Fordy Posted October 27, 2011 ID:489435 Share Posted October 27, 2011 Hi,Someone has brought me their PC to try and assist as they believe it has a trojan virus.The PC would not boot up and was booting into a blue screen with lots of writing on it. They booted from the original CD ROM and reinstalled Windows. This then allowed them to start windows but when they did they were faced with lots of pop ups regarding issues with RAM and the hard drive and what appeared to be the Windows recovery console was displayed. At this point they ran a Malwarebytes quick scan which picked up a large number of issues. They also then installed superantispyware which found a lot more issues. They selected for the software to deal with the problems on both occasions and now the pop ups etc have stopped.What they now have is a PC which appears to be on a very old version of windows prior to service pack 1a. On one of the user profiles the files still appear to be hidden following the virus. On selecting to install new files on the PC itbrings up the error "the procedure entry point xx could not be located in the dynamic link library xx".This is all beyond my nunderstanding so I was hoping that you can help to just ensure all virus issues have been sorted and restore the PC to be fully working again.I've run the dds application and got the following:dds.DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 6.0.2800.1106Run by Geoffery at 19:53:06 on 2011-10-27Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.43 [GMT 1:00]..============== Running Processes ===============.C:\WINDOWS\system32\svchost -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\SUPERAntiSpyware\SASCORE.EXEC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\System32\svchost.exe -k imgsvcC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\hkcmd.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exeC:\WINDOWS\System32\LXSUPMON.EXEC:\WINDOWS\System32\lexpps.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Mozilla Firefox\firefox.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://www.freeserve.com/uDefault_Page_URL = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htmuSearch Bar = hxxp://www.websearch.com/ie.aspx?tb_id=50245uInternet Settings,ProxyOverride = <local>mSearchAssistant = hxxp://www.websearch.com/ie.aspx?tb_id=50245mCustomizeSearch = uURLSearchHooks: H - No FileBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dllBHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dllBHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dllTB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dllTB: Freeserve: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\freese~1\fsbar\FSBar.dllTB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dllEB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dllEB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dlluRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /backgroundmRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [DVDSentry] c:\windows\system32\DSentry.exemRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERmRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exemRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exemRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUNdRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEIE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htmIE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htmIE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htmIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXEIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dllDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284129697171DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabTCP: DhcpNameServer = 192.168.1.254TCP: Interfaces\{3E176829-9D27-47D4-A4CE-0834311C956E} : DhcpNameServer = 192.168.1.254Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLLNotify: igfxcui - igfxsrvc.dllSEH: {9914B4D2-F63E-48C1-ABA6-635153835DAC} - No FileSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLLLSA: Authentication Packages = msv1_0 c:\windows\system32\gebca.dll.================= FIREFOX ===================.FF - ProfilePath - c:\documents and settings\geoffery\application data\mozilla\firefox\profiles\w34bwcdg.default\FF - prefs.js: network.proxy.type - 0.============= SERVICES / DRIVERS ===============.R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-8-19 116336]R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 34992]R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVENG.SYS [2003-5-16 61732]R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVEX15.SYS [2003-5-16 519333]R3 SAVRT;SAVRT;c:\windows\system32\drivers\savrt.sys [2002-7-25 235184]S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176].=============== Created Last 30 ================..==================== Find3M ====================..============= FINISH: 19:54:17.01 ===============attachUNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2011-08-26.01).Microsoft Windows XP Home EditionBoot Device: \Device\HarddiskVolume2Install Date: 25/10/2011 23:48:26System Uptime: 27/10/2011 07:36:37 (12 hours ago).Motherboard: Dell Computer Corporation | | 07W080Processor: Intel® Pentium® 4 CPU 2.00GHz | Socket 478 | 1993/400mhz.==== Disk Partitions =========================.A: is RemovableC: is FIXED (NTFS) - 28 GiB total, 22.303 GiB free.D: is CDROM (CDFS)E: is CDROM ()F: is Removable.==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP1: 25/10/2011 22:53:29 - System CheckpointRP2: 26/10/2011 23:24:50 - System Checkpoint.==== Installed Programs ======================.Adobe Download Manager 2.0 (Remove Only)Adobe Reader 6.0.1AOL UKBACSBroadcom Advanced Control SuiteCanon PhotoRecordCanon PowerShot A200 WIA DriverCanon Utilities PhotoStitch 3.1Canon Utilities RemoteCapture 2.5Canon Utilities ZoomBrowser EXConexant SmartHSFi V92 56K DF PCI ModemDell Picture Studio - Dell Image ExpertDell Solution CenterDigital Line DetectDVDSentryEasy CD Creator 5 BasicFreeserve Search toolbarHelp and Support CustomizationIntel® Extreme Graphics DriverLexmark Supplies MonitorLexmark Z25-Z35LiveReg (Symantec Corporation)LiveUpdate 1.80 (Symantec Corporation)Malwarebytes' Anti-Malware version 1.51.2.1300Microsoft Works 7.0Modem HelperMozilla Firefox 7.0.1 (x86 en-GB)NetWaitingNorton AntiVirus 2003Orange Search ToolbarPaint Shop Pro 7PowerDVDRealPlayer BasicSearch RelevancySecurity Update for Step By Step Interactive Training (KB898458)SelectRebatesSUPERAntiSpywareTiscali 10.0Tiscali Messenger 2.0Viewpoint Media Player (Remove Only)WebFldrs XPWindows Genuine Advantage Validation Tool (KB892130).==== Event Viewer Messages From Past Week ========.26/10/2011 22:00:57, error: Service Control Manager [7034] - The WinTools for IE service service terminated unexpectedly. It has done this 1 time(s).25/10/2011 23:58:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZESOFT service to connect.25/10/2011 23:58:41, error: Service Control Manager [7000] - The ZESOFT service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.25/10/2011 23:49:02, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.25/10/2011 23:43:57, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}.==== End Of File ===========================Hope you can help.RegardsDavid Link to post Share on other sites More sharing options...
Staff screen317 Posted October 31, 2011 Staff ID:490662 Share Posted October 31, 2011 Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix When the tool is finished, it will produce a report for you.Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system. Link to post Share on other sites More sharing options...
Fordy Posted November 1, 2011 Author ID:491086 Share Posted November 1, 2011 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, and post its log.Next, please visit this webpage for instructions for running ComboFix:http://www.bleepingcomputer.com/combofix/how-to-use-combofixWhen the tool is finished, it will produce a report for you.Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.Really appreciate your support with this thanks.MBAM log, combofix log and 2 DDS logs follow below:-Malwarebytes' Anti-Malware 1.51.2.1300www.malwarebytes.orgDatabase version: 8064Windows 5.1.2600 Service Pack 1Internet Explorer 6.0.2800.110601/11/2011 21:50:43mbam-log-2011-11-01 (21-50-43).txtScan type: Quick scanObjects scanned: 167696Time elapsed: 8 minute(s), 22 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Combofix LogComboFix 11-11-01.04 - Geoffery 01/11/2011 22:09:11.1.1 - x86Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.125 [GMT 0:00]Running from: c:\documents and settings\Geoffery\Desktop\ComboFix.exe * Created a new restore point..((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))..c:\documents and settings\All Users\Start Menu\Programs\Zangoc:\documents and settings\All Users\Start Menu\Programs\Zango\Reset Cursor.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Customer Support Center.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Games!.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Library.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Screensavers!.