What's Disabling Anti-Virus Software From Running?

**kikojames** · 10-21-2009, 12:25 AM

Hi there,

I found this site when trying to figure out what's going on with my laptop, and I'm glad I did. I'll try to be as detailed as I can about what has been happening but I might not know all the technical wording, thanks for your patience in advance!

The main problem is something I noticed over the past week or two. I started getting annoyed that I couldn't seem to download and install the Windows malicious software removal update released recently (Oct. 13, I think). I didn't really think too much about it until I tried to scan the computer with Avira today. It looked like the scan had completed and had found something it wanted to get rid of, but before I could see what it was, the program quit without taking any action. I tried to restart the scan but the scanner program didn't respond.

I then tried to download/install other antivir programs (one by one, deactivating others before activating another), three in all, and no luck. I'd get an error saying something about not having the right permissions or the file was gone. I did try renaming the exe files and starting them but none of the simple ideas I had got any of the programs to start. Not even trying to run the programs after starting up in safe mode worked, I still got all the same errors.

Not sure if this has any connection but I've noticed the start up/restart time for the laptop has slowed considerably.

I did read the sticky on what to do before posting for help but I wasn't able to run any of the copies of the DDS file. I would double-click and the black box would pop up for half a second and then shut back down. I was able to run the GEMR program though and it's attached.

Thanks in advance for any help that you might have for me! Of course I'll be subscribing to this thread and should be able to respond fairly quickly - I'm on Pacific time (California), FYI.

**Glaswegian** · 10-23-2009, 03:03 PM

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.

Combofix
Download ComboFix from one of these locations:

Link 1
Link 2

and rename it to pacific.exe before saving it to your desktop.

Double click on the renamed ComboFix.exe & follow the prompts.

When finished it will produce a log at C:\ComboFix.txt for you
Please include the log in your next reply.

**kikojames** · 10-23-2009, 11:57 PM

Hello Iain,

Thanks so much for helping me with this! Sorry for the delay in responding, I just got notification of your reply not long ago...

Before running Combofix, it asked me to disable Norton real time scanner, and another I can't remember the name of, but I didn't think either of these was installed and/or I couldn't find them. In any case, the results will be posted below.

I'll check in on the thread more frequently (and realized I hadn't set reply notification to "instant" - oops. I've corrected that) for the next steps. Thanks again for your help!

James

ComboFix 09-10-22.01 - James 10/23/2009 22:33.1.2 - NTFSx86
Running from: c:\users\James\Desktop\pacific.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Sunbelt VIPRE *disabled* (Updated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1151296623-595955053-1122244240-1006
c:\$recycle.bin\S-1-5-21-1291577776-2453569235-1791947287-500
c:\$recycle.bin\S-1-5-21-1302017585-2087028640-3495130007-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\windows\system32\AutoRun.inf
c:\windows\system32\clrviddc.dll

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-24 05:39 . 2009-10-24 05:42 -------- d-----w- c:\users\James\AppData\Local\temp
2009-10-24 05:39 . 2009-10-24 05:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-21 04:29 . 2009-10-24 05:32 -------- d--h--w- c:\windows\PIF
2009-10-21 03:32 . 2009-10-21 05:43 -------- d-----w- c:\programdata\Lavasoft
2009-10-21 02:37 . 2009-10-21 02:37 117760 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-21 02:37 . 2009-10-21 02:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-21 02:36 . 2009-10-24 05:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-21 02:36 . 2009-10-21 02:36 -------- d-----w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com
2009-10-21 02:22 . 2009-10-21 02:22 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes
2009-10-21 02:22 . 2009-10-21 02:22 -------- d-----w- c:\programdata\Malwarebytes
2009-10-21 01:58 . 2009-10-21 02:01 -------- d-----w- c:\users\James\.housecall6.6
2009-10-21 01:43 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-07 14:59 . 2009-10-07 14:59 -------- d-----w- c:\programdata\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 04:45 . 2008-09-09 17:53 -------- d-----w- c:\programdata\Google Updater
2009-10-23 18:00 . 2007-06-18 02:08 -------- d-----w- c:\users\James\AppData\Roaming\uTorrent
2009-10-20 14:53 . 2007-06-25 02:29 -------- d-----w- c:\program files\Google
2009-10-15 05:49 . 2007-07-14 18:16 -------- d-----w- c:\programdata\Microsoft Help
2009-10-15 05:48 . 2007-07-14 18:01 -------- d-----w- c:\program files\Microsoft Works
2009-10-14 18:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-25 04:45 . 2008-11-12 19:07 -------- d-----w- c:\program files\IObit
2009-09-15 15:01 . 2007-04-02 18:36 -------- d-----w- c:\program files\Java
2009-09-14 09:44 . 2009-10-14 17:32 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-14 17:32 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 15:07 . 2008-08-11 15:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-04 12:24 . 2009-10-14 17:32 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 23:27 . 2009-09-01 23:27 0 ----a-w- c:\windows\system32\SBRC.dat
2009-09-01 20:12 . 2009-09-01 20:12 -------- d-----w- c:\program files\Sunbelt Software
2009-09-01 19:58 . 2009-08-29 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-01 19:58 . 2009-08-29 00:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-31 13:55 . 2009-10-14 17:32 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 13:55 . 2009-10-14 17:32 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 22:08 . 2008-12-26 07:32 -------- d-----w- c:\users\James\AppData\Roaming\LimeWire
2009-08-28 12:39 . 2009-09-03 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-03 00:14 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-14 17:32 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-14 17:32 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-14 17:32 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-23 06:37 . 2009-08-23 06:37 245760 ------w- c:\windows\Setup1.exe
2009-08-23 06:37 . 2009-08-23 06:37 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-10 02:46 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 02:46 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 02:46 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 02:46 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 02:46 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 02:46 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 02:46 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 02:46 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 02:46 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 02:46 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-07 03:19 . 2009-04-29 04:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 14:22 . 2009-10-14 17:32 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:22 . 2009-10-14 17:32 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-03 22:07 . 2009-08-03 22:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 22:07 . 2009-08-03 22:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2007-06-19 23:11 . 2007-06-19 23:14 267776 ----a-w- c:\program files\mp3Trim PRO.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-10-22 36864]
"Google Update"="c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-01-23 321656]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-23 198160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-10-21 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-02-13 22:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\Image Converter 3\ICScsiSV.exe [2007-01-26 75952]
R3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\Image Converter 3\IcVzMonLauncher.exe [2007-01-26 67760]
R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-01-09 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 1089536]
S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-10-09 202928]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-06-01 34064]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-01-03 11032]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-03-15 74240]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-03-15 43904]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2007-03-19 30976]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-04-23 812544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-10-20 16:55]

2009-10-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-19 22:29]

2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1151296623-595955053-1122244240-1005Core.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 04:16]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1151296623-595955053-1122244240-1005UA.job
- c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 04:16]

2009-10-19 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-27 16:22]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\irknb10v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\users\James\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-23 22:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe
c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Power Management\SPMgr.exe
c:\pacific\CF2948.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\users\James\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\pacific\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-24 22:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-24 05:47

Pre-Run: 28,338,319,360 bytes free
Post-Run: 27,969,843,200 bytes free

- - End Of File - - 4BCC8E945B1529DF1C54D52678F139B7

**Glaswegian** · 10-24-2009, 10:44 AM

Hi James

How is your system running now?

It looks like you have more than one AV running – Norton and Sunbelt (plus evidence of Avira). This is not recommended – both programmes will be trying to look at files at the same time and this could cause conflicts, a slow down in your system and even BSODs. I suggest you choose only one and uninstall the other. Remember to reboot after the uninstall.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Online Scan

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

**Note**

To optimise scanning time and produce a more sensible report for review:

Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

Please post back with the Kaspersky Log.

**kikojames** · 10-24-2009, 01:55 PM

Iain,

I think I finally managed to get rid of the Norton and Sunbelt scanners and have the results from the Kaspersky scan posted below. It took more than a few hours but it did find a few infections.

Thanks again and let me know what other information you'll need!
James

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, October 24, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, October 24, 2009 19:02:58
Records in database: 3060976
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 129226
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:05:20

File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir Infected: Backdoor.Win32.Agent.akmn 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\d1ed7d6-1e1071e8 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7bfbd51c-44ba398d Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\59af077c-277adbd1 Infected: Trojan-Downloader.Java.OpenConnection.at 1

Selected area has been scanned.

**Glaswegian** · 10-24-2009, 02:47 PM

Hi James

Kaspersky only found items held in quarantine by combofix. We do need to clear out your Java cache though.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
  Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

Other than that your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Referring to the image below

Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK:

ComboFix /Uninstall

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

General Protection
Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Chrome
Maxthon
Safari

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

Web of Trust
WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

Green to go
Yellow for caution
Red to stop

WOT has an addon available for both Firefox and IE.

ERUNT & NTREGOPT
ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash.
NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system.

Additional Reading
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.
Think Prevention!

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

**kikojames** · 10-24-2009, 02:59 PM

Thanks for checking back in again so quickly Iain.

So what was the diagnosis and how bad or not is it? Was my laptop infected or were there quarantined infected files still able to operate?

Thank you for the suggestions on how to keep things safe/clean but could I ask a favor? Can you please keep an eye on this thread for a bit longer? I am going to run an Avira scan and see if it can complete and run normally. I'll be doing that now and will hopefully be able to post soon if it worked ok. Also, I'll be checking to see if I can finally download the MS malicious software tool.

Crossing my fingers that all is well! Thanks again for all your help!
James

**Glaswegian** · 10-24-2009, 03:19 PM

Hi James

You had a rather nasty rootkit that patches a system file - but our specialised tools took care of it. It tends to block security programmes and access to security related sites.

Avira should now run fine, but you can post back here and I'll keep a look out - probably be tomorrow though.

**kikojames** · 10-24-2009, 04:36 PM

Hello again Iain,

It seems as though my computer is running great now - I was able to update MS security tools and run a successful antivir scan! Thanks SO much for helping me with this problem, obviously I couldn't have solved it without you :D

I'll be looking at the suggestions you gave for keeping my computer safe as well as making a donation to the site because of your efforts. Thank you!

All the best,
James L.

10-23-2009, 03:03 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,621 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: What's Disabling Anti-Virus Software From Running? Hi and welcome to TSF. My name is Iain and I will be helping you clean your system. You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please ensure that you follow the instructions in the order I have them listed. Please do not install or uninstall any programmes, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments. Combofix Download ComboFix from one of these locations: Link 1 Link 2 and rename it to pacific.exe before saving it to your desktop. Double click on the renamed ComboFix.exe & follow the prompts. When finished it will produce a log at C:\ComboFix.txt for you Please include the log in your next reply. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

