# SDRA.64.exe infected - unable to remove



## hornabythanger (Aug 16, 2009)

Hi,
Could someone please help? I have noticed the above file appearing after a virus was placed on my PC. After running various programs such as SDFix, etc. and googling solutions, I am still unable to remove it.

Thanks for your help in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:18:12, on 12/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,userinit.exe
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Nokia Nseries PC Suite.lnk.disabled
O4 - Global Startup: Orbit.lnk.disabled
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246548717046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246548705078
O17 - HKLM\System\CCS\Services\Tcpip\..\{E052D21B-CA4A-40F4-BFB4-8687E47BB74F}: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TwonkyMedia - PacketVideo - C:\Program Files\Nokia\Nokia Home Media Server\Media Server\TwonkyMedia.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 11124 bytes

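Two entries in this log are the ones worth a second look: the F2 line, where the Winlogon UserInit value has C:\WINDOWS\system32\sdra64.exe appended after the genuine userinit.exe (so it is launched at every logon), and the O4 Run entry [net] pointing at net.net, a file with no executable extension. The Python script below is an added example, not part of this thread or of HijackThis; it assumes the HJT line format shown in the log above and flags both patterns on a constructed excerpt of it.

```python
"""Triage a HijackThis (HJT) log for two persistence tricks: an extra program
appended to the Winlogon UserInit value (F2 line) and a Run key whose target
has a non-executable extension (O4 line). Added example, not HijackThis code."""

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the log in the first post, with clean
# entries kept alongside the suspicious ones so the checks have something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,userinit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [net] "C:\WINDOWS\system32\net.net"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "F2" or "O4"
    reason: str
    value: str


LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
USERINIT_RE = re.compile(r"UserInit=(?P<val>.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Extensions a Run value is normally expected to launch directly.
RUNNABLE_EXT = {".exe", ".com", ".scr", ".bat", ".cmd"}


def first_token(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_userinit(body: str) -> List[Finding]:
    """A clean XP box lists only the real userinit.exe here; every other
    comma-separated entry is also executed at each interactive logon."""
    m = USERINIT_RE.search(body)
    if not m:
        return []
    entries = [e.strip() for e in m.group("val").split(",") if e.strip()]
    return [Finding("F2", "extra program in Winlogon UserInit", e)
            for e in entries if basename(e).lower() != "userinit.exe"]


def check_run_entry(body: str) -> List[Finding]:
    """Flag Run entries whose target lacks a normal executable extension."""
    m = RUN_RE.search(body)
    if not m:
        return []
    prog = first_token(m.group("cmd"))
    name = basename(prog)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in RUNNABLE_EXT:
        return [Finding("O4", f"Run entry [{m.group('name')}] targets "
                              f"non-executable extension", prog)]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk the HJT lines and collect findings from the section checks."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "F2":
            findings.extend(check_userinit(body))
        elif code == "O4":
            findings.extend(check_run_entry(body))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.value}")
```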

----------



## cybertech (Apr 16, 2002)

Hi, welcome to TSG!!

Download ComboFix from one of these locations:

*Link 1*
*Link 2*

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named.

*Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.*

_Please note: once you start ComboFix, you should not click anywhere on the ComboFix window, as it can cause the program to stall._


Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



At the next prompt, click 'Yes' to run the full ComboFix scan.

When the tool is finished, it will produce a report for you.
Please post the *C:\ComboFix.txt* in your next reply.


----------



## hornabythanger (Aug 16, 2009)

Thanks for your help with this, cybertech.

Here is my ComboFix log:

ComboFix 09-08-21.02 - craig 2 22/08/2009 15:36.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.641 [GMT 1:00]
Running from: c:\documents and settings\craig 2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\craig 2\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: avast! antivirus 4.8.1229 [VPS 090821-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
c:\windows\Fonts\TL Transcription.ttf
c:\windows\Installer\11c06fd.msi
c:\windows\Installer\362583.msp
c:\windows\Installer\362584.msp
c:\windows\Installer\362585.msp
c:\windows\Installer\362586.msp
c:\windows\Installer\362587.msp
c:\windows\Installer\362588.msp
c:\windows\Installer\362589.msp
c:\windows\Installer\36258a.msp
c:\windows\Installer\36258b.msp
c:\windows\Installer\88c74ef.msi
c:\windows\Installer\88c74f0.msp
c:\windows\Installer\88c74f1.msp
c:\windows\Installer\88c74f2.msp
c:\windows\Installer\88c74f3.msp
c:\windows\Installer\88c74f4.msp
c:\windows\Installer\88c74f5.msp
c:\windows\Installer\88c74f6.msp
c:\windows\Installer\88c74f7.msp
c:\windows\Installer\88c74f8.msp
c:\windows\Installer\e33e07.msi
c:\windows\Installer\f65e9.msi
c:\windows\run.log
c:\windows\struct~.ini
c:\windows\system32\1.txt
c:\windows\system32\3.txt
c:\windows\system32\drivers\SKYNETnrwkfxmq.sys
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\mfc45.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETesrqpttp.dat
c:\windows\system32\SKYNETjkllwkxo.dat
c:\windows\system32\SKYNETpucxiscd.dll
c:\windows\system32\uacinit.dll
c:\windows\UA000019.DLL
c:\windows\UA000106.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SKYNETXVKDQXRL
-------\Legacy_UACD.SYS
-------\Service_SKYNETxvkdqxrl
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-16 11:10 . 2009-08-16 11:10 -------- d-----w- c:\documents and settings\craig 2\Local Settings\Application Data\IsolatedStorage
2009-08-11 23:31 . 2009-08-11 23:31 -------- d-----w- c:\windows\ERUNT
2009-08-11 23:26 . 2009-08-12 00:08 -------- d-----w- C:\SDFix
2009-08-11 23:21 . 2009-08-11 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-11 23:12 . 2009-08-11 23:12 -------- d-----w- c:\program files\Common Files\iS3
2009-08-11 23:12 . 2009-08-16 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-10 20:30 . 2009-08-10 20:30 -------- d-----w- c:\documents and settings\Carrie\Local Settings\Application Data\Nokia
2009-08-09 10:21 . 2009-08-09 10:23 -------- d-sh--w- c:\documents and settings\craig 2\Application Data\lowsec
2009-08-09 00:17 . 2009-08-09 00:17 310 ----a-w- c:\windows\system32\UACymhrpdkvmp.dat
2009-08-09 00:17 . 2009-08-09 10:20 74240 ----a-w- c:\windows\system32\UACvxweppbavj.dll
2009-08-08 21:25 . 2009-08-08 21:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Nokia
2009-08-08 18:38 . 2009-08-08 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2009-08-08 18:14 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-08 17:54 . 2009-08-16 09:35 -------- d-----w- c:\program files\FlashGet
2009-08-08 17:26 . 2009-02-09 07:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-08-08 17:25 . 2009-02-09 07:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-08-08 17:25 . 2009-02-09 07:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-08-08 17:25 . 2009-02-09 07:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-08-08 17:25 . 2009-02-09 07:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-08-08 17:25 . 2009-02-09 07:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-08-03 00:57 . 2009-08-08 22:02 -------- d-----w- c:\documents and settings\craig 2\Application Data\Nokia
2009-07-26 22:43 . 2009-07-26 22:43 -------- d-----w- c:\documents and settings\craig 2\Application Data\PC Suite
2009-07-26 22:43 . 2009-08-08 21:13 -------- d-----w- c:\documents and settings\craig 2\Local Settings\Application Data\Nokia
2009-07-26 10:28 . 2009-07-26 10:28 -------- d-----w- c:\documents and settings\craig 2\Application Data\skypePM
2009-07-26 10:26 . 2009-07-26 10:28 -------- d-----w- c:\documents and settings\craig 2\Application Data\Skype
2009-07-26 10:14 . 2009-07-26 10:14 -------- d-sh--w- c:\documents and settings\craig 2\UserData
2009-07-25 11:24 . 2009-07-25 11:24 -------- d-----w- c:\documents and settings\craig 2\Application Data\Propellerhead Software
2009-07-25 11:20 . 2009-08-08 21:12 -------- d-----w- c:\documents and settings\craig 2\Application Data\uTorrent
2009-07-25 11:01 . 2009-07-25 12:26 -------- d-----w- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 14:28 . 2009-08-22 14:28 79053 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_08_22_14_57_54_small.dmp.zip
2009-08-22 13:25 . 2008-11-20 01:41 8543728 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-22 13:10 . 2009-07-13 01:46 -------- d-----w- c:\documents and settings\craig 2\Application Data\Free Download Manager
2009-08-17 01:52 . 2009-07-23 00:15 -------- d-----w- c:\documents and settings\craig 2\Application Data\Orbit
2009-08-16 09:33 . 2009-04-18 23:35 -------- d-----w- c:\program files\Transparent
2009-08-16 09:33 . 2006-02-27 13:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 01:21 . 2007-11-23 01:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-10 23:20 . 2006-08-13 18:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-09 03:17 . 2009-08-09 10:20 3402752 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-08-09 03:17 . 2008-10-01 09:44 1094584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-08 21:38 . 2007-01-14 17:52  1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 21:22 . 2007-05-01 19:50 -------- d-----w- c:\program files\Nokia
2009-08-08 21:08 . 2007-05-01 19:51 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-08 18:15 . 2008-10-01 09:46 -------- d-----w- c:\program files\DIFX
2009-07-26 19:27 . 2009-07-12 01:13 -------- d-----w- c:\documents and settings\craig 2\Application Data\Ahead
2009-07-25 11:22 . 2008-10-24 12:06 -------- d-----w- c:\program files\NSS
2009-07-25 10:57 . 2009-07-05 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-25 10:50 . 2008-10-01 09:44 -------- d-----w- c:\program files\MSBuild
2009-07-23 00:16 . 2008-11-28 00:41 -------- d-----w- c:\program files\Orbitdownloader
2009-07-23 00:16 . 2009-07-23 00:16 -------- d-----w- c:\documents and settings\craig 2\Application Data\GrabPro
2009-07-23 00:10 . 2007-03-12 02:42 -------- d-----w- c:\program files\Free Download Manager
2009-07-23 00:09 . 2009-07-23 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-07-19 10:46 . 2009-07-19 10:46 -------- d-----w- c:\documents and settings\craig 2\Application Data\Creative
2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\documents and settings\craig 2\Application Data\vlc
2009-07-18 17:29 . 2009-07-18 17:29 -------- d-----w- c:\documents and settings\craig 2\Application Data\DivX
2009-07-14 20:23 . 2009-07-14 20:23 -------- d-----w- c:\documents and settings\craig 2\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-14 20:23 . 2009-07-14 20:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 20:21 . 2009-07-14 20:23 38208 ----a-w- c:\documents and settings\craig 2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-12 11:43 . 2009-07-12 11:43 -------- d-----w- c:\documents and settings\craig 2\Application Data\Apple Computer
2009-07-11 01:26 . 2009-07-11 01:26 -------- d-----w- c:\documents and settings\craig 2\Application Data\TuneUp Software
2009-07-11 01:14 . 2009-07-11 01:14 -------- d-----w- c:\documents and settings\craig 2\Application Data\Camfrog
2009-07-10 23:05 . 2009-07-10 23:05 144368 ----a-w- c:\documents and settings\craig 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:39 . 2008-01-10 17:09 -------- d-----w- c:\program files\TuneUp Utilities 2008
2009-06-27 14:17 . 2009-06-27 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\hps
2009-06-27 12:59 . 2009-06-27 12:59 -------- d-----w- c:\program files\CeWe Color
2009-06-25 23:43 . 2009-06-25 23:43 125812 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_06_26_00_40_30_small.dmp.zip
2009-06-25 23:40 . 2009-06-25 23:43 3157504 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-06-17 11:01 . 2006-04-17 00:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-10 21:57 . 2009-03-03 12:33 319 ----a-w- C:\drmHeader.bin
2009-06-06 11:17 . 2009-06-06 11:19 27648 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-06 01:29 . 2009-06-06 11:10 2190336 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2008-08-13 14:48 . 2008-08-13 14:48 80 --sh--r- c:\windows\CT5STET.BIN
2006-03-06 04:35 . 2006-03-06 04:35 56 --sh--r- c:\windows\system32\07BB5FD09F.sys
2006-03-06 04:35 . 2006-03-06 04:35 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 23:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-04-17 12:46 359808 6AF91CE5BAA449EB9A72F17DA063720C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2008-01-19 21:33 360064 482AB7F9CD41702E8F856C11CFEFB02D c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-01-19 21:33 360064 482AB7F9CD41702E8F856C11CFEFB02D c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( [email protected]_13.48.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 14:28 . 2009-08-22 14:28 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loaris Trojan Remover"="c:\program files\Loaris Trojan Remover\TrojanRemover.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-07 935936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-02 2327840]
"net"="c:\windows\system32\net.net" [BU]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-17 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nokia Nseries PC Suite.lnk.disabled [2009-1-18 1842]
Orbit.lnk.disabled [2009-3-5 1554]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"EPSON Stylus Photo R200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"CTRegRun"=c:\windows\CTRegRun.EXE
"Eraser"=c:\program files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"EPSON Stylus Photo R200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"CTCheck"=c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
"Epac Center"="c:\documents and settings\All Users\Application Data\Epac\EpacDownloadServiceClient.exe" -h -w

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\KService\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\UUSee\\UUSeePlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/04/2008 09:21 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/04/2008 09:21 20560]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [29/10/2006 22:21 14095]
S4 Epac Center;Epac Center;c:\documents and settings\All Users\Application Data\Epac\Epacdownloadmanagerservice.exe [28/12/2008 14:23 442368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 13:31]

2009-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]

2008-12-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 08:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bt.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mWindow Title = Internet Explorer provided by BT Openworld
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E052D21B-CA4A-40F4-BFB4-8687E47BB74F} = 208.67.220.220,208.67.222.222 
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\craig 2\Application Data\Mozilla\Firefox\Profiles\w3f4laid.default\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\component.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 15:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\documents and settings\craig 2\Application Data\vlc\cache
c:\documents and settings\craig 2\Application Data\vlc\cache\CACHEDIR.TAG 193 bytes
c:\documents and settings\craig 2\Application Data\vlc\cache\plugins-04041e.dat 311951 bytes
c:\documents and settings\craig 2\Application Data\vlc\vlcrc 46505 bytes

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-299502267-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,d1,4e,ab,46,1b,4e,6c,d8,19,07,f9,25,54,81,b5,f1,69,51,1e,58,b8,08,
c8,29,90,be,cd,95,43,f3,25,c3,c0,cb,b3,e6,74,1d,71,1d,92,0b,b2,87,a6,ac,4e,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-22 15:50
ComboFix-quarantined-files.txt 2009-08-22 14:50

Pre-Run: 40,271,400,960 bytes free
Post-Run: 40,211,910,656 bytes free

305 --- E O F --- 2008-06-21 02:03


----------



## cybertech (Apr 16, 2002)

Open Notepad and copy and paste the text in the code box below into it:

```
KILLALL::
File::
c:\windows\system32\UACymhrpdkvmp.dat
c:\windows\system32\UACvxweppbavj.dll
c:\windows\system32\net.net

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"net"=-
```
Save this as *CFScript.txt*, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.

Download *ATF Cleaner* by Atribune.


Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 

Click *Exit* on the Main menu to close the program.
Download Malwarebytes' Anti-Malware from *Here*.

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware*, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "*Perform Quick Scan*", then click *Scan*.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that *everything is checked*, and click *Remove Selected*.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.
Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*
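The CFScript above uses three ComboFix script constructs: a bare `KILLALL::` directive, a `File::` list of paths to delete, and a `Registry::` block where `"net"=-` means "delete this value". The follow-up ComboFix log echoes the requested paths under `FILE ::` (proof that the script was actually picked up when dragged onto ComboFix.exe) and lists what it really removed under `Other Deletions`. The script below is an added example for this thread, not part of ComboFix and not code posted by either participant: it parses a CFScript, confirms the run log echoed the targets, and reports per target whether ComboFix deleted it. `CFSCRIPT` is the script from this post; `COMBOFIX_LOG` is a constructed excerpt of the `FILE ::` and `Other Deletions` lines from the log posted in reply, in which the two `UAC*` files appear as deleted and `net.net` does not (ComboFix found no such file at run time).

```python
"""Parse a ComboFix CFScript and check its targets against the ComboFix run log.
Added example; handles File::, Folder:: and Registry:: bodies, and records any
other 'Name::' line (such as KILLALL::) as a bare directive."""
import re

# Script from the post above.
CFSCRIPT = r"""KILLALL::
File::
c:\windows\system32\UACymhrpdkvmp.dat
c:\windows\system32\UACvxweppbavj.dll
c:\windows\system32\net.net

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"net"=-
"""

# Constructed excerpt of the ComboFix log produced by that script.
COMBOFIX_LOG = r"""Command switches used :: c:\documents and settings\craig 2\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\net.net"
"c:\windows\system32\UACvxweppbavj.dll"
"c:\windows\system32\UACymhrpdkvmp.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACvxweppbavj.dll
c:\windows\system32\UACymhrpdkvmp.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
"""

BODY_SECTIONS = {"File", "Folder", "Registry"}
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Split a CFScript into bare directives, file/folder paths and registry
    edits.  A registry line '"name"=-' means 'delete this value'."""
    out = {"directives": [], "files": [], "registry": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            name = line[:-2]
            if name in BODY_SECTIONS:
                section = name
            else:
                section = None
                out["directives"].append(name)
            continue
        if section in ("File", "Folder"):
            out["files"].append(line.lower())
        elif section == "Registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
            else:
                m = VALUE_RE.match(line)
                if m and key:
                    out["registry"].append((key, m.group(1), m.group(2)))
    return out


def echoed_targets(log):
    """Paths ComboFix echoes under 'FILE ::'.  An empty result means the
    script was not applied (for example, the wrong file was dragged)."""
    found, grab = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            grab = True
            continue
        if grab:
            if line == ".":
                break
            if line:
                found.append(line.strip('"').lower())
    return found


def log_section(log, header):
    """Lines of the '(((( header ))))' section, up to the next such banner."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("((((") and header in line:
            body = []
            for nxt in lines[i + 1:]:
                if nxt.startswith("(((("):
                    break
                body.append(nxt.strip())
            return body
    return []


def verify_removals(script, log):
    """Map each File:: target to True if ComboFix listed it under
    'Other Deletions', False if it was never found or not removed."""
    deleted = {l.lower() for l in log_section(log, "Other Deletions") if l not in ("", ".")}
    return {f: f in deleted for f in parse_cfscript(script)["files"]}


if __name__ == "__main__":
    if not echoed_targets(COMBOFIX_LOG):
        print("script was not applied")
    for path, gone in verify_removals(CFSCRIPT, COMBOFIX_LOG).items():
        print(("deleted   " if gone else "not found ") + path)
```

Run against the real ComboFix.txt, the "not found" verdicts are the ones worth a second look: a target that was never on disk may simply have been removed by an earlier tool, or it may have been renamed since the script was written.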


----------



## hornabythanger (Aug 16, 2009)

*Combofix log*

ComboFix 09-08-21.02 - craig 2 23/08/2009 0:30.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.269 [GMT 1:00]
Running from: c:\documents and settings\craig 2\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\craig 2\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1229 [VPS 090822-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point

FILE ::
"c:\windows\system32\net.net"
"c:\windows\system32\UACvxweppbavj.dll"
"c:\windows\system32\UACymhrpdkvmp.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UACvxweppbavj.dll
c:\windows\system32\UACymhrpdkvmp.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 19:09 . 2009-08-22 19:09 -------- d-----w- c:\documents and settings\craig 2\Local Settings\Application Data\Apple
2009-08-16 11:10 . 2009-08-16 11:10 -------- d-----w- c:\documents and settings\craig 2\Local Settings\Application Data\IsolatedStorage
2009-08-11 23:31 . 2009-08-11 23:31 -------- d-----w- c:\windows\ERUNT
2009-08-11 23:26 . 2009-08-12 00:08 -------- d-----w- C:\SDFix
2009-08-11 23:21 . 2009-08-11 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-08-11 23:12 . 2009-08-11 23:12 -------- d-----w- c:\program files\Common Files\iS3
2009-08-11 23:12 . 2009-08-16 09:38 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-08-10 20:30 . 2009-08-10 20:30 -------- d-----w- c:\documents and settings\Carrie\Local Settings\Application Data\Nokia
2009-08-09 10:21 . 2009-08-09 10:23 -------- d-sh--w- c:\documents and settings\craig 2\Application Data\lowsec
2009-08-08 21:25 . 2009-08-08 21:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Nokia
2009-08-08 18:38 . 2009-08-08 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\NokiaMusic
2009-08-08 18:14 . 2008-08-26 09:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-08 17:54 . 2009-08-16 09:35 -------- d-----w- c:\program files\FlashGet
2009-08-08 17:26 . 2009-03-19 13:48 136704 ----a-w- c:\windows\system32\drivers\nmwcdnsu.sys
2009-08-08 17:26 . 2009-02-09 07:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-08-08 17:25 . 2009-02-09 07:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-08-08 17:25 . 2009-02-09 07:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-08-08 17:25 . 2009-02-09 07:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-08-08 17:25 . 2009-02-09 07:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-08-08 17:25 . 2009-02-09 07:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-08-03 00:57 . 2009-08-08 22:02 -------- d-----w- c:\documents and settings\craig 2\Application Data\Nokia
2009-07-26 22:43 . 2009-07-26 22:43 -------- d-----w- c:\documents and settings\craig 2\Application Data\PC Suite
2009-07-26 22:43 . 2009-08-08 21:13 -------- d-----w- c:\documents and settings\craig 2\Local Settings\Application Data\Nokia
2009-07-26 10:28 . 2009-07-26 10:28 -------- d-----w- c:\documents and settings\craig 2\Application Data\skypePM
2009-07-26 10:26 . 2009-07-26 10:28 -------- d-----w- c:\documents and settings\craig 2\Application Data\Skype
2009-07-26 10:14 . 2009-07-26 10:14 -------- d-sh--w- c:\documents and settings\craig 2\UserData
2009-07-25 11:24 . 2009-07-25 11:24 -------- d-----w- c:\documents and settings\craig 2\Application Data\Propellerhead Software
2009-07-25 11:20 . 2009-08-08 21:12 -------- d-----w- c:\documents and settings\craig 2\Application Data\uTorrent
2009-07-25 11:01 . 2009-07-25 12:26 -------- d-----w- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 23:28 . 2009-07-13 01:46 -------- d-----w- c:\documents and settings\craig 2\Application Data\Free Download Manager
2009-08-22 14:28 . 2009-08-22 14:28 79053 ----a-w- c:\windows\Internet Logs\zlclient_2nd_2009_08_22_14_57_54_small.dmp.zip
2009-08-22 13:25 . 2008-11-20 01:41 8543728 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-08-17 01:52 . 2009-07-23 00:15 -------- d-----w- c:\documents and settings\craig 2\Application Data\Orbit
2009-08-16 09:33 . 2009-04-18 23:35 -------- d-----w- c:\program files\Transparent
2009-08-16 09:33 . 2006-02-27 13:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-12 01:21 . 2007-11-23 01:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-10 23:20 . 2006-08-13 18:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-09 03:17 . 2009-08-09 10:20 3402752 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2009-08-09 03:17 . 2008-10-01 09:44 1094584 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-08 21:38 . 2007-01-14 17:52 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 21:22 . 2007-05-01 19:50 -------- d-----w- c:\program files\Nokia
2009-08-08 21:08 . 2007-05-01 19:51 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-08 18:15 . 2008-10-01 09:46 -------- d-----w- c:\program files\DIFX
2009-07-26 19:27 . 2009-07-12 01:13 -------- d-----w- c:\documents and settings\craig 2\Application Data\Ahead
2009-07-25 11:22 . 2008-10-24 12:06 -------- d-----w- c:\program files\NSS
2009-07-25 10:57 . 2009-07-05 14:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-25 10:50 . 2008-10-01 09:44 -------- d-----w- c:\program files\MSBuild
2009-07-23 00:16 . 2008-11-28 00:41 -------- d-----w- c:\program files\Orbitdownloader
2009-07-23 00:16 . 2009-07-23 00:16 -------- d-----w- c:\documents and settings\craig 2\Application Data\GrabPro
2009-07-23 00:10 . 2007-03-12 02:42 -------- d-----w- c:\program files\Free Download Manager
2009-07-23 00:09 . 2009-07-23 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeDownloadManager.ORG
2009-07-19 10:46 . 2009-07-19 10:46 -------- d-----w- c:\documents and settings\craig 2\Application Data\Creative
2009-07-18 17:31 . 2009-07-18 17:31 -------- d-----w- c:\documents and settings\craig 2\Application Data\vlc
2009-07-18 17:29 . 2009-07-18 17:29 -------- d-----w- c:\documents and settings\craig 2\Application Data\DivX
2009-07-14 20:23 . 2009-07-14 20:23 -------- d-----w- c:\documents and settings\craig 2\Application Data\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-14 20:23 . 2009-07-14 20:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 20:21 . 2009-07-14 20:23 38208 ----a-w- c:\documents and settings\craig 2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-12 11:43 . 2009-07-12 11:43 -------- d-----w- c:\documents and settings\craig 2\Application Data\Apple Computer
2009-07-11 01:26 . 2009-07-11 01:26 -------- d-----w- c:\documents and settings\craig 2\Application Data\TuneUp Software
2009-07-11 01:14 . 2009-07-11 01:14 -------- d-----w- c:\documents and settings\craig 2\Application Data\Camfrog
2009-07-10 23:05 . 2009-07-10 23:05 144368 ----a-w- c:\documents and settings\craig 2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:39 . 2008-01-10 17:09 -------- d-----w- c:\program files\TuneUp Utilities 2008
2009-06-27 14:17 . 2009-06-27 14:17 -------- d-----w- c:\documents and settings\All Users\Application Data\hps
2009-06-27 12:59 . 2009-06-27 12:59 -------- d-----w- c:\program files\CeWe Color
2009-06-25 23:43 . 2009-06-25 23:43 125812 ----a-w- c:\windows\Internet Logs\vsmon_2nd_2009_06_26_00_40_30_small.dmp.zip
2009-06-25 23:40 . 2009-06-25 23:43 3157504 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2009-06-17 11:01 . 2006-04-17 00:52 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-10 21:57 . 2009-03-03 12:33 319 ----a-w- C:\drmHeader.bin
2009-06-06 11:17 . 2009-06-06 11:19 27648 ----a-w- c:\windows\Internet Logs\xDBF.tmp
2009-06-06 01:29 . 2009-06-06 11:10 2190336 ----a-w- c:\windows\Internet Logs\xDBE.tmp
2008-08-13 14:48 . 2008-08-13 14:48 80 --sh--r- c:\windows\CT5STET.BIN
2006-03-06 04:35 . 2006-03-06 04:35 56 --sh--r- c:\windows\system32\07BB5FD09F.sys
2006-03-06 04:35 . 2006-03-06 04:35 1682 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 23:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB913446$\tcpip.sys
[-] 2006-04-17 12:46 359808 6AF91CE5BAA449EB9A72F17DA063720C c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2008-01-19 21:33 360064 482AB7F9CD41702E8F856C11CFEFB02D c:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-01-19 21:33 360064 482AB7F9CD41702E8F856C11CFEFB02D c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( [email protected]_13.48.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-22 23:47 . 2009-08-22 23:47 16384 c:\windows\Temp\Perflib_Perfdata_760.dat
+ 2009-08-22 14:28 . 2009-08-22 14:28 16384 c:\windows\Temp\Perflib_Perfdata_720.dat
+ 2009-03-29 11:46 . 2009-03-05 22:59 36864 c:\windows\system32\drivers\usbaapl.sys
+ 2009-03-29 11:46 . 2009-03-05 22:59 1900544 c:\windows\system32\usbaaplrc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Loaris Trojan Remover"="c:\program files\Loaris Trojan Remover\TrojanRemover.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-07 935936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-10-09 981904]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"NokiaMusic FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2009-07-02 2327840]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-09-17 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nokia Nseries PC Suite.lnk.disabled [2009-1-18 1842]
Orbit.lnk.disabled [2009-3-5 1554]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"EPSON Stylus Photo R200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"CTRegRun"=c:\windows\CTRegRun.EXE
"Eraser"=c:\program files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"EPSON Stylus Photo R200 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
"YBrowser"=c:\progra~1\Yahoo!\browser\ybrwicon.exe
"CTCheck"=c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
"Epac Center"="c:\documents and settings\All Users\Application Data\Epac\EpacDownloadServiceClient.exe" -h -w

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\KService\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2009\\fm.exe"=
"c:\\Program Files\\UUSee\\UUSeePlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil_.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [03/04/2008 09:21 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [03/04/2008 09:21 20560]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCCFLTR.SYS [29/10/2006 22:21 14095]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [08/08/2009 18:26 136704]
S4 Epac Center;Epac Center;c:\documents and settings\All Users\Application Data\Epac\Epacdownloadmanagerservice.exe [28/12/2008 14:23 442368]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2007-12-21 13:31]

2009-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 12:34]

2008-12-13 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-07 08:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bt.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mWindow Title = Internet Explorer provided by BT Openworld
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {E052D21B-CA4A-40F4-BFB4-8687E47BB74F} = 208.67.220.220,208.67.222.222 
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\craig 2\Application Data\Mozilla\Firefox\Profiles\w3f4laid.default\
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\component.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\Craig\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 00:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\documents and settings\craig 2\Application Data\vlc\cache
c:\documents and settings\craig 2\Application Data\vlc\cache\CACHEDIR.TAG 193 bytes
c:\documents and settings\craig 2\Application Data\vlc\cache\plugins-04041e.dat 311951 bytes
c:\documents and settings\craig 2\Application Data\vlc\vlcrc 46505 bytes

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-299502267-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b2,d1,4e,ab,46,1b,4e,6c,d8,19,07,f9,25,54,81,b5,f1,69,51,1e,58,b8,08,
c8,29,90,be,cd,95,43,f3,25,c3,c0,cb,b3,e6,74,1d,71,1d,92,0b,b2,87,a6,ac,4e,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-22 1:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-23 00:05
ComboFix2.txt 2009-08-22 14:50

Pre-Run: 34,771,496,960 bytes free
Post-Run: 34,691,293,184 bytes free

277 --- E O F --- 2008-06-21 02:03

*MBAM log*

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

23/08/2009 01:30:11
mbam-log-2009-08-23 (01-30-11).txt

Scan type: Quick Scan
Objects scanned: 117574
Time elapsed: 11 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\Quick Launch.lnk (Rogue.Multiple) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntiVirus) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntiVirus) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\Services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\DLLs\moduleie.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\olesys.dll (Rogue.SpywareGuard) -> Delete on reboot.
C:\Documents and Settings\Bethany\Start Menu\Programs\Startup\AntiSpy Protector.lnk (Rogue.AntiSpyProtector) -> Delete on reboot.
C:\Documents and Settings\Bethany\Start Menu\Programs\Startup\AntiSpyware Protector.lnk (Rogue.AntiSpyware) -> Delete on reboot.
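Two details of the MBAM log above are worth pulling out mechanically. First, four of the detections reuse the names of Windows processes (svchost.exe, spoolsv.exe, sessmgr.exe, Services.exe) but live under Documents and Settings, which is why the "Running processes" list in a HijackThis log has to be read by full path and not by file name. Second, every file is marked "Delete on reboot", so nothing in that list is actually gone until the machine restarts, and a follow-up HijackThis log is only meaningful after the reboot. The script below is an added example for this thread, not part of MBAM or HijackThis and not code posted by either participant: it parses the "Files Infected" section, counts pending deletions, and flags system-binary look-alikes outside %SystemRoot% and %SystemRoot%\system32; the same check is then applied to a plain process list, as one would do over an HJT log. `MBAM_LOG` is constructed from entries in the log above (a subset); `HJT_PROCESSES` is a few "Running processes" lines from the HijackThis logs in this thread.

```python
"""Triage an MBAM log and flag files that borrow Windows system-binary names.
Added example; the log text below is a constructed subset of the posted log."""
import re
from collections import Counter

MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2551

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\Quick Launch.lnk (Rogue.Multiple) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntiVirus) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Craig\Local Settings\Application Data\Microsoft\Windows\Services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Craig\Application Data\Microsoft\Internet Explorer\olesys.dll (Rogue.SpywareGuard) -> Delete on reboot.
"""

# A few 'Running processes' lines from the HijackThis logs in this thread.
HJT_PROCESSES = r"""C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
""".splitlines()

# Names Windows itself runs; on XP they live only in %SystemRoot% or %SystemRoot%\system32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "sessmgr.exe", "explorer.exe", "ctfmon.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# <path> (<family>) -> <action>.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_files(log):
    """Entries of the 'Files Infected:' section as dicts (path, family, action)."""
    items, grab = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            grab = True
            continue
        if grab:
            if not line:
                break
            m = ENTRY_RE.match(line)
            if m:
                items.append(m.groupdict())
    return items


def is_masquerading(path):
    """True if the file carries a Windows system-binary name but sits outside
    the directories where that name legitimately lives."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_NAMES and directory not in SYSTEM_DIRS


def scan_process_list(paths):
    """Same check over a plain list of full paths, e.g. HJT 'Running processes'."""
    return [p for p in paths if is_masquerading(p.strip())]


def triage(log):
    """Summary: total entries, how many wait for a reboot, per-family counts,
    and the look-alike paths that deserve a manual check."""
    items = parse_mbam_files(log)
    return {
        "total": len(items),
        "pending_reboot": sum(i["action"].lower().startswith("delete on reboot") for i in items),
        "by_family": dict(Counter(i["family"] for i in items)),
        "masquerading": [i["path"] for i in items if is_masquerading(i["path"])],
    }


if __name__ == "__main__":
    r = triage(MBAM_LOG)
    print(f'{r["total"]} files detected, {r["pending_reboot"]} not removed until reboot')
    for p in r["masquerading"]:
        print("system-name look-alike outside system32:", p)
    print("HJT process list look-alikes:", scan_process_list(HJT_PROCESSES))
```

The name list is deliberately short and XP-specific; on a real case extend `SYSTEM_DIRS` with the actual %SystemRoot% if Windows is not installed at C:\WINDOWS, otherwise every legitimate process will be flagged.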


----------



## cybertech (Apr 16, 2002)

Post your hijackthis log again and let me know if you are still having problems.


----------



## hornabythanger (Aug 16, 2009)

Hi Cybertech
Here is the latest HJT log. Thank you for all your help, as I was getting quite concerned and thinking about formatting the drive.

Cheers
HT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:21, on 23/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles
O4 - HKLM\..\Run: [NokiaMusic FastStart] "C:\Program Files\Nokia\Nokia Music\NokiaMusic.exe" /command:faststart
O4 - HKCU\..\Run: [Loaris Trojan Remover] "C:\Program Files\Loaris Trojan Remover\TrojanRemover.exe" 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Nokia Nseries PC Suite.lnk.disabled
O4 - Global Startup: Orbit.lnk.disabled
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - AutorunsDisabled - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246548717046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246548705078
O17 - HKLM\System\CCS\Services\Tcpip\..\{E052D21B-CA4A-40F4-BFB4-8687E47BB74F}: NameServer = 208.67.220.220,208.67.222.222 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 8838 bytes


----------



## cybertech (Apr 16, 2002)

You're welcome!

*Run HJT again and put a check in the following:*

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

*Close all applications and browser windows before you click "fix checked".*

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of *Java* components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

*Upgrading Java*:

1. Download the latest version of *Java SE Runtime Environment (JRE) 6 Update 16*.
2. Click the "*Download*" button to the right.
3. Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 6 License Agreement.*"
4. Click on *Continue*.
5. Click on the link to download Windows Offline Installation (jre-6u16-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
6. Close any programs you may have running - especially your web browser.
7. Go to *Start* > *Control Panel*, double-click on *Add/Remove Programs* and remove all older versions of Java.
8. Check any item with Java Runtime Environment *(JRE or J2SE)* in the name.
9. Click the Remove or Change/Remove button.
10. Repeat as many times as necessary to remove each Java version.
11. Reboot your computer once all Java components are removed.
12. Then from your desktop double-click on the download to install the newest version. *(Vista users, right-click on the jre-6u16-windows-i586-p.exe and select "Run as an Administrator.")*

How is it running now? Any problems?
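
The helper's reply above works by reading HijackThis entries line by line: an entry whose target is "(no file)" is an orphan that can be fixed without running anything, an O17 line shows which DNS servers the machine trusts, and paths like `jre1.6.0_03` reveal an outdated Java runtime. As an added example (not code from the thread, from HijackThis or from the helper), here is a small Python triage script that parses the HJT entry format and flags those three cases. The sample lines are copied from the log and reply in this thread; `KNOWN_RESOLVERS` is an assumed allowlist (the two addresses listed are OpenDNS), and `LATEST_JRE` is the JRE 6 Update 16 the helper names.

```python
"""Triage a HijackThis (HJT) log.

Added example for this thread; it is not code from HijackThis, the forum
or the helper.  The sample lines below are copied from the log and reply
in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed allowlist of expected resolvers for O17 lines; adjust per network.
# 208.67.222.222 and 208.67.220.220 are OpenDNS.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# The version the helper tells the poster to install: JRE 6 Update 16.
LATEST_JRE = (6, 0, 16)

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,\s]+)")
JRE_PATH_RE = re.compile(r"jre1\.(\d+)\.(\d+)_(\d+)")

# Constructed sample: lines copied from the HJT log and reply in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Orbit.lnk.disabled
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E052D21B-CA4A-40F4-BFB4-8687E47BB74F}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O24 - Desktop Component 0: (no name) - (no file)
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4", "O17"
    reason: str    # why a helper would look at this line
    line: str      # the original entry


def parse_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, full line) for every HJT entry line.

    Non-entry lines (process list, 'End of file', blanks) are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Flag orphaned entries, outdated Java paths, unexpected DNS servers
    and startup items a tool has already disabled."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        jre = JRE_PATH_RE.search(body)
        if "(no file)" in body:
            findings.append(Finding(
                section, "orphaned entry: target file is gone, safe to let HJT fix", line))
        elif jre and tuple(int(x) for x in jre.groups()) < LATEST_JRE:
            findings.append(Finding(
                section,
                f"outdated Java runtime {jre.group(0)}; helper recommends "
                f"JRE {LATEST_JRE[0]} Update {LATEST_JRE[2]}", line))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            ips = {ip.strip() for ip in m.group("ips").split(",") if ip.strip()} if m else set()
            unknown = sorted(ips - KNOWN_RESOLVERS)
            if unknown:
                findings.append(Finding(
                    section, "DNS servers not in allowlist: " + ", ".join(unknown), line))
        elif section == "O4" and (body.endswith(".disabled") or "AutorunsDisabled" in body):
            findings.append(Finding(
                section, "startup item already disabled by a tool (informational)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the R3 URLSearchHook the helper asked to fix, the disabled Orbit startup item, both O9 entries (one orphaned, one pointing at the old JRE) and the orphaned O24 desktop component, while the O17 line passes because both resolvers are in the allowlist. Feeding it a full log is just `triage(open("hijackthis.log").read())`.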


----------



## hornabythanger (Aug 16, 2009)

Thanks Cyber, everything seems to running great now. Cheers for your time and help.


----------



## cybertech (Apr 16, 2002)

*Follow these steps to uninstall Combofix and tools used in the removal of malware*

- Click *START* then *RUN*
- Now type *Combofix /u* in the runbox and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Now you should Clean up your PC

You're welcome!


----------

