Topic: Antimalware Doctor has infected my PC!!

Offline mickapoo
« on: May 06, 2010, 02:48:51 AM »
I was on a Photoshop tutorial website and as soon as I left the site I immediately started getting pop-ups. Something called "Antimalware Doctor" was installed and was listed in my Programs menu. I tried uninstalling it through the control panel, but whenever I clicked "remove" it only started the program up! It would not remove it! Then I googled "Antimalware Doctor" and found a site with some directions on how to remove it. It recommended I remove a few registry keys, which I did, and then it had me do a search for certain txt or exe files relating to it. Anyway, it's still there! I ran AVG, and it detected 12 problems, which I then removed. I also ran Spybot S&D. This virus has changed my display settings (it kind of looks like it's in safe mode) and has also now prevented me from getting online. I am having to use a different computer right now. When I tried to repair my network (which is usually what I do when I get thrown offline), it tells me there is a problem with the DNS.

I ran HijackThis initially, but when I went to this site to post it, that's when my internet connection went down. So I have no way of posting the log, and right now I'm posting this from another computer. Any help you can provide is greatly appreciated! Thank you in advance!

Offline mickapoo
« Reply #1 on: May 06, 2010, 01:47:13 PM »
I just wanted to follow up and post that I was able to get this fixed. After trying many things, I finally got on the phone with Microsoft who had me scan my system with VIPRE and it removed the issue.

Offline guestolo (Administrator)
« Reply #2 on: May 07, 2010, 09:20:00 PM »
VIPRE may not have removed everything. I'm sorry for the delay; do you want to double check and make sure that everything is gone?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline mickapoo
« