System Shutdown (1 min) - DCOM Server Process Launcher Service termina


This topic is locked
6 replies to this topic

#1 sam_online

New Member, 4 posts

Posted 08 March 2009 - 06:10 AM

Hello All.
I hope you can help. I'll outline my issue and then post the HJT log. Thanks so much for your attention.

Platform: Dell Optiplex GX620 Desktop running Win XP Pro SP3.

Problem: As soon as I log in, I get a pop-up titled System Shutdown, with a message (which has a 60 second countdown on it) which displays Windows needs to restart as the DCOM Server Process Launcher Service terminated unexpectedly. In Normal Boot mode, I enter 'shutdown -a' into the run dialog and it seems to cancel but after a minute or two everything freezes. In Safe Boot mode, however, I can enter 'shutdown -a' and it cancels the message. The browser when activated closes immediately without message so I have no internet connection on that machine, though I have access on one nearby. I've also (recently) unplugged the network cable. The system is considerably slower.

A recent development on this issue (in Normal Boot mode) is that I also get another message titled "Data Execution Prevention" reporting that the Spooler Subsystem App program has been closed to protect my computer (though the DCOM pop-up has been around for longer than this and seems more serious).

I've cleaned temp files with ATF, used Malwarebytes Anti-Malware and installed and ran avast anti-virus in boot mode ... without joy unfortunately. I've also disabled System Restore (as I've read, the backups can store malware).

This HJT log was generated in Safe Boot mode. I hope and pray you can help. Thanks again for your consideration.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:23, on 08/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\js\My Documents\security_software-renamed\HiJck.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-293373357-3080907669-3134386944-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsphsx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcvv.dll
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = cdri.ucl.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = cdri.ucl.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F37987-1C85-471C-BAC6-74833FE117A7}: NameServer = 144.82.100.41,144.82.100.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = cdri.ucl.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{61F37987-1C85-471C-BAC6-74833FE117A7}: NameServer = 144.82.100.41,144.82.100.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = cdri.ucl.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{61F37987-1C85-471C-BAC6-74833FE117A7}: NameServer = 144.82.100.41,144.82.100.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{61F37987-1C85-471C-BAC6-74833FE117A7}: NameServer = 144.82.100.41,144.82.100.1
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = cdri.ucl.ac.uk
O17 - HKLM\System\CS4\Services\Tcpip\..\{61F37987-1C85-471C-BAC6-74833FE117A7}: NameServer = 144.82.100.41,144.82.100.1
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6944 bytes
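Two entries in the HJT log above can be flagged mechanically: the F2 line, where a second executable has been chained after userinit.exe in the Winlogon UserInit value (anything listed there runs at every interactive logon), and the two O10 lines reporting Winsock LSP DLLs that HijackThis does not recognise (an LSP DLL is loaded into every process that uses Winsock). The Python script below is an added example written for this edit, not code from the thread or from the HijackThis project. It parses a constructed sample made of lines copied from the log above; the section prefixes, the UserInit format and the paths come from the log, while the two classification rules are the example's own.

```python
"""Triage of HijackThis (HJT) log lines for two persistence indicators:
a modified Winlogon UserInit value (F2 line) and unknown Winsock LSP DLLs
(O10 lines). Added example; not part of the forum thread or of HijackThis."""
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the HJT log posted in the thread.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lsphsx.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspcvv.dll
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
"""

# The only program Windows XP itself places in the Winlogon UserInit value.
EXPECTED_USERINIT = "userinit.exe"

F2_PREFIX = "F2 - REG:system.ini: UserInit="
O10_PREFIX = "O10 - Unknown file in Winsock LSP:"


def parse_userinit(line: str) -> List[str]:
    """Split an HJT F2 UserInit line into the executables it lists.

    HJT prints the registry value verbatim, so the list is comma separated
    and usually ends with a trailing comma; empty fields are dropped."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line.strip())
    if not m:
        return []
    return [p.strip() for p in m.group(1).split(",") if p.strip()]


def find_indicators(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, value) triples for suspicious HJT entries.

    Rule 1: any program in UserInit other than userinit.exe runs at every
            logon and is reported.
    Rule 2: every O10 'Unknown file' LSP entry is reported as-is; HJT has
            already matched known LSP DLLs against its own list."""
    hits: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(F2_PREFIX):
            for exe in parse_userinit(line):
                # Compare on the basename, case-insensitively (NTFS paths).
                basename = exe.rsplit("\\", 1)[-1].lower()
                if basename != EXPECTED_USERINIT:
                    hits.append(("F2", "extra program chained into UserInit", exe))
        elif line.startswith(O10_PREFIX):
            dll = line[len(O10_PREFIX):].strip()
            hits.append(("O10", "unrecognised Winsock LSP DLL", dll))
    return hits


if __name__ == "__main__":
    for section, reason, value in find_indicators(SAMPLE_HJT):
        print(f"{section}: {reason}: {value}")
```

Run stand-alone, the script prints the three hits from the sample: the chained sdra64.exe from the F2 line (the same file the ComboFix log in this thread later lists under "Other Deletions") and the two O10 DLLs. The O4 and O23 lines pass through untouched, since the example does not attempt to judge Run keys or services; `find_indicators` accepts any full HJT log text, so the same two rules can be applied to other logs.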


#2 Rorschach112

Teacher Emeritus (Authentic Member), 3,651 posts

Posted 08 March 2009 - 06:32 AM

hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 sam_online

New Member, 4 posts

Posted 08 March 2009 - 07:50 AM

Hello Rorschach112. Thank you so much for your response and attention. I'm carrying out your instructions though I've hit a slight problem so I haven't any logs to post just yet but I wanted to keep you updated. I ran SDFix in Safe Mode (after entering the "shutdown -a" command to disable the DCOM pop-up) and SDFix's bat file worked as per your description and restarted. It then booted into Normal Boot mode and began the final phase though about 5 minutes into the operation, the DCOM pop-up began its countdown and restarted the machine (no other icons, windows or controls were visible at this time). I then booted into Safe Mode again, disabled the DCOM pop-up (via 'shutdown -a') and accessed the SDFix's RunThis.bat file and entered F to complete the final phase. I'm just waiting for the results right now (it's been around 10 mins now). Hope to make contact again soon. Thank you again. Sam

#4 Rorschach112

Teacher Emeritus (Authentic Member), 3,651 posts

Posted 08 March 2009 - 07:55 AM

ok cool

#5 sam_online

New Member, 4 posts

Posted 08 March 2009 - 09:14 AM

Hello Rorschach
SDFix completed its scan and I've pasted the log file below.
I ran ComboFix straight after (still in Safe Mode) though please note the following:
- I didn't install Recovery Console because of the faulty internet connection,
- ComboFix restarted the machine but I bypassed its (presumed) return to Normal Boot and went into Safe Boot again,
- When ComboFix resumed upon reboot, it asked me to disable the real-time antivirus scan which I couldn't do as there were no icons in the system tray and seemingly no process which controlled the real-time scan providers. ComboFix continued creating its log file regardless and I've pasted that after the SDFix log below.

Thanks for your continuing attention on this.
Sam.


SDFix log:


SDFix: Version 1.240
Run by js on 08/03/2009 at 13:15

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 14:35:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:da,27,bd,fc,f9,e0,59,d0,03,bc,bf,c9,e0,ad,b7,f1,90,75,b2,9f,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:da,27,bd,fc,f9,e0,59,d0,03,bc,bf,c9,e0,ad,b7,f1,90,75,b2,9f,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:da,27,bd,fc,f9,e0,59,d0,03,bc,bf,c9,e0,ad,b7,f1,90,75,b2,9f,ed,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:da,27,bd,fc,f9,e0,59,d0,03,bc,bf,c9,e0,ad,b7,f1,90,75,b2,9f,ed,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"="C:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe:*:Enabled:HP Jetdirect Wireless Setup Wizard"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Alibre Design\\alibre.exe"="C:\\Program Files\\Alibre Design\\alibre.exe:*:Enabled:Alibre Design"
"C:\\Temp\\em\\emule.exe"="C:\\Temp\\em\\emule.exe:*:Enabled:eMule"
"C:\\WINDOWS\\system32\\dlbucoms.exe"="C:\\WINDOWS\\system32\\dlbucoms.exe:*:Enabled:Photo AIO Printer 942 Server"
"C:\\Program Files\\SopCast\\SopCast.exe"="C:\\Program Files\\SopCast\\SopCast.exe:*:Enabled:SopCast Main Application"
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"="C:\\Program Files\\SopCast\\adv\\SopAdver.exe:*:Enabled:SopCast Adver"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"="C:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe:*:Disabled:SPSS Basic Script Editor (1033)"
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"="C:\\Program Files\\SPSSInc\\SPSS16\\spss.exe:*:Disabled:SPSS 16.0 for Windows (1033:exe)"
"C:\\Program Files\\SPSSInc\\SPSS16\\spss.com"="C:\\Program Files\\SPSSInc\\SPSS16\\spss.com:*:Disabled:SPSS 16.0 for Windows (1033:com)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\misc\\uTorrent\\uTorrent.exe"="C:\\Program Files\\misc\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"

Remaining Files :



Files with Hidden Attributes :

Mon 30 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Fri 17 Mar 2006 35,840 A..H. --- "C:\Sarah Tilt\SARAH\graham\~WRL0350.tmp"
Fri 17 Mar 2006 34,816 A..H. --- "C:\Sarah Tilt\SARAH\graham\~WRL0587.tmp"
Fri 17 Mar 2006 33,280 A..H. --- "C:\Sarah Tilt\SARAH\graham\~WRL3024.tmp"
Tue 2 Oct 2007 275,456 ...H. --- "C:\Documents and Settings\ACDS\Application Data\Microsoft\Word\~WRL1706.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\ACDS\Application Data\U3\temp\Launchpad Removal.exe"
Mon 30 Jun 2008 4,348 ...H. --- "C:\Documents and Settings\ACDS\My Documents\My Music\License Backup\drmv1key.bak"
Mon 30 Jun 2008 20 A..H. --- "C:\Documents and Settings\ACDS\My Documents\My Music\License Backup\drmv1lic.bak"
Mon 30 Jun 2008 400 ...H. --- "C:\Documents and Settings\ACDS\My Documents\My Music\License Backup\drmv2key.bak"
Mon 30 Jun 2008 1,536 A..H. --- "C:\Documents and Settings\ACDS\My Documents\My Music\License Backup\drmv2lic.bak"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ajaiv51.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\aknz0gv.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\c8sxeph.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\df3gwfr.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\dm6i1j0.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\dsp02r8.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\dtd9xa2.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e460rl2.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\emo95fg.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\eqme9tt.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\flf8quv.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\g8qgupe.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\gtt8zil.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\hdqo2k0.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\hi8vbhl.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\i4vgicg.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\iuqhtcl.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\k0f1xud.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\kdegvo3.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\mt76chi.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\n7sjqct.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\qhsvaro.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\rats7v1.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\rqcxi7e.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\rry7nqr.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\sovprpl.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\tiudfem.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\uc4stun.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\ueonv1o.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vcqk1jj.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vdrd7dk.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vstf2zi.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\vwwd6jx.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\w0y0ev2.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\w1306ma.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\waodkfo.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\wcpy6sn.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\wh3gtkf.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\xnrkwpf.dll"
Mon 14 Jul 2008 16 ...H. --- "C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\yojwk47.dll"
Thu 30 Aug 2001 20,992 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\carol 1.11.02\assistive technology\~WRL0002.tmp"
Thu 21 Dec 2000 19,456 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\carol 1.11.02\assistive technology\~WRL2000.tmp"
Sat 24 Aug 1996 129,078 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\Files on C Drive\logo.sys"
Tue 16 Oct 2001 19,456 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\~WRL0001.tmp"
Fri 14 Sep 2001 26,112 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\stakeholder\~WRL0003.tmp"
Sat 24 Aug 1996 32,256 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\Program Files\Accessories\mspcx32.dll"
Mon 11 Feb 2002 19,456 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\WINDOWS\TEMP\~WRL0003.tmp"
Sat 14 Aug 2004 142,336 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\Zillah 17.11.04\Zillah Extra\Zillah\MSc Vibration\Article and notes\~WRL1088.tmp"
Wed 2 Oct 2002 26,624 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\ASPIRE\prof chair steering\~WRL0001.tmp"
Mon 27 May 2002 25,600 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\ASPIRE\prof chair steering\~WRL1147.tmp"
Thu 9 May 2002 69,120 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\PROJECTS\ibot\~WRL0583.tmp"
Fri 17 May 2002 42,496 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\PROJECTS\ibot\~WRL1847.tmp"
Fri 17 May 2002 45,056 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\PROJECTS\ibot\~WRL3426.tmp"
Wed 29 May 2002 26,624 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\PROJECTS\mda\~WRL3634.tmp"
Wed 17 Oct 2001 81,408 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\badges\~WRL3535.tmp"
Wed 17 Oct 2001 99,840 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\bio_abstr\~WRL1931.tmp"
Wed 17 Oct 2001 71,680 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\bio_abstr\~WRL3292.tmp"
Thu 18 Oct 2001 100,864 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\bio_abstr\~WRL3962.tmp"
Wed 15 Dec 1999 47,104 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\Desktop\moved TVI documents from desktop\Whittington Info\~WRL3649.tmp"
Sat 24 Aug 1996 20,480 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\Program Files\Accessories\HyperTerminal\hticons.dll"
Sat 24 Aug 1996 326,144 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\Program Files\Accessories\HyperTerminal\hypertrm.dll"
Wed 1 Sep 2004 3,075,584 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\2nd reading on zil\THESIS final\final\~WRL0005.tmp"
Thu 2 Sep 2004 3,036,672 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\2nd reading on zil\THESIS final\final\~WRL0051.tmp"
Thu 2 Sep 2004 19,968 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\2nd reading on zil\THESIS final\final\~WRL3261.tmp"
Wed 1 Sep 2004 3,075,584 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\thesis rewrite\THESIS final\final\~WRL0005.tmp"
Thu 2 Sep 2004 3,036,672 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\thesis rewrite\THESIS final\final\~WRL0051.tmp"
Thu 2 Sep 2004 19,968 A..H. --- "C:\Documents and Settings\ACDS\My Documents\IR folders\IR Desktop folders\Bandula\Bandu\thesis rewrite\THESIS final\final\~WRL3261.tmp"
Tue 9 Jul 2002 115,200 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\PROJECTS\NK\funding\~WRL3362.tmp"
Wed 17 Oct 2001 71,680 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\mandy_archive\SCAMP\colloquium\colloquium\bio_abstr\~WRL3292.tmp"
Wed 15 Dec 1999 47,104 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Patrick backup\WINDOWS\DESKTOP\moved TVI documents from desktop\Whittington Info\~WRL3649.tmp"
Fri 7 Sep 2001 22,528 A..H. --- "C:\Documents and Settings\All Users\Documents\Gemima Backup\General\Mandy 31.10.02\My Documents\CDRI\Meetings\proj_mana\dunc\~WRL0001.tmp"

Finished!





ComboFix log:

ComboFix 09-03-06.02 - js 2009-03-08 14:49:55.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\js\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\js\Application Data\Google\mccklrp32.dll
c:\program files\StormII
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
.

2009-03-08 13:14 . 2009-03-08 13:14 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-03-08 13:11 . 2009-03-08 13:11 <DIR> d-------- c:\windows\ERUNT
2009-03-08 13:07 . 2009-03-08 14:37 <DIR> d-------- C:\SDFix
2009-03-08 12:59 . 2009-03-08 12:59 <DIR> d--hs---- c:\documents and settings\NetworkService\Application Data\lowsec
2009-03-08 10:15 . 2009-03-08 10:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-07 16:52 . 2009-03-07 18:31 <DIR> d-------- c:\program files\a-squared Free
2009-03-07 16:47 . 2009-03-07 16:52 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-07 16:47 . 2009-03-07 16:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-07 16:45 . 2009-03-07 16:45 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-07 12:27 . 2009-03-07 12:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-07 12:27 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-07 12:27 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-07 12:03 . 2009-03-07 12:03 <DIR> d-------- C:\spoolerlogs
2009-03-07 10:46 . 2009-03-07 10:46 5,375 --a------ c:\windows\system32\06d8c026bb.ax
2009-03-07 10:44 . 2009-03-07 10:44 27,136 --a------ c:\windows\system32\lsphsx.dll
2009-03-07 10:44 . 2009-03-07 12:04 27,136 --a------ c:\windows\system32\lspcvv.dll
2009-03-01 12:30 . 2009-03-01 12:30 <DIR> d-------- c:\windows\Internet Logs
2009-03-01 12:30 . 2009-03-01 12:30 <DIR> d-------- c:\program files\Zone Labs
2009-03-01 12:13 . 2009-03-01 12:13 <DIR> d-------- c:\documents and settings\ACDS\Application Data\Malwarebytes
2009-03-01 11:00 . 2009-03-01 11:00 <DIR> d-------- c:\documents and settings\js\Application Data\Malwarebytes
2009-03-01 10:59 . 2009-03-01 10:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-28 14:39 . 2009-02-28 14:39 <DIR> d-------- c:\program files\Alwil Software
2009-02-28 14:18 . 2009-02-28 14:18 28,673 --a------ c:\documents and settings\js\Application Data\upd.exe
2009-02-24 15:42 . 2009-02-24 15:42 4,749 --a------ c:\windows\CODA MA5.46-RNOH.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 10:44 --------- d-----w c:\documents and settings\js\Application Data\uTorrent
2009-02-28 14:18 --------- d-----w c:\documents and settings\js\Application Data\F-Secure
2009-02-28 14:18 --------- d-----w c:\documents and settings\js\Application Data\AdobeUM
2009-01-17 10:53 --------- d-----w c:\program files\misc
2009-01-16 19:34 --------- d-----w c:\program files\Java
2004-10-12 18:34 20,752 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2004-10-12 18:34 69,904 ----a-w c:\program files\mozilla firefox\plugins\cgpcore.dll
2004-10-12 18:34 45,328 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2004-10-12 18:34 24,848 -c--a-w c:\program files\mozilla firefox\plugins\pscript.dll
2004-10-12 18:34 57,616 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2004-10-12 18:34 24,848 ----a-w c:\program files\mozilla firefox\plugins\tcppserv.dll
2008-08-11 14:00 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-11 14:00 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-11 14:00 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-11 14:00 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-11 14:00 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-09-26 13:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2008-06-19 182936]
"F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2008-06-19 895584]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Alibre Design\\alibre.exe"=
"c:\\WINDOWS\\system32\\dlbucoms.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\SPSSWinWrapIDE.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.exe"=
"c:\\Program Files\\SPSSInc\\SPSS16\\spss.com"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\misc\\uTorrent\\uTorrent.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 aswSP;avast! Self Protection; [x]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\F-Secure\HIPS\fshs.sys [2008-06-19 70752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2008-06-19 72288]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-02-11 38496]
R4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2008-06-19 39776]
R4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2008-06-19 25184]
S0 FSFW;F-Secure Firewall Driver;c:\windows\System32\drivers\fsdfw.sys [2008-06-19 59808]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - aswTdi
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - Fastfat
*Deregistered* - FltMgr
*Deregistered* - FSFW
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - i2omgmt
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - Kbdclass
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - omci
*Deregistered* - PartMgr
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RpcSs
*Deregistered* - SharedAccess
*Deregistered* - sptd
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - winmgmt
*Deregistered* - WS2IFSL
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\Scheduled scanning task.job
- c:\progra~1\F-Secure\ANTI-V~1\fsav.exe [2008-06-19 09:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
LSP: c:\program files\F-Secure\FSPS\program\FSLSP.DLL
TCP: {61F37987-1C85-471C-BAC6-74833FE117A7} = 144.82.100.41,144.82.100.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\js\Application Data\Mozilla\Firefox\Profiles\2v4xr2f1.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-08 14:55:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-08 15:00:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-08 15:00:09

Pre-Run: 18,140,975,104 bytes free
Post-Run: 18,099,597,312 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
205 --- E O F --- 2009-02-27 17:23:19

#6 sam_online (New Member, 4 posts)

Posted 08 March 2009 - 01:25 PM

Update:
Hello Rorschach. I had to leave the infected machine and won't be able to get back to it until Saturday but I tried logging in again and the good news is that the DCOM pop-up is no longer showing itself and the machine doesn't restart. Thank you for your help removing that.
There's some bad news, however. This includes the following: the system is running very slowly; the Internet Explorer window doesn't show itself when I run it; the "Data Execution Prevention" popup is still present showing a problem with the 'Spooler Subsystem App program' and it being closed by the OS; an additional "Data Execution Prevention" popup telling me it's closing the Generic Win32 Host Process (I think... typing from memory here); and finally, I've been trying to uninstall Avast anti-virus (which I used for a boot scan) but the uninstallation window closes as soon as I call it from Add/Remove Programs (I want to remove it so that only the F-Secure security app remains... though if necessary, perhaps we could remove that instead?).

I'll keep checking this post and will try any recommendations on Saturday. Hope further assistance can be provided. Let me know if I should open a new thread then or keep adding to this one.

In case we don't make contact again, I just wanted to thank you, Rorschach, you've been great.
All the best.
Sam.

#7 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 08 March 2009 - 05:58 PM

Since you are already being helped here, I will let them finish it.

http://www.security-...c8ccb3e4cf528e6


Please don't waste our time by posting at multiple forums.
