Virus cannot use spybot or access the website "Generic Host Process for Win32"

[limegreen]

Virus cannot use spybot or access the website "Generic Host Process for Win32"

Firstly thank you in advance for reading about my problem.

I will try to give as much information as possible I guess some may be surplus to requirement but better too much? but I'm not very computer literate so please excuse any ommitions/ineptitudes.

I have a packard bell laptop running windows XP Professional version 2002

First I noticed my volume controller did not work.
Then I got an error "Generic Host Process for Win32 Services encountered a problem"

The error reports content details listed "svchost.exe.mdmp" and appcompat.txt in my C:\DOCUME~1\m\LOCALS~1\Temp\WER7e8b.dir.dir00\ folder

My mozilla browser then would not connect to the internet.

I tried accessing through internet explorer which worked (then)

Looked up the problem and saw that some people were associating this error with a virus.

So went to run Spybot and it wouldn't work.
Task manager would also not work.

I then tried to access you website and the browser would not let me- other websites were fine.

I have also had a pop up error:
svchost.exe-application error
"The instruction at "0x7c90100b" referenced by memory at "0xc00001ac". The memory could not be "read"

I tried the suggestions to run spybot from the scr file and by renaming it. this didn't work.

I then tried re-starting in safe mode. this would run spybot from the scr program but it only showed up some cookies.

restarted computer, the problem was not solved and now the internet does not work with internet explorer either (friend now kindly letting me have access to his lap top)

The task manager still does not work.


I really really appreciate this. In true bad-timing style this is the last few weeks of my 3 yr thesis aaagh :-/

DDS.TXT


DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 19:45:43.89 on 19/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.354 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRunOnce: [SpybotDeletingB3731] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [SpybotDeletingA1613] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingC9969] cmd /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingA7987] command /c del "c:\windows\fonts\'\007 - A View To A Kill.zip"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194513854203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
TCP: NameServer = 93.188.164.126,93.188.160.206
TCP: {21AD7C4F-245D-4BE1-91BC-54C6FE250CEC} = 93.188.164.126,93.188.160.206
TCP: {464EA590-EC69-4EB5-ABD0-F03AE59843AE} = 93.188.164.126,93.188.160.206
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: impetuousities: {0ba3e00d-b660-46e6-a2db-2672ee82dc98} - c:\windows\system32\oanlvs.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-11-8 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-11-8 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [2007-5-21 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [2009-2-11 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-8-12 172032]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [2007-11-7 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [2007-11-7 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================


==================== Find3M ====================

2010-10-05 22:21:02 205 ----a-w- c:\windows\system32\lsprst7.dll
2010-08-23 14:47:30 0 ----a-w- c:\windows\system32\ssprs.dll

============= FINISH: 19:47:30.31 ===============

 

[Blade81]

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Azureus
LimeWire


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
• Click rootkit-tab, uncheck files option and then click scan.
• Don't check
  Show All
  box while scanning in progress!
• When scanning is ready, click Copy.
• This copies log to clipboard
• Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply. Post fresh dds log too.

 

[limegreen]

Dear Blade 81,

thanks very very much for replying to my problem. i have attached the GMER log and the new DDS as you requested. I look forward to hearing from you

thanks

Limegreen

GMER:
GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-24 19:30:35
Windows 5.1.2600 Service Pack 2
Running: kb1hqxiw.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwdoapog.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7CAC814]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA7581400, 0x7960C, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA7623420] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xA7623420]
.protectÿÿÿÿhardlockunknown last code section [0xA7623200, 0x5049, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA7623200, 0x5049, 0xE0000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 84ADDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 84ADDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 84ADDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 84ADDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-10 84ADDAEA

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST980811AS______________________________3.ALC___#5&76b7fb6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----




DDS:

DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 19:32:16.37 on 24/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.314 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRunOnce: [SpybotDeletingB3731] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [SpybotDeletingA1613] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingC9969] cmd /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingA7987] command /c del "c:\windows\fonts\'\007 - A View To A Kill.zip"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194513854203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
TCP: NameServer = 93.188.164.126,93.188.160.206
TCP: {21AD7C4F-245D-4BE1-91BC-54C6FE250CEC} = 93.188.164.126,93.188.160.206
TCP: {464EA590-EC69-4EB5-ABD0-F03AE59843AE} = 93.188.164.126,93.188.160.206
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: impetuousities: {0ba3e00d-b660-46e6-a2db-2672ee82dc98} - c:\windows\system32\oanlvs.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-11-8 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-11-8 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [2007-5-21 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [2009-2-11 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-8-12 172032]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [2007-11-7 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [2007-11-7 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================


==================== Find3M ====================

2010-10-05 22:21:02 205 ----a-w- c:\windows\system32\lsprst7.dll
2010-08-23 14:47:30 0 ----a-w- c:\windows\system32\ssprs.dll

============= FINISH: 19:34:03.28 ===============

 

[Blade81]

Thanks for the logs

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[limegreen]

Hi, I followed the instructions to disable the anti virus programs and firewall. Unfortunately when I tried to run combofix.exe It wouldn't run. I tried in safe mode it wouldn't run either but in the end I changed it's name to something random and it ran in safe mode.

Just for information as it ran it threw up a lots of :
svchost.exe application error. the instruction at "0x001a16b0" referenced memory at "0x00000000". the memory could not be written. type messages.

at first on instruction not to touch the keyboard I did nothing for ten minutes but the program didn't get beyond the " preparing to run" so eventually I clicked to get rid of the msg. But a lot came up during the process.

Also part way through combi fix came up with the message rootkit activity and asked to reboot the laptop, so I did.

Anyway here are the logs

and continuing thanks for yout patience in helping me

limegreen

ComboFix 10-10-24.06 - Administrator 25/10/2010 19:53:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.479 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Random.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
c:\documents and settings\Administrator\My Documents\Internet Explorer.lnk
c:\program files\Microsoft\DesktopLayer.exe
c:\windows\system32\dmlconf.dat
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-09-25 to 2010-10-25 )))))))))))))))))))))))))))))))
.

2010-10-24 19:27 . 2010-10-25 19:02 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-07 935936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-9-14 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-8-12 245760]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-3-24 1719496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2007-08-22 13:34 936960 ------w- c:\program files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 20:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 15:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 12:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2008-06-17 15:00 1249280 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-06-18 13:31 1122816 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 06:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-07-21 15:56 16261632 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-09-13 13:31 22880040 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-28 14:13 766041 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-27 23:46 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [08/11/2007 11:55 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [08/11/2007 11:55 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [21/05/2007 10:48 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [11/02/2009 15:41 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [28/05/2009 12:36 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [30/09/2008 18:10 98304]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [07/11/2007 17:38 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [07/11/2007 17:38 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [30/09/2008 18:12 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-10-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Motive SmartBridge - c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe
AddRemove-RealTimeWindowsTarget - c:\windows\rtwintgt -uninstall



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-25 20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\MATLAB71\webserver\bin\win32\matlabserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MATLAB71\bin\win32\MATLAB.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\windows\system32\wscntfy.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
.
**************************************************************************
.
Completion time: 2010-10-25 20:16:13 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-25 19:16

Pre-Run: 11,835,342,848 bytes free
Post-Run: 14,747,570,176 bytes free

- - End Of File - - 0189BEC4B64F96E53E0A2AB0E4C97372



DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 20:18:05.71 on 25/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.370 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194513854203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-11-8 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-11-8 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [2007-5-21 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [2009-2-11 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-8-12 172032]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [2007-11-7 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [2007-11-7 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2010-10-25 18:33:36 98816 ----a-w- c:\windows\sed.exe
2010-10-25 18:33:36 79872 ----a-w- c:\windows\MBR.exe
2010-10-25 18:33:36 256512 ----a-w- c:\windows\PEV.exe
2010-10-25 18:33:36 161792 ----a-w- c:\windows\SWREG.exe
2010-10-24 19:27:21 -------- d-----w- c:\program files\Microsoft

==================== Find3M ====================


============= FINISH: 20:18:18.25 ===============

 

[Blade81]

Hi,

Please run ComboFix again (after disabling protection) and let it install recovery console. Post back the report.