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Uninstall Instructions.lnkc:\documents and settings\All Users\Start Menu\Programs\Zango\Zango Videos!.lnkc:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repairc:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnkc:\documents and settings\Geoffery\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnkc:\documents and settings\Geoffery\WINDOWSc:\program files\Toolbarc:\program files\Toolbar\common.dllc:\program files\Toolbar\CT5Upd.exec:\program files\Toolbar\ctupgd.exec:\program files\Toolbar\ctupgrd.dllc:\program files\Toolbar\Cursors\cursors.xmlc:\program files\Toolbar\gykhxlmu.rmrc:\program files\Toolbar\nzqlihv.wzgc:\program files\Toolbar\rw.wzgc:\program files\Toolbar\TBPS.datc:\program files\Toolbar\Update\tb3.cabc:\program files\Toolbar\Update\zwipvbh.wzgc:\program files\Toolbar\xlmurin.wzgc:\program files\Toolbar\xzxsv.wzgc:\program files\Toolbar\yildhvi.oltc:\program files\Toolbar\yywr.wzgc:\program files\Toolbar\yywsv.wzgc:\program files\Toolbar\zwipvbh.wzgc:\windows\system32\0cfvmd4p.datc:\windows\system32\9mjuabbh.datc:\windows\system32\adxldkmm.inic:\windows\system32\aifvjvox.inic:\windows\system32\bdmthdgx.inic:\windows\system32\biribykr.inic:\windows\system32\btkrxayd.inic:\windows\system32\cjmjedke.inic:\windows\system32\cvyjgycj.inic:\windows\system32\dayqoqsb.inic:\windows\system32\dpjosfqh.inic:\windows\system32\dwwtekcf.inic:\windows\system32\ecaerssl.exec:\windows\system32\elkhmoeu.inic:\windows\system32\extpbdaj.inic:\windows\system32\fauhmkjl.inic:\windows\system32\feewthmy.inic:\windows\system32\fejkqawt.inic:\windows\system32\ffohqpug.inic:\windows\system32\fgcqnxnp.inic:\windows\system32\fxpafpfq.inic:\windows\system32\fxqliivf.inic:\windows\system32\gpgrytrd.inic:\windows\system32\griiodkw.inic:\windows\system32\grpipmki.inic:\windows\system32\gtqdjsaf.inic:\windows\system32\hddkuerr.inic:\windows\system32\hflbgnva.inic:\windows\system32\hxkkpnce.inic:\windows\system32\hyhxstoj.inic:\windows\system32\ikgdjldy.inic:\windows\system32\ilytlsxn.inic:\windows\system32\ithmmoff.inic:\windows\system32\iypgujxq.inic:\windows\system32\iytgsedv.inic:\windows\system32\jiixffih.inic:\windows\system32\jkfosxxq.inic:\windows\system32\jtjrokjt.inic:\windows\system32\jvukktcg.inic:\windows\system32\kcavemxg.inic:\windows\system32\kmpacjsf.inic:\windows\system32\kovimgyg.inic:\windows\system32\kuyfnelu.inic:\windows\system32\kvdtwyti.inic:\windows\system32\lklinhao.inic:\windows\system32\lnunxymw.inic:\windows\system32\lxfnffog.inic:\windows\system32\mbohqopc.inic:\windows\system32\mkuiytpo.inic:\windows\system32\mvjdanda.inic:\windows\system32\nawkyfgv.inic:\windows\system32\nnydayra.inic:\windows\system32\nsucpxlg.inic:\windows\system32\ntgvirvo.inic:\windows\system32\nvfewfpb.inic:\windows\system32\octrixue.inic:\windows\system32\ojvfucfm.inic:\windows\system32\oltalenh.inic:\windows\system32\opuowxll.inic:\windows\system32\otevbgsq.inic:\windows\system32\oxorvamx.exec:\windows\system32\oyqdvqin.inic:\windows\system32\pgnmlygs.inic:\windows\system32\phhcwipv.inic:\windows\system32\phobcjxr.inic:\windows\system32\phrwtslf.inic:\windows\system32\popfiesu.inic:\windows\system32\psuqaipu.inic:\windows\system32\qkixthnr.inic:\windows\system32\rdgtfbqb.inic:\windows\system32\rjekemeb.inic:\windows\system32\rtbvcdra.inic:\windows\system32\sdexgpmr.inic:\windows\system32\sibmpwka.inic:\windows\system32\tboryjoq.inic:\windows\system32\tdxhfuas.inic:\windows\system32\tosvrnbx.exec:\windows\system32\tslfkvfb.inic:\windows\system32\twqcphmi.inic:\windows\system32\uaolboax.inic:\windows\system32\uccttyeb.inic:\windows\system32\ujwmrwpc.inic:\windows\system32\umocxykp.exec:\windows\system32\uwqyqhjb.exec:\windows\system32\uyscxkos.inic:\windows\system32\vbxjqcpw.inic:\windows\system32\veqbjtld.inic:\windows\system32\vuxoebxe.inic:\windows\system32\xakbnltv.inic:\windows\system32\xixhuuuf.inic:\windows\system32\xluccjcg.inic:\windows\system32\yidkhvsl.inic:\windows\system32\yopphctd.exec:\windows\SYSTEM32\ywrppbpt.inic:\windows\SYSTEM32\ywrppbpt.ini2c:\windows\SYSTEM32\ywrppbpt.tmpc:\windows\TSOC.LOG.Infected copy of c:\windows\system32\qmgr.dll was found and disinfected Restored copy from - c:\i386\QMGR.DLL ..((((((((((((((((((((((((( Files Created from 2011-10-01 to 2011-11-01 )))))))))))))))))))))))))))))))..2011-10-26 21:52 . 2011-10-26 21:52 -------- d-----w- c:\documents and settings\Monica\Application Data\SUPERAntiSpyware.com2011-10-26 21:51 . 2011-10-26 21:52 -------- d-----w- c:\program files\SUPERAntiSpyware2011-10-26 21:51 . 