozilla

2011-10-26 21:00:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-26 20:53:51 -------- d-----w- c:\documents and settings\geoffery\local settings\application data\Google

2011-10-26 19:10:57 -------- d-----w- c:\documents and settings\geoffery\application data\Malwarebytes

2011-10-26 19:07:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-26 19:07:43 20552 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-26 19:07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-26 19:03:39 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

2011-10-25 21:57:29 151552 ----a-w- c:\windows\system32\igfxres.dll

2011-10-25 21:48:07 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll

2011-10-25 21:48:07 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys

2011-10-25 21:48:04 86074 -c--a-w- c:\windows\system32\dllcache\voicesub.dll

2011-10-25 21:48:04 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll

2011-10-25 21:48:04 426042 -c--a-w- c:\windows\system32\dllcache\voicepad.dll

2011-10-25 21:48:00 72192 -c--a-w- c:\windows\system32\dllcache\uniime.dll

2011-10-25 21:46:49 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys

2011-10-25 21:45:46 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe

2011-10-25 21:42:21 43008 -c--a-w- c:\windows\system32\dllcache\wab.exe

2011-10-25 21:40:30 83968 -c--a-w- c:\windows\system32\dllcache\mtxoci.dll

2011-10-25 21:30:28 7046 ----a-r- c:\windows\SET72.tmp

2011-10-25 21:30:26 13608 ----a-r- c:\windows\SET54.tmp

2011-10-25 21:30:24 1086182 ----a-r- c:\windows\SET3F.tmp

2011-10-25 20:57:43 20480 ----a-w- c:\windows\system32\hidserv.dll

2011-10-25 20:57:41 13952 ----a-w- c:\windows\system32\drivers\kbdhid.sys

2011-10-25 20:57:35 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2011-10-25 20:54:15 7046 ----a-r- c:\windows\SET71.tmp

2011-10-25 20:54:13 13608 ----a-r- c:\windows\SET53.tmp

2011-10-25 20:54:11 1086182 ----a-r- c:\windows\SET3E.tmp

2011-10-25 19:47:42 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2011-10-25 19:47:42 24661 ----a-w- c:\windows\system32\spxcoins.dll

2011-10-25 19:47:42 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2011-10-25 19:47:42 13312 ----a-w- c:\windows\system32\irclass.dll

2011-10-25 19:47:22 7046 ----a-r- c:\windows\SETB1.tmp

2011-10-25 19:47:21 13608 ----a-r- c:\windows\SET93.tmp

2011-10-25 19:47:16 1086182 ----a-r- c:\windows\SET7E.tmp

.

==================== Find3M ====================

.

.

============= FINISH: 22:30:02.60 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 25/10/2011 23:48:26

System Uptime: 01/11/2011 22:20:59 (0 hours ago)

.

Motherboard: Dell Computer Corporation | | 07W080

Processor: Intel® Pentium® 4 CPU 2.00GHz | Socket 478 | 1993/400mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 28 GiB total, 22.15 GiB free.

D: is CDROM (CDFS)

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP1: 25/10/2011 22:53:29 - System Checkpoint

RP2: 26/10/2011 23:24:50 - System Checkpoint

RP3: 01/11/2011 21:57:02 - ComboFix created restore point

.

==== Installed Programs ======================

.

Adobe Download Manager 2.0 (Remove Only)

Adobe Reader 6.0.1

AOL UK

BACS

Broadcom Advanced Control Suite

Canon PhotoRecord

Canon PowerShot A200 WIA Driver

Canon Utilities PhotoStitch 3.1

Canon Utilities RemoteCapture 2.5

Canon Utilities ZoomBrowser EX

Conexant SmartHSFi V92 56K DF PCI Modem

Dell Picture Studio - Dell Image Expert

Dell Solution Center

Digital Line Detect

DVDSentry

Easy CD Creator 5 Basic

Freeserve Search toolbar

Help and Support Customization

Intel® Extreme Graphics Driver

Lexmark Supplies Monitor

Lexmark Z25-Z35

LiveReg (Symantec Corporation)

LiveUpdate 1.80 (Symantec Corporation)

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft Works 7.0

Modem Helper

Mozilla Firefox 7.0.1 (x86 en-GB)

NetWaiting

Norton AntiVirus 2003

Orange Search Toolbar

Paint Shop Pro 7

PowerDVD

RealPlayer Basic

Search Relevancy

Security Update for Step By Step Interactive Training (KB898458)

SUPERAntiSpyware

Tiscali 10.0

Tiscali Messenger 2.0

Viewpoint Media Player (Remove Only)

WebFldrs XP

Windows Genuine Advantage Validation Tool (KB892130)

.

==== Event Viewer Messages From Past Week ========

.

26/10/2011 22:00:57, error: Service Control Manager [7034] - The WinTools for IE service service terminated unexpectedly. It has done this 1 time(s).

25/10/2011 23:58:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZESOFT service to connect.

25/10/2011 23:58:41, error: Service Control Manager [7000] - The ZESOFT service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

25/10/2011 23:49:02, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

25/10/2011 23:43:57, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}

01/11/2011 22:23:04, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Terminal Services service to connect.

01/11/2011 22:23:04, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.

01/11/2011 22:23:04, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.

01/11/2011 22:23:04, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================

Once again Thanks for your help!

Regards

David

Link to post
Share on other sites

  • Staff

Hi,

Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):

Orange Search Toolbar

Restart your computer.

Your antivirus (Norton 2003) is incredibly old. Are you still paying for it?? If not, I highly recommend uninstalling it. All of the following are excellent free antiviruses. Be sure to only install one.

Microsoft Security Essentials (what I use)

AntiVir

avast!.

Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 1, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.

Let me know if the update was successful.

Link to post
Share on other sites

Thanks for all your help.

Removed Orange Search and the old Norton and replaced with a new version of Norton which is being kept uptodate now.

Updated Windows to service pack 3 and everything seems to be working OK.

Thanks again to everyone for their fantastic help on this forum.

Link to post
Share on other sites

  • Staff

Great!

I want to make sure that everything is actually okay. Please grab a fresh copy of ComboFix, run it, and post its log.

Run TFC by OldTimer to clear temporary files:

  • Please download TFC from here and save it to your desktop.
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

  • 3 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.