 

[limegreen]

Hi again

I let combifix install the recovery console this time-here is the report plus another dds in case you need that too,

thanks very much

lime green

ComboFix 10-10-24.06 - Administrator 26/10/2010 19:28:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.289 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Random.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((( Files Created from 2010-09-26 to 2010-10-26 )))))))))))))))))))))))))))))))
.

2010-10-24 19:27 . 2010-10-25 19:02 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-07 935936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-9-14 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-8-12 245760]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-3-24 1719496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2007-08-22 13:34 936960 ------w- c:\program files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 20:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 15:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 12:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2008-06-17 15:00 1249280 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-06-18 13:31 1122816 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 06:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-07-21 15:56 16261632 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-09-13 13:31 22880040 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-28 14:13 766041 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-27 23:46 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [08/11/2007 11:55 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [08/11/2007 11:55 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [21/05/2007 10:48 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [11/02/2009 15:41 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [28/05/2009 12:36 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [30/09/2008 18:10 98304]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [07/11/2007 17:38 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [07/11/2007 17:38 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [30/09/2008 18:12 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-10-26 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-26 19:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3268)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-26 19:38:11
ComboFix-quarantined-files.txt 2010-10-26 18:38
ComboFix2.txt 2010-10-25 19:16

Pre-Run: 14,788,272,128 bytes free
Post-Run: 14,771,347,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1879232A720D0D049C837BD9A39AF630



DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 19:39:19.40 on 26/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.397 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194513854203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-11-8 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-11-8 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [2007-5-21 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [2009-2-11 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-5-28 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-9-30 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-8-12 172032]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [2007-11-7 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [2007-11-7 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2010-10-26 18:24:14 -------- d-sha-r- C:\cmdcons
2010-10-25 18:33:36 98816 ----a-w- c:\windows\sed.exe
2010-10-25 18:33:36 79872 ----a-w- c:\windows\MBR.exe
2010-10-25 18:33:36 256512 ----a-w- c:\windows\PEV.exe
2010-10-25 18:33:36 161792 ----a-w- c:\windows\SWREG.exe
2010-10-24 19:27:21 -------- d-----w- c:\program files\Microsoft

==================== Find3M ====================


============= FINISH: 19:39:31.68 ===============

 

[Blade81]

Hi again,

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\pss\LimeWire On Startup.lnkStartup
Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
DDS::
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (9.4) here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader! You may also check free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 22.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

 

[limegreen]

Hi, first of all apologies for the delay in replying. I have attached the three reports. The Kaspersky took 10 hours!

I have one other point, i don't know if it is important. I have had spybot running for over a year now and every time I start my computer I get four boxes pop up (see the details below) of things that are being tried to changed but get denied by spybot. Because I have had problems in the past when something is trying to unexpectedly change my registry or something I generally block it. Perhaps I was too over-enthusiastic and have blocked something that I am supposed to allow or perhaps these changes that keep trying to be made are malicious. I don't know. I was wondering if you knew what they were and if I should allow them?

Thank yous so much for helping me out!

kind regards

Limegreen

27/06/2009 16:34:20 Denied (based on user blacklist) value "SpybotDeletingA1613" (new data: "") deleted in System Startup global entry!
27/06/2009 16:34:21 Denied (based on user blacklist) value "SpybotDeletingC9969" (new data: "") deleted in System Startup global entry!
27/06/2009 16:34:21 Denied (based on user blacklist) value "SpybotDeletingA7987" (new data: "") deleted in System Startup global entry!
27/06/2009 16:34:15 Denied (based on user blacklist) value "SpybotDeletingB3731" (new data: "") deleted in System Startup user entry!



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 29, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 28, 2010 16:23:46
Records in database: 4187924
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 157400
Threats found: 4
Infected objects found: 18
Suspicious objects found: 0
Scan duration: 09:59:52


File name / Threat / Threats count
C:\Documents and Settings\Administrator\.jogl_ext\tomgerhardt_com_itp_VIZ_FINAL_applet_37d3333572933b260281ed73eab5585\1.1.1\gluegen-rt.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\.jogl_ext\tomgerhardt_com_itp_VIZ_FINAL_applet_37d3333572933b260281ed73eab5585\1.1.1\jogl.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\HP\ScLogs\SolutionCenter.htm Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0iq9f93.default\bookmarks.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\Msg\104_1232502492\ipm_movies012309.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\Msg\104_1232674987\ipm_movies012609.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\Msg\4155_1231547881\20090121Newmusic_7links.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\Msg\4155_1232509655\20090127Newmusic_7links.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\Msg\4155_1232592892\20090125Newmusic_7links.html Infected: Trojan-Dropper.VBS.Exe2Vbs.b 1
C:\Documents and Settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11GOLD.exe Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\Spotify\Gracenote\gnsdk_dsp.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\2\63ff10c2-47a82a9e Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\40\3daa5e68-51d61cc5 Infected: Trojan-Downloader.Java.Agent.hx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Infected: Virus.Win32.TDSS.b 1
C:\System Volume Information\_restore{677A6E91-16F1-4630-9FE7-00E6C503459D}\RP779\A0380571.sys Infected: Virus.Win32.TDSS.b 1

Selected area has been scanned.



DDS (Ver_10-10-10.03) - NTFSx86
Run by Administrator at 12:00:15.01 on 29/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.543 [GMT 1:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page =
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [SpybotDeletingB3731] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [btbb_wcm_McciTrayApp] c:\program files\btbb_wcm\McciTrayApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [SpybotDeletingA1613] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingC9969] cmd /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingA7987] command /c del "c:\windows\fonts\'\007 - A View To A Kill.zip"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\imtoo\download youtube video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - hxxp://www.streamplug.com/StreamPlug/beta/SP.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194513854203
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\administrator\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-10-28 23:43:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-28 23:43:25 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-28 23:43:25 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-10-26 18:24:14 -------- d-sha-r- C:\cmdcons
2010-10-25 18:33:36 98816 ----a-w- c:\windows\sed.exe
2010-10-25 18:33:36 79872 ----a-w- c:\windows\MBR.exe
2010-10-25 18:33:36 256512 ----a-w- c:\windows\PEV.exe
2010-10-25 18:33:36 161792 ----a-w- c:\windows\SWREG.exe
2010-10-24 19:27:21 -------- d-----w- c:\program files\Microsoft

==================== Find3M ====================


============= FINISH: 12:01:48.42 ===============




ComboFix 10-10-24.06 - Administrator 28/10/2010 23:19:47.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.894.560 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Random.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk"
"c:\windows\pss\LimeWire On Startup.lnkStartup"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\pss\LimeWire On Startup.lnkStartup

.
((((((((((((((((((((((((( Files Created from 2010-09-28 to 2010-10-28 )))))))))))))))))))))))))))))))
.

2010-10-24 19:27 . 2010-10-25 19:02 -------- d-----w- c:\program files\Microsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-06-18 1122816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-11 344064]
"btbb_wcm_McciTrayApp"="c:\program files\btbb_wcm\McciTrayApp.exe" [2006-12-07 935936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
BBC iPlayer Desktop.lnk - c:\program files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe [2009-9-14 95744]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-8-12 245760]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2009-3-24 1719496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 17:43 69632 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
2007-08-22 13:34 936960 ------w- c:\program files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2004-08-04 13:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-14 20:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 15:31 80896 ----a-w- c:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-09-26 14:42 267064 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2007-01-19 12:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
2008-06-17 15:00 1249280 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2008-06-18 13:31 1122816 ----a-w- c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 06:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-07-21 15:56 16261632 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2007-09-13 13:31 22880040 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-16 17:04 2879488 ----a-w- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-04-28 14:13 766041 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-04-27 23:46 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [08/11/2007 11:55 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [08/11/2007 11:55 38528]
R2 NBSPortDriver;NBSPortDriver;c:\windows\system32\drivers\NBSPortDriver.sys [21/05/2007 10:48 17912]
R2 RTWTKRNL;Real-Time Windows Target;c:\windows\system32\drivers\RTWTKRNL.sys [11/02/2009 15:41 27200]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [28/05/2009 12:36 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [30/09/2008 18:10 98304]
R3 PortDRv;PST Port I/O Driver;c:\windows\system32\drivers\PortDRv.sys [07/11/2007 17:38 7168]
R3 SRBoxDRv;PST Serial Response Box Driver;c:\windows\system32\drivers\SRBoxDRv.sys [07/11/2007 17:38 11776]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [30/09/2008 18:12 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-10-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-22 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download with ImTOO Download YouTube Video - c:\program files\ImTOO\Download YouTube Video\upod_link.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {C92FAE80-87D0-431D-BA75-3E7A64F5069F} - hxxps://media.blinkbox.com/Licensing/Blinkbox.Licensing.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p0iq9f93.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.orbitdownloader.com
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-28 23:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-10-28 23:31:23
ComboFix-quarantined-files.txt 2010-10-28 22:31
ComboFix2.txt 2010-10-26 18:38
ComboFix3.txt 2010-10-25 19:16

Pre-Run: 14,733,619,200 bytes free
Post-Run: 14,724,751,360 bytes free

- - End Of File - - 34F06DC53D8AE41675D50CAD77773D0F

 

[Blade81]

Hi,

Is your Sophos Anti-Virus license still valid? If not you won't get any updates leaving your system non protected.

I have had spybot running for over a year now and every time I start my computer I get four boxes pop up (see the details below) of things that are being tried to changed but get denied by spybot. Because I have had problems in the past when something is trying to unexpectedly change my registry or something I generally block it. Perhaps I was too over-enthusiastic and have blocked something that I am supposed to allow or perhaps these changes that keep trying to be made are malicious. I don't know. I was wondering if you knew what they were and if I should allow them?

Those four examples you listed seem to be four months old. Anyway, not all modifications are bad. Those must be checked case by case (that's why I don't recommend using TeaTimer if one isn't advanced user).


Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRunOnce: [SpybotDeletingB3731] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingA1613] command /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingC9969] cmd /c del "c:\windows\fonts\'\.45 (2006) DVDRiP XviD.zip"
mRunOnce: [SpybotDeletingA7987] command /c del "c:\windows\fonts\'\007 - A View To A Kill.zip"

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe. If you get any alerts about registry modifications during ComboFix run or after it allow those.
Then post the resultant log + fresh dds.txt log.



Upload these files to http://www.virustotal.com and post back the results for each of them:
C:\Documents and Settings\Administrator\.jogl_ext\tomgerhardt_com_itp_VIZ_FINAL_applet_37d3333572933b260281ed73eab5585\1.1.1\jogl.dll
C:\Documents and Settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
C:\Documents and Settings\Administrator\Application Data\HP\ScLogs\SolutionCenter.htm
C:\Documents and Settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11GOLD.exe
C:\Documents and Settings\Administrator\Application Data\Spotify\Gracenote\gnsdk_dsp.dll

 

[Blade81]

Are you still there?

 

[Blade81]

Due to inactivity, this thread will now be closed.

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.