Virus has disabled antivirus programs/updates/site access (HT log)

Hi, I seem to have picked up a weird virus that appears to just stop anything antiviral from running. It has turned off Windows updates, stopped Sophos contacting the server for updates, and stops XoftSpySE and MBAM from loading/reinstalling. It has also disabled access to antivirus sites and has hijacked Google. Bizarrely, I can still run a Sophos scan, and it has flagged 'RegCure.exe' as a trojan--I do have RegCure, but this thing is in some weird directory. The scan won't finish tho--says it can't access some places on my C drive--one of them mentions not being able to do a boot scan. Then it won't let me clean up the trojan, cos it didn't finish the scan. HT is still working though! Here's a log from my scan. If anyone can help at all, I'd be so grateful! Thanks! :)

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:24:26, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Documents and Settings\Suzie\Application Data\gadcom\gadcom.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://forums.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Suzie\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221866206078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00C3454.dat,C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL eggrur.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\xunejejyj.html

--
End of file - 10256 bytes
```
Re: Virus has disabled antivirus programs/updates/site access (HT log)

Alright, let's do a few things

================

Please download ComboFix by sUBs from HERE or HERE

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

============

Go into Control Panel > Add / Remove Programs, and remove all Java Components. Then go to www.java.com and install the latest Java.

============

Thanks,
Cohen
Re: Virus has disabled antivirus programs/updates/site access (HT log)

I would advise the Java update be delayed until the ComboFix program is run and the log is posted here and interpreted and commented on.

Judy
Re: Virus has disabled antivirus programs/updates/site access (HT log)

Hey,

Oops... I didn't notice the last post until after I'd done the Java thing... The Java's updated anyway.

I managed to download the file by accessing the site through a remote desktop connection to my department (I can't access them on this computer). But having downloaded it to my desktop, I can't get it to run. It does the same thing as XoftSpySE and MBAM--my cursor tells me my computer is doing something, but then it just stops and no program window appears. I looked at my task manager and the program shows up in the 'processes' tab, but not in the 'programs' tab. I tried renaming the executable, and the same thing happened. I wasn't able to run XoftSpySE or MBAM in safe mode either.

What should I do? Thanks for your help!!
Re: Virus has disabled antivirus programs/updates/site access (HT log)

In case it's useful... I was just reading through inx's thread, and tried the same trick of renaming MBAM--it worked, and I'm running a scan right now. Still can't get combofix running tho. Shall I post a new HT log once I've done the MBAM scan and cleaned up what it has found (21 infected items and counting...)?
Re: Virus has disabled antivirus programs/updates/site access (HT log)

Yep, post them here, let us have a look... By the way, have you tried using combofix in safe mode? Or renaming the exe to a .pif file, like combofix.pif? Are msconfig/regedit/taskmanager running fine?
Re: Virus has disabled antivirus programs/updates/site access (HT log)

Hey,

So after I got MBAM running, I cleaned out a load of bad files and managed to run combofix. I've got a log file:

```
ComboFix 08-12-20.03 - Suzie 2008-12-21 14:10:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.769 [GMT 0:00]
Running from: c:\documents and settings\Suzie\Desktop\Program.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Live Safety Center.lnk
c:\documents and settings\Suzie\Application Data\gadcom
c:\documents and settings\Suzie\Application Data\gadcom\gadcom.exe
c:\documents and settings\Suzie\Desktop\Live Safety Center.lnk
c:\documents and settings\Suzie\Favorites\Online Security Guide.lnk
c:\documents and settings\Suzie\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Suzie\My Documents\PPATCH~1
c:\documents and settings\Suzie\My Documents\RACLE~1
c:\documents and settings\Suzie\My Documents\SMBOLS~1
c:\program files\Common Files\dobe~1
c:\program files\Common Files\fnts~1
c:\program files\Common Files\sembly~1
c:\program files\MSN\xunejejyj.html
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\bkR11
c:\temp\bkR11\ftCa.log
c:\windows\dobe~1
c:\windows\msettings.ini
c:\windows\smbols~1
c:\windows\system32\cbsesjrn.dll
c:\windows\system32\dmucjv.dll
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\drivers\TDSSserv.sys
c:\windows\system32\eggrur.dll
c:\windows\system32\fNXbaGgh.ini2
c:\windows\system32\GiOoonpo.ini2
c:\windows\system32\gjxsigpx.dll
c:\windows\system32\juyhvkju.dll
c:\windows\system32\n2
c:\windows\system32\nnnmp.ini
c:\windows\system32\nnnmp.ini2
c:\windows\system32\prunnet.exe
c:\windows\system32\qmkwojbl.dll
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSrhyp.log
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\vudqtwim.ini
c:\windows\system32\wnstsicomsv.exe
c:\windows\system32\x3
c:\windows\system32\ympeeo.dll
c:\windows\system32\ystem~1
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV
-------\Legacy_TDSSSERV
-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-21 11:28 . 2008-12-21 11:28 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 11:28 . 2008-12-21 11:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-21 11:12 . 2008-12-21 11:12 <DIR> d--h----- c:\windows\PIF
2008-12-20 23:40 . 2008-12-20 23:40 57,856 --a------ c:\windows\system32\khfEVPfd.dll
2008-12-20 23:33 . 2008-12-20 23:33 57,856 --a------ c:\windows\system32\ddcaaASI.dll
2008-12-20 01:53 . 2008-12-20 01:54 <DIR> d-------- c:\documents and settings\Suzie\oldphp
2008-12-17 22:33 . 2008-12-17 22:33 <DIR> d-------- c:\program files\Musicnotes
2008-12-16 13:18 . 2008-12-16 13:18 <DIR> d-------- c:\program files\Veoh Networks
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 14:12 --------- d---a-w c:\documents and settings\All Users\Application Data\Kontiki
2008-12-21 14:01 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-21 11:28 --------- d-----w c:\program files\Java
2008-12-10 01:33 --------- d-----w c:\documents and settings\Suzie\Application Data\Digidesign
2008-11-06 18:53 --------- d-----w c:\documents and settings\Suzie\Application Data\uTorrent
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2007-11-14 17:51 604 ---ha-w c:\program files\STLL Notifier
2005-03-31 22:17 40,960 ----a-w c:\program files\Uninstall_CDS.exe
2008-09-07 13:55 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
2008-09-19 23:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\perfoi]
@="{B055254E-F6EB-7B09-4584-9DFDE057C136}"
[HKEY_CLASSES_ROOT\CLSID\{B055254E-F6EB-7B09-4584-9DFDE057C136}]
2004-08-04 12:00 41472 --a------ c:\windows\system32\perfoi.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2008-11-03 3522296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2007-12-07 163840]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2007-12-07 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-12-07 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2007-12-07 99328]
"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-25 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-08-15 245760]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2006-02-05 1445904]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-11 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^Suzie^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Suzie\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aera
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-03-18 16384]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2008-09-20 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2008-09-20 35584]
R2 MobilePreInstallerService;MobilePre Installer;c:\program files\M-Audio\MobilePre\Install\MPInst.exe [2007-06-21 49152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-09-22 69632]
R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-08-21 98304]
R3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys [2007-06-21 32000]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]
.
Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\At1.job - c:\windows\system32\w2O201yJ.exe []
2008-11-02 c:\windows\Tasks\At10.job - c:\windows\system32\w2O201yJ.exe []
2008-11-30 c:\windows\Tasks\At11.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At12.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At13.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At14.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At15.job - c:\windows\system32\w2O201yJ.exe []
2008-12-14 c:\windows\Tasks\At16.job - c:\windows\system32\w2O201yJ.exe []
2008-12-14 c:\windows\Tasks\At17.job - c:\windows\system32\w2O201yJ.exe []
2008-12-17 c:\windows\Tasks\At18.job - c:\windows\system32\w2O201yJ.exe []
2008-12-16 c:\windows\Tasks\At19.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At2.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At20.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At21.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At22.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At23.job - c:\windows\system32\w2O201yJ.exe []
2008-12-20 c:\windows\Tasks\At24.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\At3.job - c:\windows\system32\w2O201yJ.exe []
2008-12-20 c:\windows\Tasks\At4.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At5.job - c:\windows\system32\w2O201yJ.exe []
2008-12-19 c:\windows\Tasks\At6.job - c:\windows\system32\w2O201yJ.exe []
2008-11-28 c:\windows\Tasks\At7.job - c:\windows\system32\w2O201yJ.exe []
2008-11-24 c:\windows\Tasks\At8.job - c:\windows\system32\w2O201yJ.exe []
2008-11-24 c:\windows\Tasks\At9.job - c:\windows\system32\w2O201yJ.exe []
2008-12-21 c:\windows\Tasks\lcocpvac.job - c:\windows\system32\rundll32.exe [2008-04-14 00:12]
2008-12-21 c:\windows\Tasks\RegCure Program Check.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-12-18 c:\windows\Tasks\RegCure.job - c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]
2008-12-16 c:\windows\Tasks\WebReg psc 1500 series.job - c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2005-05-11 23:21]
2008-12-17 c:\windows\Tasks\Wednesday 9pm Scan.job - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-05-12 15:43]
2008-12-21 c:\windows\Tasks\XoftSpySE 2.job - c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 15:43]
2008-12-20 c:\windows\Tasks\XoftSpySE.job - c:\program files\XoftSpySE\XoftSpy.exe [2007-07-13 15:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e129c441-b627-49e0-97c8-a609e0a3cab0} - c:\windows\system32\dmucjv.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.somethingawful.com/
mStart Page = hxxp://forums.somethingawful.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Suzie\Application Data\Mozilla\Firefox\Profiles\lhhlxl1s.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:14:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:16:52 - machine was rebooted [Suzie]
ComboFix-quarantined-files.txt 2008-12-21 14:16:39

Pre-Run: 6,798,622,720 bytes free
Post-Run: 7,034,961,920 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

294 --- E O F --- 2008-12-18 10:35:44
```

And also the HT log, in case that's useful...
```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:23:33, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVMain.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.somethingawful.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1221866206078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: Adobe LM
```
Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: KService - Kontiki Inc. 
- C:\Program Files\Kontiki\KService.exe O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- End of file - 10391 bytes How does it look? :) |
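Reading a HijackThis log by eye means scanning every O4 Run key, O16 DPF download and O23 service for a path that does not belong. The script below is an added example (it is not code from this thread or from HijackThis itself) showing how a first triage pass can be automated over lines in the HijackThis 2.0.2 format. The sample log inside it is constructed: five lines are copied from the log above, and one O4 line pointing at C:\WINDOWS\system32\w2O201yJ.exe (the file name Judy asks about later in this thread) is made up so the heuristics have something to catch; that O4 line is not in the real log. The "random-looking filename" rule and the list of hosts treated as trusted for ActiveX downloads are rough assumptions for illustration, not a verdict on any entry.

```python
"""Triage pass over HijackThis 2.0.2 log lines (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample: five lines copied from the log posted above, plus one
# made-up O4 line that points at the file name discussed later in the thread.
# That O4 line is NOT in the real log; it is here so the heuristics fire.
SAMPLE_LOG = r"""
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O4 - HKLM\..\Run: [w2O201yJ] C:\WINDOWS\system32\w2O201yJ.exe
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+)\s+-\s+(?P<detail>.+?)\s*$")
# A drive-letter path up to the first executable-ish extension; spaces allowed.
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|scr|cab)\b", re.IGNORECASE)
# A bare "name.exe" with no directory, i.e. resolved through PATH at logon.
BARE_EXE_RE = re.compile(r"(?<![\\\w.])[\w-]+\.exe\b", re.IGNORECASE)
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")  # assumption for the demo


@dataclass
class Entry:
    code: str             # HijackThis section, e.g. O4 or O23
    detail: str           # everything after "O4 - "
    path: Optional[str]   # file path or URL the entry loads, when recognisable


def parse_hjt(text: str) -> list[Entry]:
    """Parse R*/O* lines; header and 'Running processes' lines are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, detail = m["code"], m["detail"]
        if code == "O16":                       # DPF entries carry a download URL
            hit = re.search(r"https?://\S+", detail)
        else:
            hit = DRIVE_PATH_RE.search(detail) or BARE_EXE_RE.search(detail)
        entries.append(Entry(code, detail, hit.group(0) if hit else None))
    return entries


def looks_random(stem: str) -> bool:
    """Rough heuristic for machine-generated names such as w2O201yJ: a digit run
    wedged between letters AND at least two upper/lower case switches.
    Vendor names with a trailing number (nvsvc32, hpqSTE08) do not trigger it."""
    interior_digits = re.search(r"[A-Za-z]\d+[A-Za-z]", stem) is not None
    letters = [c for c in stem if c.isalpha()]
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return interior_digits and switches >= 2


def triage(text: str) -> list[dict]:
    """Return the entries a reviewer should look at first, each with a reason."""
    findings: list[dict] = []
    for e in parse_hjt(text):
        if not e.path:
            continue
        if e.code == "O16":
            host = urlparse(e.path).hostname or ""
            if not host.endswith(TRUSTED_DPF_HOSTS):
                findings.append({"code": e.code, "path": e.path,
                                 "reason": f"ActiveX control fetched from third-party host {host}"})
            continue
        if e.code == "O4" and ":\\" not in e.path:
            findings.append({"code": e.code, "path": e.path,
                             "reason": "unqualified executable name, resolved by PATH search"})
        stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            findings.append({"code": e.code, "path": e.path,
                             "reason": "random-looking filename"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<4} {f['path']}\n     -> {f['reason']}")
```

Run against the constructed sample it reports three things to look at: the iPIX ActiveX download, SOUNDMAN.EXE (a legitimate Realtek entry here, but flagged because a bare name is resolved by PATH search, which is exactly what a malware drop in an earlier PATH directory abuses), and the made-up w2O201yJ.exe line. Nothing it prints is a verdict; it only orders the log so the odd entries are read first.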
Re: Virus has disabled antivirus programs/updates/site access (HT log )
Quote:
Judy
Re: Virus has disabled antivirus programs/updates/site access (HT log )
Suzie24, looks MUCH better. Both MBA-M and combofix did their work.

One thing noted in the combofix log is a huge listing of items in the scheduled tasks folder, especially the ones which read like this:
c:\windows\Tasks\At1.job
When you see At1.job in scheduled tasks this often means the infection has placed a scheduled job to be run at a certain time or certain times each day to actually reinfect. The file it is pointing to is c:\windows\system32\w2O201yJ.exe. I would like you to do a search for this file by going to your "C" drive, then Windows\system32, and see if you see this listing in there: w2O201yJ.exe. IF you do see that file, let's check this out, ok? May not be required but it cannot hurt.

What I want you to do is go to this site, http://virscan.org/ (there is another site I usually recommend but it appears to be down at the moment); this one will do what we need. When you get to the site you will see a window there; copy/paste this into the window, c:\windows\system32\w2O201yJ.exe, and click upload. The site will scan your computer and upload this file for testing at multiple anti-virus sites. Once that is complete it will generate a report for you on this file. Come back here with that report.

As for the Java update, that is ok, don't worry about it. It is just generally best to wait until a computer is deemed clean before installing or updating something. The one exception of course would be installing an anti-virus program or anti-malware program and updating those programs.

Judy
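The At1.job check above is a persistence hunt: a Task Scheduler job that fires on a timer and re-launches a dropped executable will undo a cleanup that only removed the file. The script below is an added example (not code from this thread, from ComboFix or from the scanner site Judy names) of doing that check on a copy of the Tasks folder without opening or running anything it finds. It relies on one fact about the legacy .job format: the application name, parameters and working directory are stored as UTF-16LE strings, so a "strings -el" style scan recovers what each job launches without parsing the rest of the binary layout. Everything else is constructed for the demo: a fake C:\WINDOWS tree in a temporary directory, an At1.job naming the w2O201yJ.exe path from Judy's post (with a 64-byte stand-in file, not a real executable), an At2.job naming a file that is absent, and a demo_locate helper that maps the Windows path inside a job onto that fake tree (on the infected machine itself the mapping is the identity). The SHA-256 it records is what you would keep alongside the multi-engine report, so a later copy of the same dropper can be recognised by hash.

```python
"""Inspect At*.job scheduled tasks for the executable they launch (added example)."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path
from typing import Callable, Optional

# Legacy Task Scheduler .job files store Application Name, Parameters and
# Working Directory as UTF-16LE strings, so a `strings -el`-style scan shows
# what a job launches without parsing the whole binary layout.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16le_strings(data: bytes) -> list[str]:
    """Printable UTF-16LE runs of six or more characters in a binary blob."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]


def job_targets(tasks_dir: Path) -> dict[str, list[str]]:
    """Map each At*.job in tasks_dir to the .exe paths named in its strings."""
    return {
        job.name: [s for s in utf16le_strings(job.read_bytes()) if s.lower().endswith(".exe")]
        for job in sorted(tasks_dir.glob("At*.job"))
    }


def sha256_of(path: Path) -> Optional[str]:
    """SHA-256 of a file read in chunks, or None if it is not a regular file."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_reinfection_tasks(tasks_dir: Path, locate: Callable[[str], Path]) -> list[dict]:
    """For every executable an At*.job names: is it present, and what is its hash?
    `locate` maps the Windows path string found inside the job to a local Path
    (identity on the infected box; a temp-dir mapping in the demo below)."""
    findings = []
    for job, targets in job_targets(tasks_dir).items():
        for target in targets:
            local = locate(target)
            findings.append({"job": job, "target": target,
                             "present": local.is_file(), "sha256": sha256_of(local)})
    return findings


# ---- constructed demo data (not taken from the machine in the thread) ----
def build_demo() -> Path:
    """Fake C:\\WINDOWS tree: Tasks\\At1.job -> system32\\w2O201yJ.exe (present),
    Tasks\\At2.job -> system32\\notepad.exe (absent in this tree)."""
    root = Path(tempfile.mkdtemp())
    (root / "Tasks").mkdir()
    (root / "system32").mkdir()
    # 64-byte stand-in for the dropped file; NOT a real executable.
    (root / "system32" / "w2O201yJ.exe").write_bytes(b"MZ" + b"\x00" * 62)
    noise = b"\x00\x01\x05\x00" * 8   # stands in for the binary header fields
    (root / "Tasks" / "At1.job").write_bytes(
        noise + "C:\\WINDOWS\\system32\\w2O201yJ.exe".encode("utf-16-le") + b"\x00\x00"
        + "C:\\WINDOWS\\system32".encode("utf-16-le") + b"\x00\x00\xff\x00")
    (root / "Tasks" / "At2.job").write_bytes(
        noise + "C:\\WINDOWS\\system32\\notepad.exe".encode("utf-16-le") + b"\x00\x00")
    return root


def demo_locate(root: Path) -> Callable[[str], Path]:
    """Map 'C:\\WINDOWS\\<rest>' onto the fake tree under root."""
    def locate(winpath: str) -> Path:
        rest = winpath.split("\\", 2)[-1]          # drop 'C:' and 'WINDOWS'
        return root / rest.replace("\\", "/")
    return locate


if __name__ == "__main__":
    demo_root = build_demo()
    for f in check_reinfection_tasks(demo_root / "Tasks", demo_locate(demo_root)):
        state = f["sha256"] if f["present"] else "file not found"
        print(f"{f['job']}: {f['target']} -> {state}")
```

Two caveats when using this for real. A job whose target is "not found" is not automatically harmless: the original post says the Sophos scan could not read parts of the drive, and a rootkit that hides a file from directory listings will hide it from this script too, so a missing target is worth re-checking from offline boot media. And the job files themselves are part of the persistence; listing what they launch is the diagnosis, deleting the jobs (and not only the executable) is the cure.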
Re: Virus has disabled antivirus programs/updates/site access (HT log )
Suzie24 - Can you also post your MBA-M log. It will be located under the log tab.

Thanks,
Cohen
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC