Virus has disabled antivirus programs/updates/site access (HT log)
Hi,
I seem to have picked up a weird virus that appears to just stop anything antiviral from running. It has turned off Windows updates, stopped Sophos contacting the server for updates, and stops XoftSpySE and MBAM from loading/reinstalling. It has also disabled access to antivirus sites and has hijacked Google.
Bizarrely, I can still run a Sophos scan, and it has flagged 'RegCure.exe' as a trojan--I do have RegCure, but this thing is in some weird directory. The scan won't finish though--says it can't access some places on my C: drive--one of them mentions not being able to do a boot scan. Then it won't let me clean up the trojan, because it didn't finish the scan.
HT is still working though! Here's a log from my scan. If anyone can help at all, I'd be so grateful!
Thanks!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:24:26, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Documents and Settings\Suzie\Application Data\gadcom\gadcom.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://forums.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Suzie\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221866206078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3454.dat,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL eggrur.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xunejejyj.html
--
End of file - 10256 bytes
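As an added example (not part of the original thread or of HijackThis itself), a small Python triage script for the O4, O20 and O24 lines of an HJT log like the one posted above. The heuristics it applies are this example's own assumptions rather than HijackThis rules: autostarts whose image lives in a user-writable profile directory, opaque hex blobs passed as arguments, AppInit_DLLs entries that are not path-qualified .dll files, Active Desktop components backed by a local file, and the same Run entry registered in both HKLM and HKCU. The sample input is a constructed subset of the log in the post.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (a constructed
# subset of that log, used as test input for this example).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Suzie\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3454.dat,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL eggrur.dll
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xunejejyj.html
"""

# Line shapes as HijackThis 2.0.x prints them.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
O24_RE = re.compile(r'^O24 - Desktop Component \d+: .* - (.*)$')
HEX_BLOB_RE = re.compile(r'^[0-9A-Fa-f]{32,}$')

# Directories an ordinary user profile can write to; an autostart living
# here deserves a second look (assumed heuristic of this example).
PROFILE_DIRS = ('\\application data\\', '\\local settings\\', '\\temp\\')


def split_command(cmd):
    """Split an O4 command string into (image_path, argument_string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def triage(log_text):
    """Return a list of (entry, reason) findings for the given HJT log text."""
    findings = []
    by_name = defaultdict(set)  # O4 value name -> set of (hive, command)
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            by_name[name].add((hive, cmd))
            image, args = split_command(cmd)
            if any(d in image.lower() for d in PROFILE_DIRS):
                findings.append((line, 'autostart image lives in a user-writable profile directory'))
            if HEX_BLOB_RE.match(args):
                findings.append((line, 'opaque hex blob passed as argument'))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every user32-linked process, so each
            # entry is checked on its own; entries are comma or space separated.
            for dll in re.split(r'[,\s]+', m.group(1).strip()):
                if not dll:
                    continue
                if not dll.lower().endswith('.dll'):
                    findings.append((dll, 'AppInit_DLLs entry with a non-.dll extension'))
                elif '\\' not in dll:
                    findings.append((dll, 'AppInit_DLLs entry without a directory (resolved via DLL search path)'))
            continue
        m = O24_RE.match(line)
        if m:
            findings.append((line, 'Active Desktop component backed by a local file: %s' % m.group(1)))
    # The same value name with the same command in both hives is a
    # persistence pattern legitimate installers rarely produce.
    for name, entries in by_name.items():
        hives = {h for h, _ in entries}
        cmds = {c for _, c in entries}
        if hives == {'HKLM', 'HKCU'} and len(cmds) == 1:
            findings.append((name, 'same Run entry registered in both HKLM and HKCU'))
    return findings


if __name__ == '__main__':
    for entry, reason in triage(SAMPLE_LOG):
        print('%-60s %s' % (entry[:60], reason))
```

Run against the sample it flags the gadcom, prunnet, __c00C3454.dat, eggrur.dll and xunejejyj.html entries and leaves the vendor autostarts and the Sophos AppInit hook alone.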
Alright, let's do a few things
================
Please download ComboFix by sUBs from HERE or HERE
- You must download it to and run it from your Desktop
- Physically disconnect from the internet.
- Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
- Double click combofix.exe & follow the prompts.
- When finished, it will produce a log. Please save that log to post in your next reply.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
============
Go into Control Panel > Add / Remove Programs, and remove all Java Components.
Then go to www.java.com and install the latest Java.
============
Thanks,
Cohen
Hey,
Oops... I didn't notice the last post until after I'd done the java thing...
The Java's updated anyway.
I managed to download the file by accessing the site through a remote desktop connection to my department (I can't access them on this computer). But having downloaded it to my desktop, I can't get it to run. It does the same thing as XoftSpySE and MBAM--my cursor tells me my computer is doing something, but then it just stops and no program window appears. I looked at my task manager and the program shows up in the 'processes' tab, but not in the 'programs' tab. I tried renaming the executable, and the same thing happened. I wasn't able to run XoftSpySE or MBAM in safe mode either. What should I do?
Thanks for your help!!
Last edited by Suzie24; Dec 21st, 2008 at 7:37 am.
In case it's useful... I was just reading through inx's thread, and tried the same trick of renaming MBAM--it worked, and I'm running a scan right now.
Still can't get combofix running though.
Shall I post a new HT log once I've done the MBAM scan and cleaned up what it has found (21 infected items and counting...)?
Hey,
So after I got MBAM running, I cleaned out a load of bad files and managed to run combofix. I've got a log file:
ComboFix 08-12-20.03 - Suzie 2008-12-21 14:10:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.769 [GMT 0:00]
Running from: c:\documents and settings\Suzie\Desktop\Program.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\Suzie\Application Data\gadcom
c:\documents and settings\Suzie\Application Data\gadcom\gadcom.exe
c:\documents and settings\Suzie\Desktop\Live Safety Center.lnk
c:\documents and settings\Suzie\Favorites\Online Security Guide.lnk
c:\documents and settings\Suzie\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Suzie\My Documents\PPATCH~1
c:\documents and settings\Suzie\My Documents\RACLE~1
c:\documents and settings\Suzie\My Documents\SMBOLS~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\fnts~1
c:\program files\Common Files\sembly~1
c:\program files\MSN\xunejejyj.html
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\bkR11
c:\temp\bkR11\ftCa.log
c:\windows\dobe~1
c:\windows\msettings.ini
c:\windows\smbols~1
c:\windows\system32\cbsesjrn.dll
c:\windows\system32\dmucjv.dll
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\eggrur.dll
c:\windows\system32\fNXbaGgh.ini2
c:\windows\system32\GiOoonpo.ini2
c:\windows\system32\gjxsigpx.dll
c:\windows\system32\juyhvkju.dll
c:\windows\system32\n2
c:\windows\system32\nnnmp.ini
c:\windows\system32\nnnmp.ini2
c:\windows\system32\prunnet.exe
c:\windows\system32\qmkwojbl.dll
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\vudqtwim.ini
c:\windows\system32\wnstsicomsv.exe
c:\windows\system32\x3
c:\windows\system32\ympeeo.dll
c:\windows\system32\ystem~1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV
-------\Legacy_TDSSSERV
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-21 11:28 . 2008-12-21 11:28 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 11:28 . 2008-12-21 11:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-21 11:12 . 2008-12-21 11:12 <DIR> d--h----- c:\windows\PIF
2008-12-20 23:40 . 2008-12-20 23:40 57,856 --a------ c:\windows\system32\khfEVPfd.dll
2008-12-20 23:33 . 2008-12-20 23:33 57,856 --a------ c:\windows\system32\ddcaaASI.dll
2008-12-20 01:53 . 2008-12-20 01:54 <DIR> d-------- c:\documents and settings\Suzie\oldphp
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\program files\Musicnotes
2008-12-16 13:18 . 2008-12-16 13:18 <DIR> d-------- c:\program files\Veoh Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 14:12 --------- d---a-w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-21 14:01 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-21 11:28 --------- d-----w c:\program files\Java
2008-12-10 01:33 --------- d-----w c:\documents and settings\Suzie\Application Data\Digidesign
2008-11-06 18:53 --------- d-----w c:\documents and settings\Suzie\Application Data\uTorrent
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-11-14 17:51 604 ---ha-w c:\program files\STLL Notifier
2005-03-31 22:17 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-09-07 13:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
2008-09-19 23:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\perfoi]
@="{B055254E-F6EB-7B09-4584-9DFDE057C136}"
[HKEY_CLASSES_ROOT\CLSID\{B055254E-F6EB-7B09-4584-9DFDE057C136}]
2004-08-04 12:00 41472 --a------ c:\windows\system32\perfoi.dIl
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-11-03 3522296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2007-12-07 163840]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-12-07 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-07 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2007-12-07 99328]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-25 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-08-15 245760]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-02-05 1445904]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKLM\~\startupfolder\C:^Documents and Settings^Suzie^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Suzie\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aera
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-03-18 16384]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2008-09-20 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2008-09-20 35584]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio\MobilePre\Install\MPInst.exe [2007-06-21 49152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-09-22 69632]
R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-08-21 98304]
R3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2007-06-21 32000]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]
.
Contents of the 'Scheduled Tasks' folder
2008-12-20 c:\windows\Tasks\At1.job
- c:\windows\system32\w2O201yJ.exe []
2008-11-02 c:\windows\Tasks\At10.job
- c:\windows\system32\w2O201yJ.exe []
2008-11-30 c:\windows\Tasks\At11.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At12.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At13.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At14.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At15.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-14 c:\windows\Tasks\At16.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-14 c:\windows\Tasks\At17.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-17 c:\windows\Tasks\At18.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-16 c:\windows\Tasks\At19.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At2.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At20.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At21.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At22.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At23.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-20 c:\windows\Tasks\At24.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At3.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-20 c:\windows\Tasks\At4.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At5.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At6.job
- c:\windows\system32\w2O201yJ.exe []
2008-11-28 c:\windows\Tasks\At7.job
- c:\windows\system32\w2O201yJ.exe []
2008-11-24 c:\windows\Tasks\At8.job
- c:\windows\system32\w2O201yJ.exe []
2008-11-24 c:\windows\Tasks\At9.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\lcocpvac.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]
2008-12-21 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-12-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-12-16 c:\windows\Tasks\WebReg psc 1500 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 23:21]
2008-12-17 c:\windows\Tasks\Wednesday 9pm Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-05-12 15:43]
2008-12-21 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 15:43]
2008-12-20 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 15:43]
.
- - - - ORPHANS REMOVED - - - -
BHO-{e129c441-b627-49e0-97c8-a609e0a3cab0} - c:\windows\system32\dmucjv.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.somethingawful.com/
mStart Page = hxxp://forums.somethingawful.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Suzie\Application Data\Mozilla\Firefox\Profiles\lhhlxl1s.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:14:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:16:52 - machine was rebooted [Suzie]
ComboFix-quarantined-files.txt 2008-12-21 14:16:39
Pre-Run: 6,798,622,720 bytes free
Post-Run: 7,034,961,920 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
294 --- E O F --- 2008-12-18 10:35:44
And also the HT log, in case that's useful...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:33, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221866206078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10391 bytes
How does it look?
.
Completion time: 2008-12-21 14:16:52 - machine was rebooted [Suzie]
ComboFix-quarantined-files.txt 2008-12-21 14:16:39
Pre-Run: 6,798,622,720 bytes free
Post-Run: 7,034,961,920 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
294 --- E O F --- 2008-12-18 10:35:44
And also the HT log, in case that's useful...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:33, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221866206078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 10391 bytes
How does it look?
Yap, post them here, let us have a look... By the way, have you tried using combofix in safe mode? Or renaming the exe to a .pif file, like combofix.pif? Are msconfig/regedit/taskmanager running fine?
Judy
Last edited by jholland1964; Dec 21st, 2008 at 11:44 am.
Suzie24, looks MUCH better. Both MBA-M and combofix did their work.
One thing noted in the combofix log is a huge listing of items in the scheduled tasks folder, especially the ones which read like this:
c:\windows\Tasks\At1.job
When you see At1.job in scheduled tasks, this often means the infection has placed a scheduled job to be run at a certain time, or at certain times each day, to actually reinfect.
The file it is pointing to is c:\windows\system32\w2O201yJ.exe
I would like you to do a search for this file by going to your "C" drive, then Windows\system32, and see if you see this listing in there: w2O201yJ.exe.
IF you do see that file, let's check this out, ok? It may not be required, but it cannot hurt.
What I want you to do is go to this site, http://virscan.org/ (there is another site I usually recommend, but it appears to be down at the moment); this one will do what we need.
When you get to the site you will see a window there; copy/paste this into the window, c:\windows\system32\w2O201yJ.exe, and click upload. The site will scan your computer and upload this file for testing at multiple anti-virus sites. Once that is complete it will generate a report for you on this file. Come back here with that report.
As for the Java update, that is ok, don't worry about it. It is just generally best to wait until a computer is deemed clean before installing or updating something. The one exception, of course, would be installing an anti-virus program or anti-malware program and updating those programs.
Judy
Last edited by jholland1964; Dec 21st, 2008 at 1:20 pm.
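As an added example (not code from this thread, from ComboFix or from any of the posters), here is a small Python parser for the scheduled-tasks section of a ComboFix log that flags the pattern Judy describes: several AtN.job entries (the names at.exe gives to jobs it creates) all launching the same executable. The sample lines are constructed to match the thread's log format; treating an empty "[]" after the target as "no file timestamp recorded" is my assumption about the format, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's scheduled-task layout (not the thread's full log):
# a date plus .job path on one line, then "- <target> [<file timestamp>]" on the next.
# An empty "[]" is treated below as "no timestamp recorded for the target file"
# (an assumption about the format; the thread itself does not explain the brackets).
SAMPLE = r"""
2008-12-14 c:\windows\Tasks\At17.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At2.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At5.job
- c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\lcocpvac.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]
2008-12-18 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-12-17 c:\windows\Tasks\Wednesday 9pm Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-05-12 15:43]
"""

JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) c:\\windows\\tasks\\(.+?\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.I)  # naming used by jobs created with at.exe


def parse_tasks(text):
    """Return a list of (job_date, job_name, target_path, file_timestamp) tuples."""
    lines = [line.rstrip() for line in text.splitlines()]
    tasks, i = [], 0
    while i < len(lines) - 1:
        job = JOB_RE.match(lines[i])
        target = TARGET_RE.match(lines[i + 1])
        if job and target:
            tasks.append((job.group(1), job.group(2), target.group(1), target.group(2)))
            i += 2
        else:
            i += 1
    return tasks


def suspicious_targets(tasks, min_at_jobs=2):
    """Map each target (lower-cased) to the reasons it looks like a reinfection hook."""
    by_target = defaultdict(list)
    for _, job_name, target, stamp in tasks:
        by_target[target.lower()].append((job_name, stamp))
    findings = {}
    for target, entries in by_target.items():
        at_jobs = sorted(j for j, _ in entries if AT_JOB_RE.match(j))
        reasons = []
        if len(at_jobs) >= min_at_jobs:
            reasons.append(f"{len(at_jobs)} at.exe-style jobs ({', '.join(at_jobs)})")
        if any(stamp == "" for _, stamp in entries):
            reasons.append("no file timestamp recorded for target")
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == "__main__":
    for target, reasons in suspicious_targets(parse_tasks(SAMPLE)).items():
        print(target, "->", "; ".join(reasons))
```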