10-23-2009, 11:57 PM	#3 (permalink)
kikojames I helped the forums. Join Date: Oct 2009 Posts: 5 OS: Vista Home Premium	Re: What's Disabling Anti-Virus Software From Running? Hello Iain, Thanks so much for helping me with this! Sorry for the delay in responding, I just got notification of your reply not long ago... Before running Combofix, it asked me to disable Norton real time scanner, and another I can't remember the name of, but I didn't think either of these was installed and/or I couldn't find them. In any case, the results will be posted below. I'll check in on the thread more frequently (and realized I hadn't set reply notification to "instant" - oops. I've corrected that) for the next steps. Thanks again for your help! James ComboFix 09-10-22.01 - James 10/23/2009 22:33.1.2 - NTFSx86 Running from: c:\users\James\Desktop\pacific.exe AV: Norton Internet Security On-access scanning enabled (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8} AV: Sunbelt VIPRE On-access scanning disabled (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C} FW: Norton Internet Security disabled {7C21A4C9-F61F-4AC4-B722-A6E19C16F220} SP: Norton Internet Security enabled (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A} SP: Spybot - Search and Destroy disabled (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9} SP: Sunbelt VIPRE disabled (Updated) {9817B764-AE4E-4B29-AEE7-725B7A50BD48} SP: SUPERAntiSpyware enabled (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7} SP: Windows Defender enabled (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\$recycle.bin\S-1-5-21-1151296623-595955053-1122244240-1006 c:\$recycle.bin\S-1-5-21-1291577776-2453569235-1791947287-500 c:\$recycle.bin\S-1-5-21-1302017585-2087028640-3495130007-500 c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500 c:\windows\system32\AutoRun.inf c:\windows\system32\clrviddc.dll Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED} -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE} ((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 ))))))))))))))))))))))))))))))) . 2009-10-24 05:39 . 2009-10-24 05:42 -------- d-----w- c:\users\James\AppData\Local\temp 2009-10-24 05:39 . 2009-10-24 05:39 -------- d-----w- c:\users\Default\AppData\Local\temp 2009-10-21 04:29 . 2009-10-24 05:32 -------- d--h--w- c:\windows\PIF 2009-10-21 03:32 . 2009-10-21 05:43 -------- d-----w- c:\programdata\Lavasoft 2009-10-21 02:37 . 2009-10-21 02:37 117760 ----a-w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-10-21 02:37 . 2009-10-21 02:37 -------- d-----w- c:\programdata\SUPERAntiSpyware.com 2009-10-21 02:36 . 2009-10-24 05:37 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-10-21 02:36 . 2009-10-21 02:36 -------- d-----w- c:\users\James\AppData\Roaming\SUPERAntiSpyware.com 2009-10-21 02:22 . 2009-10-21 02:22 -------- d-----w- c:\users\James\AppData\Roaming\Malwarebytes 2009-10-21 02:22 . 2009-10-21 02:22 -------- d-----w- c:\programdata\Malwarebytes 2009-10-21 01:58 . 2009-10-21 02:01 -------- d-----w- c:\users\James\.housecall6.6 2009-10-21 01:43 . 2009-10-01 17:29 195440 ------w- c:\windows\system32\MpSigStub.exe 2009-10-07 14:59 . 2009-10-07 14:59 -------- d-----w- c:\programdata\Office Genuine Advantage . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-24 04:45 . 2008-09-09 17:53 -------- d-----w- c:\programdata\Google Updater 2009-10-23 18:00 . 2007-06-18 02:08 -------- d-----w- c:\users\James\AppData\Roaming\uTorrent 2009-10-20 14:53 . 2007-06-25 02:29 -------- d-----w- c:\program files\Google 2009-10-15 05:49 . 2007-07-14 18:16 -------- d-----w- c:\programdata\Microsoft Help 2009-10-15 05:48 . 2007-07-14 18:01 -------- d-----w- c:\program files\Microsoft Works 2009-10-14 18:54 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail 2009-09-25 04:45 . 2008-11-12 19:07 -------- d-----w- c:\program files\IObit 2009-09-15 15:01 . 2007-04-02 18:36 -------- d-----w- c:\program files\Java 2009-09-14 09:44 . 2009-10-14 17:32 144896 ----a-w- c:\windows\system32\drivers\srv2.sys 2009-09-10 17:30 . 2009-10-14 17:32 213504 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-10 15:07 . 2008-08-11 15:51 -------- d-----w- c:\program files\Microsoft Silverlight 2009-09-04 12:24 . 2009-10-14 17:32 61440 ----a-w- c:\windows\system32\msasn1.dll 2009-09-01 23:27 . 2009-09-01 23:27 0 ----a-w- c:\windows\system32\SBRC.dat 2009-09-01 20:12 . 2009-09-01 20:12 -------- d-----w- c:\program files\Sunbelt Software 2009-09-01 19:58 . 2009-08-29 00:23 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-09-01 19:58 . 2009-08-29 00:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy 2009-08-31 13:55 . 2009-10-14 17:32 293376 ----a-w- c:\windows\system32\psisdecd.dll 2009-08-31 13:55 . 2009-10-14 17:32 428544 ----a-w- c:\windows\system32\EncDec.dll 2009-08-28 22:08 . 2008-12-26 07:32 -------- d-----w- c:\users\James\AppData\Roaming\LimeWire 2009-08-28 12:39 . 2009-09-03 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll 2009-08-28 10:15 . 2009-09-03 00:14 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-27 13:32 . 2009-10-14 17:32 833024 ----a-w- c:\windows\system32\wininet.dll 2009-08-27 13:29 . 2009-10-14 17:32 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-08-27 10:58 . 2009-10-14 17:32 26624 ----a-w- c:\windows\system32\ieUnatt.exe 2009-08-23 06:37 . 2009-08-23 06:37 245760 ------w- c:\windows\Setup1.exe 2009-08-23 06:37 . 2009-08-23 06:37 73216 ----a-w- c:\windows\ST6UNST.EXE 2009-08-18 06:33 . 2009-08-18 06:33 1193832 ----a-w- c:\windows\system32\FM20.DLL 2009-08-14 17:07 . 2009-09-10 02:46 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys 2009-08-14 16:29 . 2009-09-10 02:46 104960 ----a-w- c:\windows\system32\netiohlp.dll 2009-08-14 16:29 . 2009-09-10 02:46 17920 ----a-w- c:\windows\system32\netevent.dll 2009-08-14 14:16 . 2009-09-10 02:46 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE 2009-08-14 14:16 . 2009-09-10 02:46 17920 ----a-w- c:\windows\system32\ROUTE.EXE 2009-08-14 14:16 . 2009-09-10 02:46 11264 ----a-w- c:\windows\system32\MRINFO.EXE 2009-08-14 14:16 . 2009-09-10 02:46 27136 ----a-w- c:\windows\system32\NETSTAT.EXE 2009-08-14 14:16 . 2009-09-10 02:46 19968 ----a-w- c:\windows\system32\ARP.EXE 2009-08-14 14:16 . 2009-09-10 02:46 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE 2009-08-14 14:16 . 2009-09-10 02:46 10240 ----a-w- c:\windows\system32\finger.exe 2009-08-07 03:19 . 2009-04-29 04:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-05 14:22 . 2009-10-14 17:32 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe 2009-08-05 14:22 . 2009-10-14 17:32 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-03 22:07 . 2009-08-03 22:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll 2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll 2009-08-03 22:07 . 2009-08-03 22:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe 2007-06-19 23:11 . 2007-06-19 23:14 267776 ----a-w- c:\program files\mp3Trim PRO.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920] "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952] "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-10-22 36864] "Google Update"="c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184] "Apoint"="c:\program files\Apoint\Apoint.exe" [2006-11-13 118784] "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-01-23 321656] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-03 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-03 154136] "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-26 137752] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-23 198160] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-08-21 443968] c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520] Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-10-21 196608] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableUIADesktopToggle"= 0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon] 2007-02-13 22:19 98304 ----a-w- c:\windows\System32\VESWinlogon.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "mixer"=wdmaud.drv [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0SsiEfr.exe [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc] "AntiVirusOverride"=dword:00000001 R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [x] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x] R3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\Image Converter 3\ICScsiSV.exe [2007-01-26 75952] R3 IcVzMonLauncher;IcVzMonLauncher;c:\program files\Sony\Image Converter 3\IcVzMonLauncher.exe [2007-01-26 67760] R3 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x] R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472] R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-01-09 397312] R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-01-16 1089536] S1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2008-10-09 202928] S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289] S2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712] S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-06-01 34064] S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-01-03 11032] S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-03-15 74240] S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-03-15 43904] S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\DRIVERS\SonyImgF.sys [2007-03-19 30976] S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-04-23 812544] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc HPService REG_MULTI_SZ HPSLPSVC . Contents of the 'Scheduled Tasks' folder 2009-10-23 c:\windows\Tasks\AWC Startup.job - c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-10-20 16:55] 2009-10-24 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-19 22:29] 2009-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1151296623-595955053-1122244240-1005Core.job - c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 04:16] 2009-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1151296623-595955053-1122244240-1005UA.job - c:\users\James\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 04:16] 2009-10-19 c:\windows\Tasks\SmartDefrag.job - c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-07-27 16:22] . . ------- Supplementary Scan ------- . uDefault_Search_URL = hxxp://www.google.com/ie uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = .local uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab FF - ProfilePath - c:\users\James\AppData\Roaming\Mozilla\Firefox\Profiles\irknb10v.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll FF - plugin: c:\program files\Picasa2\npPicasa2.dll FF - plugin: c:\program files\Picasa2\npPicasa3.dll FF - plugin: c:\users\James\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: browser.cache.memory.capacity - 65536 FF - user.js: browser.chrome.favicons - fales FF - user.js: browser.display.show_image_placeholders - true FF - user.js: browser.turbo.enabled - true FF - user.js: browser.urlbar.autocomplete.enabled - true FF - user.js: browser.urlbar.autofill - true FF - user.js: content.interrupt.parsing - true FF - user.js: content.max.tokenizing.time - 2250000 FF - user.js: content.notify.backoffcount - 5 FF - user.js: content.notify.interval - 750000 FF - user.js: content.notify.ontimer - true FF - user.js: content.switch.threshold - 750000 FF - user.js: network.http.max-connections - 48 FF - user.js: network.http.max-connections-per-server - 16 FF - user.js: network.http.max-persistent-connections-per-proxy - 16 FF - user.js: network.http.max-persistent-connections-per-server - 8 FF - user.js: network.http.pipelining - true FF - user.js: network.http.pipelining.firstrequest - true FF - user.js: network.http.pipelining.maxrequests - 8 FF - user.js: network.http.proxy.pipelining - true FF - user.js: network.http.request.max-start-delay - 0 FF - user.js: nglayout.initialpaint.delay - 0 FF - user.js: plugin.expose_full_path - true FF - user.js: ui.submenuDelay - 0 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-23 22:42 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe c:\program files\Sony\VAIO Update 3\VAIOUpdt.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\program files\Sony\VAIO Event Service\VESMgr.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe c:\windows\system32\DRIVERS\xaudio.exe c:\program files\Sony\VAIO Event Service\VESMgrSub.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe c:\windows\system32\igfxext.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe c:\program files\Sony\VAIO Power Management\SPMgr.exe c:\pacific\CF2948.exe c:\windows\system32\igfxsrvc.exe c:\windows\ehome\ehmsas.exe c:\windows\system32\wbem\unsecapp.exe c:\program files\iPod\bin\iPodService.exe c:\users\James\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\Windows Media Player\wmpnscfg.exe c:\pacific\PEV.cfxxe . ************************************************************************ . Completion time: 2009-10-24 22:48 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-24 05:47 Pre-Run: 28,338,319,360 bytes free Post-Run: 27,969,843,200 bytes free - - End Of File - - 4BCC8E945B1529DF1C54D52678F139B7 Last edited by kikojames; 10-24-2009 at 12:08 AM.