2011-10-26 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2011-10-26 21:37 . 2011-10-26 21:37 -------- d-s---w- c:\documents and settings\Monica\UserData2011-10-26 21:20 . 2011-10-26 21:20 -------- d-----w- c:\documents and settings\Monica\Local Settings\Application Data\Mozilla2011-10-26 21:10 . 2011-10-26 21:10 -------- d-----w- c:\documents and settings\Geoffery\Local Settings\Application Data\Mozilla2011-10-26 21:00 . 2011-10-26 21:07 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-10-26 20:53 . 2011-10-26 21:08 -------- d-----w- c:\documents and settings\Geoffery\Local Settings\Application Data\Google2011-10-26 19:10 . 2011-10-26 19:10 -------- d--h--w- c:\documents and settings\Geoffery\Application Data\Malwarebytes2011-10-26 19:07 . 2011-10-26 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2011-10-26 19:07 . 2011-08-31 17:00 20552 ----a-w- c:\windows\system32\drivers\mbam.sys2011-10-26 19:07 . 2011-11-01 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-10-26 19:03 . 2002-08-29 00:32 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys2011-10-25 21:57 . 2003-01-13 12:50 151552 ----a-w- c:\windows\system32\igfxres.dll2011-10-25 21:48 . 2002-09-03 17:11 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll2011-10-25 21:48 . 2002-09-03 17:11 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys2011-10-25 21:48 . 2002-09-03 17:10 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll2011-10-25 21:48 . 2002-09-03 16:26 86074 -c--a-w- c:\windows\system32\dllcache\voicesub.dll2011-10-25 21:48 . 2002-09-03 16:26 426042 -c--a-w- c:\windows\system32\dllcache\voicepad.dll2011-10-25 21:48 . 2002-09-03 16:26 72192 -c--a-w- c:\windows\system32\dllcache\uniime.dll2011-10-25 21:46 . 2002-09-03 16:41 6656 -c--a-w- c:\windows\system32\dllcache\migregdb.exe2011-10-25 21:45 . 2002-09-03 16:29 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe2011-10-25 21:42 . 2002-09-03 17:10 27648 -c--a-w- c:\windows\system32\dllcache\wabmig.exe2011-10-25 21:40 . 2002-09-03 16:46 83968 -c--a-w- c:\windows\system32\dllcache\mtxoci.dll2011-10-25 21:30 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SET72.tmp2011-10-25 21:30 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET54.tmp2011-10-25 21:30 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET3F.tmp2011-10-25 20:57 . 2002-08-29 02:40 20480 ----a-w- c:\windows\system32\hidserv.dll2011-10-25 20:57 . 2001-08-17 12:48 13952 ----a-w- c:\windows\system32\drivers\kbdhid.sys2011-10-25 20:57 . 2001-08-17 12:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys2011-10-25 20:54 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SET71.tmp2011-10-25 20:54 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET53.tmp2011-10-25 20:54 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET3E.tmp2011-10-25 19:47 . 2002-09-03 17:04 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll2011-10-25 19:47 . 2002-09-03 17:04 24661 ----a-w- c:\windows\system32\spxcoins.dll2011-10-25 19:47 . 2002-09-03 16:35 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll2011-10-25 19:47 . 2002-09-03 16:35 13312 ----a-w- c:\windows\system32\irclass.dll2011-10-25 19:47 . 2002-09-03 17:16 7046 ----a-r- c:\windows\SETB1.tmp2011-10-25 19:47 . 2002-09-03 16:35 13608 ----a-r- c:\windows\SET93.tmp2011-10-25 19:47 . 2002-09-03 16:50 1086182 ----a-r- c:\windows\SET7E.tmp...(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2011-09-29 07:09 . 2011-10-26 21:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll..------- Sigcheck -------Note: Unsigned files aren't necessarily malware..[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wscntfy.exe.[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\xmlprov.dll.c:\windows\System32\wscntfy.exe ... is missing !!c:\windows\System32\xmlprov.dll ... is missing !!.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2003-05-16 26112]"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 50880]"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 34504]"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]"LXSUPMON"="c:\windows\System32\LXSUPMON.EXE" [2002-01-28 885760].[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-09-03 13312].c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk - c:\program files\AOL 7.0\aoltray.exe [2003-5-16 32839]Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-5-16 24576].[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024].[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL.[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]@="".R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 16:27 12880]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 21:55 67664]R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 23:38 116608].Contents of the 'Scheduled Tasks' folder.2003-06-14 c:\windows\Tasks\ISP signup reminder 1.job- c:\windows\System32\OOBE\OOBEBALN.EXE [2002-08-29 04:00].2011-01-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job- c:\progra~1\NORTON~1\NAVW32.exe [2002-08-19 21:24].2003-06-14 c:\windows\Tasks\Symantec NetDetect.job- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-05-16 08:04]..------- Supplementary Scan -------.uStart Page = hxxp://www.freeserve.com/uInternet Settings,ProxyOverride = <local>IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htmIE: Search with Freeserve - c:\progra~1\FREESE~1\FSBar\FSBar.dll/VSearch.htmIE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htmTCP: DhcpNameServer = 192.168.1.254FF - ProfilePath - c:\documents and settings\Geoffery\Application Data\Mozilla\Firefox\Profiles\w34bwcdg.default\FF - prefs.js: network.proxy.type - 0.- - - - ORPHANS REMOVED - - - -.ShellExecuteHooks-{9914B4D2-F63E-48C1-ABA6-635153835DAC} - (no file)AddRemove-8sk24fbg - c:\windows\8sk24fbg.exe...**************************************************************************.catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2011-11-01 22:21Windows 5.1.2600 Service Pack 1 NTFS.scanning hidden processes ... .scanning hidden autostart entries ... .scanning hidden files ... .scan completed successfullyhidden files: 0.**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------.[HKEY_LOCAL_MACHINE\software\Toolbar]@DACL=(02 0000)"TB_ID"="50245""CFG_VER"="\02.+-+-+-""CHECK_DAYS"="\02.""CAPTION"="\02Pb^o`e\1dQlli_^o""AUTOHIGHLIGHT"="\02-""AUTOSEARCH"="\02.""AUTOSESEARCH"="\02.""AUTOCOMPLETE"="\02.""USECTRLENTER"="\02.""USEALTENTER"="\02.""USESHIFTENTER"="\02.""ALLOWUPDATE"="\02.""KEEPHISTORY"="\02.""PRESERVEHISTORY"="\02.""NARROWSEARCH"="\02.""AUTOSHOW"="\02.""TAKEADSUPPORTSETTINGS"="\02.""DISABLEADSUPPORTSEARCH"="\02.""DIALOG_PAUSE"="\020-""REGISTRATION_PAUSE"="\02.""URL_FOLDER_NAME"="\02Tb_\1dPb^o`e\1dQllip""URL_ITEMS_1"="\02Eljbyeqqm7,,ttt+tb_pb^o`e+`lj,""URL_ITEMS_2"="\02Cobnrbkqiv\1d>phba\1dNrbpqflkpyeqqm7,,ttt+tb_pb^o`e+`lj,Ebim,Ebim\\Qlli_^o+^pmu""URL_ITEMS_3"="\02Qbojp\1dlc\1dRpbyeqqm7,,ttt+tb_pb^o`e+`lj,ibd^i,qbojp+^pmu""URL_ITEMS_4"="\02Mofs^`v\1dMlif`vyeqqm7,,ttt+tb_pb^o`e+`lj,ibd^i,mofs^`v+^pmu""INSTALL_CONFIRM_1"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_Pq^qFkpqIld+^pju,PbqPq^qrp<Q_Fa:\"q_\\fa#Jlari:PQ0\\AII\\FK#QRFa:\"qrfa#fkcl:pb^o`efkpq^ii#pa^qb:\"fa^qb#pqfjb:\"fqfjb""UNINSTALL_CONFIRM"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_Pq^qFkpqIld+^pju,PbqPq^qrp<Q_Fa:\"q_\\fa#Jlari:PQ0\\AII\\RK#QRFa:\"qrfa#fkcl:pb^o`eobjls^i#pa^qb:\"fa^qb#pqfjb:\"fqfjb""INSTALL_CONFIRM_SYS"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_FkpqIld+^pju,DbqUJI<Q_Fa:\"q_\\fa#Q^phFa:\"q^ph\\fa#Jlari:@LKCFOJ#Bsbkq\\fa:PQ0\\PVP#Mltbo\\r:\"rpbop#fkcl:\"ob^plk#QRFA:\"qrfa""INSTALL_CONFIRM_SYSEX"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,Q_FkpqIld+^pju,DbqUJI<Q_Fa:\"q_\\fa#Q^phFa:\"q^ph\\fa#Jlari:@LKCFOJ#Bsbkq\\fa:PQ0\\PVPBU#Mltbo\\r:\"rpbop#fkcl:\"ob^plk#QRFA:\"qrfa""RECOVERY_URL"="\02eqqm7,,altkil^a+tb_pb^o`e+`lj,aki,Q\\2-/12,Q?MP+`^_""NONUTF_DOMAINS"="\02fp.+yaf`qflk^ov+yqebp^rorp+y^j^wlk+""KEYWORDS_IMPORT"="\02tb_pb^o`e:eqqm7,,ttt+tb_pb^o`e+`ljypb^o`e:eqqm7,,ttt+tb_pb^o`e+`ljydlldib:eqqm7,,ttt+dlldib+`lj""BB_HELP_URL"="\02eqqm7,,ttt+tb_pb^o`e+`lj,ebim,ebim\\pq+^pmu n\\/54""SEARCH_INST"="\02wawfs)wde)eh_awfseuwjjsf)qowjdwjdoeh_awfskwoj)eh_videt)eh_pcjdsf)eatiudif)eh_awfsvlwedsf)dfinwj\1dqcwftsf)dfinwjpcjdsf)fkbdfnwj)eh_easshsf)aojhwdfil""BBDSERVICE"="\02eqqm7,,^p+^at^sb+`lj,^p+^pju,??A<q_fa:\"q_\\fa#qrfa:\"qrfa#pb^o`e\\nrbov:#bkdfkb\\k^jb:#lia\\alj:#`\\efpq:\"`\\efpq#kbt\\roi:\"kbt\\roi""OBE_FCAP"="\02.-""OVERRIDE_HOMEPAGE_DIALOG"="\02-""USEENTER"="\02-""USEAUTOSEARCH"="\02-""ERROR404"="\02-""OVERRIDE_AUTOSEARCH_DIALOG"="\02-""AUTO_SEARCH"="\02eqqm7,,po+tb_pb^o`e+`lj,^p+^pmu<n:\"pb^o`e#q:2-/12""ERROR_PAGE"="\02eqqm7,,^p+^at^sb+`lj,pb^o`e\\1-1+^pmu<^cc:.#n:\"p#@lab:\"`lab#q_\\fa:\"q_\\fa""USESEARCHASSISTANT"="\02.""OVERRIDE_IESEARCH_DIALOG"="\02.""SEARCH_PAGE"="\02eqqm7,,ttt+tb_pb^o`e+`lj,fb+^pmu<q_\\fa:\"q_\\fa""SEARCH_PAGE_INFO"="\02Tb_Pb^o`e+`lj""USEBB"="\02-""OVERRIDE_BBACTIVATE_DIALOG"="\02-""ACSIZE"="\02-""USEBBENH"="\02-""POPUPBLOCKER"="\02.""OVERRIDE_JSDEBUG_DIALOG"="\02.""DEACTIVATETOOLBARS"="\02.""OVERRIDE_DEACTIVATE_DIALOG"="\02-""ITime"=hex:c5,a0,9c,2f,1c,c4,e2,40"IGU"="\02x4B6164.C*?0@0*1B32*>@36*5AC.6315A@/.z""STUI"="\02S01>/.0>///C/@352-225C/.@.B5?C-B>4-/22041-042621131?1.1@212-260400/?/A/?/C02/A/A/?/B/B/A00""IEC"=dword:00000222"SEC"=dword:00000000"SOC"=dword:00000000"UC"=dword:00000001"AllowUseDefskin"="1""RTime"="38529.8852629398""UCL"="\02dblccbov\0a\07""LastCFG"=dword:00009687"FIT"="\020510/+56.6/50116""LogCount"=dword:00000026"NO_AUTOSEARCH_HOOK"="\02.""IE_RESET"="\02.""IE4"=dword:00000000"IAS"=dword:00000000"GSTC"=dword:00000018"STC"=dword:00000000"AVGSEARCH"="0.07".--------------------- DLLs Loaded Under Running Processes ---------------------.- - - - - - - > 'winlogon.exe'(640)c:\windows\System32\ODBC32.dllc:\program files\SUPERAntiSpyware\SASWINLO.DLL.- - - - - - - > 'lsass.exe'(696)c:\windows\System32\dssenh.dll.- - - - - - - > 'explorer.exe'(2496)c:\windows\System32\msi.dll.------------------------ Other Running Processes ------------------------.c:\windows\system32\LEXBCES.EXEc:\windows\system32\LEXPPS.EXEc:\program files\Common Files\Symantec Shared\ccEvtMgr.exec:\windows\wanmpsvc.exe.**************************************************************************.Completion time: 2011-11-01 22:28:49 - machine was rebootedComboFix-quarantined-files.txt 2011-11-01 22:28.Pre-Run: 23,821,475,840 bytes freePost-Run: 23,756,296,192 bytes free.winxpsp1_en_hom_bf.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsUnsupportedDebug="do not select this" /debugmulti(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect.- - End Of File - - 36BE41720041FF3196C3705F5BACFB3CDDS Files.DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 6.0.2800.1106Run by Geoffery at 22:29:37 on 2011-11-01Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.254.85 [GMT 0:00]..============== Running Processes ===============.C:\WINDOWS\system32\svchost.exe -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exesvchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\Program Files\SUPERAntiSpyware\SASCORE.EXEC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\System32\svchost.exe -k imgsvcC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\hkcmd.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exeC:\WINDOWS\System32\LXSUPMON.EXEC:\WINDOWS\explorer.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://www.freeserve.com/uInternet Settings,ProxyOverride = <local>uURLSearchHooks: H - No FileBHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dllBHO: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dllBHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dllTB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dllTB: Freeserve: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\freese~1\fsbar\FSBar.dllTB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dllEB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dllmRun: [igfxTray] c:\windows\system32\igfxtray.exemRun: [HotKeysCmds] c:\windows\system32\hkcmd.exemRun: [DVDSentry] c:\windows\system32\DSentry.exemRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERmRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exemRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exemRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUNdRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol70t~1.lnk - c:\program files\aol 7.0\aoltray.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exeIE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htmIE: Search with Freeserve - c:\progra~1\freese~1\fsbar\FSBar.dll/VSearch.htmIE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htmIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXEIE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dllDPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1284129697171DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabTCP: DhcpNameServer = 192.168.1.254TCP: Interfaces\{3E176829-9D27-47D4-A4CE-0834311C956E} : DhcpNameServer = 192.168.1.254Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLLNotify: igfxcui - igfxsrvc.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL.================= FIREFOX ===================.FF - ProfilePath - c:\documents and settings\geoffery\application data\mozilla\firefox\profiles\w34bwcdg.default\FF - prefs.js: network.proxy.type - 0.============= SERVICES / DRIVERS ===============.R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]R2 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\Savrtpel.sys [2002-7-25 34992]S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]S3 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-8-19 116336]S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVENG.SYS [2003-5-16 61732]S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030227.004\NAVEX15.SYS [2003-5-16 519333]S3 SAVRT;SAVRT;c:\windows\system32\drivers\savrt.sys [2002-7-25 235184].