10-24-2009, 10:44 AM	#4 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,621 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: What's Disabling Anti-Virus Software From Running? Hi James How is your system running now? It looks like you have more than one AV running – Norton and Sunbelt (plus evidence of Avira). This is not recommended – both programmes will be trying to look at files at the same time and this could cause conflicts, a slow down in your system and even BSODs. I suggest you choose only one and uninstall the other. Remember to reboot after the uninstall. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below. Online Scan Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. This animation will guide you through the process: Note To optimise scanning time and produce a more sensible report for review: Close any open programs. Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan. Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%. Please post back with the Kaspersky Log. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

10-24-2009, 01:55 PM	#5 (permalink)
kikojames I helped the forums. Join Date: Oct 2009 Posts: 5 OS: Vista Home Premium	Re: What's Disabling Anti-Virus Software From Running? Iain, I think I finally managed to get rid of the Norton and Sunbelt scanners and have the results from the Kaspersky scan posted below. It took more than a few hours but it did find a few infections. Thanks again and let me know what other information you'll need! James -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0: scan report Saturday, October 24, 2009 Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001) Kaspersky Online Scanner version: 7.0.26.13 Last database update: Saturday, October 24, 2009 19:02:58 Records in database: 3060976 -------------------------------------------------------------------------------- Scan settings: scan using the following database: extended Scan archives: yes Scan e-mail databases: yes Scan area - My Computer: C:\ D:\ E:\ Scan statistics: Objects scanned: 129226 Threats found: 2 Infected objects found: 4 Suspicious objects found: 0 Scan duration: 02:05:20 File name / Threat / Threats count C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir Infected: Backdoor.Win32.Agent.akmn 1 C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22\d1ed7d6-1e1071e8 Infected: Trojan-Downloader.Java.OpenConnection.at 1 C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7bfbd51c-44ba398d Infected: Trojan-Downloader.Java.OpenConnection.at 1 C:\Users\James\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\60\59af077c-277adbd1 Infected: Trojan-Downloader.Java.OpenConnection.at 1 Selected area has been scanned.

10-24-2009, 02:47 PM	#6 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,621 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: What's Disabling Anti-Virus Software From Running? Hi James Kaspersky only found items held in quarantine by combofix. We do need to clear out your Java cache though. Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. Other than that your logs are clean. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure. The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Referring to the image below Click Start > Run and copy/paste, or type the following bold text into the Run box and click OK: ComboFix /Uninstall Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: General Protection Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. SnoopFree SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems. MVPS Hosts File The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. Alternate Browsers Try the following free alternate browsers rather than Internet Explorer Firefox Opera Chrome Maxthon Safari Other Protection Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. Web of Trust WOT warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites: Green to go Yellow for caution Red to stop WOT has an addon available for both Firefox and IE. ERUNT & NTREGOPT ERUNT is a programme that will create automatic backups of your Registry. These backups can be used to help restore your system in the event of a serious crash. NTREGOPT will compact and optimise your Registry, to assist the smooth running of your system. Additional Reading In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles PC Safety & Security - What Do I Need?. Making Internet Explorer Safer. Think Prevention! Have a look here if your PC is still running a bit slow Is your PC running slow...? Keep clean and safe and enjoy your computing! Please respond to this thread one more time so we can mark this thread as resolved. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

10-24-2009, 02:59 PM	#7 (permalink)
kikojames I helped the forums. Join Date: Oct 2009 Posts: 5 OS: Vista Home Premium	Re: What's Disabling Anti-Virus Software From Running? Thanks for checking back in again so quickly Iain. So what was the diagnosis and how bad or not is it? Was my laptop infected or were there quarantined infected files still able to operate? Thank you for the suggestions on how to keep things safe/clean but could I ask a favor? Can you please keep an eye on this thread for a bit longer? I am going to run an Avira scan and see if it can complete and run normally. I'll be doing that now and will hopefully be able to post soon if it worked ok. Also, I'll be checking to see if I can finally download the MS malicious software tool. Crossing my fingers that all is well! Thanks again for all your help! James

10-24-2009, 03:19 PM	#8 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,621 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: What's Disabling Anti-Virus Software From Running? Hi James You had a rather nasty rootkit that patches a system file - but our specialised tools took care of it. It tends to block security programmes and access to security related sites. Avira should now run fine, but you can post back here and I'll keep a look out - probably be tomorrow though. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner

10-24-2009, 04:36 PM	#9 (permalink)
kikojames I helped the forums. Join Date: Oct 2009 Posts: 5 OS: Vista Home Premium	Re: What's Disabling Anti-Virus Software From Running? Hello again Iain, It seems as though my computer is running great now - I was able to update MS security tools and run a successful antivir scan! Thanks SO much for helping me with this problem, obviously I couldn't have solved it without you :D I'll be looking at the suggestions you gave for keeping my computer safe as well as making a donation to the site because of your efforts. Thank you! All the best, James L.