=============== Created Last 30 ================.2011-11-01 21:58:51 -------- d-sha-r- C:\cmdcons2011-11-01 21:56:44 98816 ----a-w- c:\windows\sed.exe2011-11-01 21:56:44 518144 ----a-w- c:\windows\SWREG.exe2011-11-01 21:56:44 256000 ----a-w- c:\windows\PEV.exe2011-11-01 21:56:44 208896 ----a-w- c:\windows\MBR.exe2011-10-26 21:51:45 -------- d-----w- c:\program files\SUPERAntiSpyware2011-10-26 21:51:45 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com2011-10-26 21:10:00 -------- d-----w- c:\documents and settings\geoffery\local settings\application data\Mozilla2011-10-26 21:00:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2011-10-26 20:53:51 -------- d-----w- c:\documents and settings\geoffery\local settings\application data\Google2011-10-26 19:10:57 -------- d-----w- c:\documents and settings\geoffery\application data\Malwarebytes2011-10-26 19:07:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes2011-10-26 19:07:43 20552 ----a-w- c:\windows\system32\drivers\mbam.sys2011-10-26 19:07:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2011-10-26 19:03:39 21760 -c--a-w- c:\windows\system32\dllcache\usbstor.sys2011-10-25 21:57:29 151552 ----a-w- c:\windows\system32\igfxres.dll2011-10-25 21:48:07 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll2011-10-25 21:48:07 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys2011-10-25 21:48:04 86074 -c--a-w- c:\windows\system32\dllcache\voicesub.dll2011-10-25 21:48:04 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll2011-10-25 21:48:04 426042 -c--a-w- c:\windows\system32\dllcache\voicepad.dll2011-10-25 21:48:00 72192 -c--a-w- c:\windows\system32\dllcache\uniime.dll2011-10-25 21:46:49 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys2011-10-25 21:45:46 18944 -c--a-w- c:\windows\system32\dllcache\cprofile.exe2011-10-25 21:42:21 43008 -c--a-w- c:\windows\system32\dllcache\wab.exe2011-10-25 21:40:30 83968 -c--a-w- c:\windows\system32\dllcache\mtxoci.dll2011-10-25 21:30:28 7046 ----a-r- c:\windows\SET72.tmp2011-10-25 21:30:26 13608 ----a-r- c:\windows\SET54.tmp2011-10-25 21:30:24 1086182 ----a-r- c:\windows\SET3F.tmp2011-10-25 20:57:43 20480 ----a-w- c:\windows\system32\hidserv.dll2011-10-25 20:57:41 13952 ----a-w- c:\windows\system32\drivers\kbdhid.sys2011-10-25 20:57:35 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys2011-10-25 20:54:15 7046 ----a-r- c:\windows\SET71.tmp2011-10-25 20:54:13 13608 ----a-r- c:\windows\SET53.tmp2011-10-25 20:54:11 1086182 ----a-r- c:\windows\SET3E.tmp2011-10-25 19:47:42 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll2011-10-25 19:47:42 24661 ----a-w- c:\windows\system32\spxcoins.dll2011-10-25 19:47:42 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll2011-10-25 19:47:42 13312 ----a-w- c:\windows\system32\irclass.dll2011-10-25 19:47:22 7046 ----a-r- c:\windows\SETB1.tmp2011-10-25 19:47:21 13608 ----a-r- c:\windows\SET93.tmp2011-10-25 19:47:16 1086182 ----a-r- c:\windows\SET7E.tmp.==================== Find3M ====================..============= FINISH: 22:30:02.60 ===============.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2011-08-26.01).Microsoft Windows XP Home EditionBoot Device: \Device\HarddiskVolume2Install Date: 25/10/2011 23:48:26System Uptime: 01/11/2011 22:20:59 (0 hours ago).Motherboard: Dell Computer Corporation | | 07W080Processor: Intel® Pentium® 4 CPU 2.00GHz | Socket 478 | 1993/400mhz.==== Disk Partitions =========================.A: is RemovableC: is FIXED (NTFS) - 28 GiB total, 22.15 GiB free.D: is CDROM (CDFS)E: is CDROM ()F: is Removable.==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP1: 25/10/2011 22:53:29 - System CheckpointRP2: 26/10/2011 23:24:50 - System CheckpointRP3: 01/11/2011 21:57:02 - ComboFix created restore point.==== Installed Programs ======================.Adobe Download Manager 2.0 (Remove Only)Adobe Reader 6.0.1AOL UKBACSBroadcom Advanced Control SuiteCanon PhotoRecordCanon PowerShot A200 WIA DriverCanon Utilities PhotoStitch 3.1Canon Utilities RemoteCapture 2.5Canon Utilities ZoomBrowser EXConexant SmartHSFi V92 56K DF PCI ModemDell Picture Studio - Dell Image ExpertDell Solution CenterDigital Line DetectDVDSentryEasy CD Creator 5 BasicFreeserve Search toolbarHelp and Support CustomizationIntel® Extreme Graphics DriverLexmark Supplies MonitorLexmark Z25-Z35LiveReg (Symantec Corporation)LiveUpdate 1.80 (Symantec Corporation)Malwarebytes' Anti-Malware version 1.51.2.1300Microsoft Works 7.0Modem HelperMozilla Firefox 7.0.1 (x86 en-GB)NetWaitingNorton AntiVirus 2003Orange Search ToolbarPaint Shop Pro 7PowerDVDRealPlayer BasicSearch RelevancySecurity Update for Step By Step Interactive Training (KB898458)SUPERAntiSpywareTiscali 10.0Tiscali Messenger 2.0Viewpoint Media Player (Remove Only)WebFldrs XPWindows Genuine Advantage Validation Tool (KB892130).==== Event Viewer Messages From Past Week ========.26/10/2011 22:00:57, error: Service Control Manager [7034] - The WinTools for IE service service terminated unexpectedly. It has done this 1 time(s).25/10/2011 23:58:41, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZESOFT service to connect.25/10/2011 23:58:41, error: Service Control Manager [7000] - The ZESOFT service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.25/10/2011 23:49:02, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.25/10/2011 23:43:57, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}01/11/2011 22:23:04, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Terminal Services service to connect.01/11/2011 22:23:04, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.01/11/2011 22:23:04, error: Service Control Manager [7000] - The wscsvc service failed to start due to the following error: The executable program that this service is configured to run in does not implement the service.01/11/2011 22:23:04, error: Service Control Manager [7000] - The Terminal Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion..==== End Of File ===========================Once again Thanks for your help!RegardsDavid Link to post Share on other sites More sharing options...
Staff screen317 Posted November 7, 2011 Staff ID:492313 Share Posted November 7, 2011 Hi,Navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following program (if present):Orange Search ToolbarRestart your computer.Your antivirus (Norton 2003) is incredibly old. Are you still paying for it?? If not, I highly recommend uninstalling it. All of the following are excellent free antiviruses. Be sure to only install one.Microsoft Security Essentials (what I use)AntiViravast!. Next, it is absolutely essential that you upgrade to Windows XP Service Pack 3. Service Pack 1, which is what you currently have, has vulnerabilities that leave you wide open for re-infection. To upgrade, please visit Windows Update and download all critical updates.Let me know if the update was successful. Link to post Share on other sites More sharing options...
Fordy Posted November 8, 2011 Author ID:492618 Share Posted November 8, 2011 Thanks for all your help.Removed Orange Search and the old Norton and replaced with a new version of Norton which is being kept uptodate now.Updated Windows to service pack 3 and everything seems to be working OK.Thanks again to everyone for their fantastic help on this forum. Link to post Share on other sites More sharing options...
Staff screen317 Posted November 13, 2011 Staff ID:494107 Share Posted November 13, 2011 Great!I want to make sure that everything is actually okay. Please grab a fresh copy of ComboFix, run it, and post its log.Run TFC by OldTimer to clear temporary files:Please download TFC from here and save it to your desktop.Close any open programs and Internet browsers.Double click TFC.exe to run it and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.Please be patient as clearing out temp files may take a while.Once it completes you may be prompted to restart your computer, please do so.Once it's finished you may delete TFC.exe from your Desktop or save it for later use for the cleaning of temporary files.Next, please run a free online scan with the ESET Online ScannerNote: You will need to use Internet Explorer for this scan.Tick the box next to YES, I accept the Terms of Use.Click StartWhen asked, allow the ActiveX control to installClick StartMake sure that the options Remove found threats and the option Scan unwanted applications is checkedClick ScanWait for the scan to finishUse Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txtCopy and paste that log as a reply to this topicNext, download my Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.Let me know how things are running now and what issues remain.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted November 21, 2011 Staff ID:496687 Share Posted November 21, 2011 Are you still with us? This topic will be closed in a few days if we do not hear back from you. Link to post Share on other sites More sharing options...
Staff screen317 Posted December 6, 2011 Staff ID:501836 Share Posted December 6, 2011 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts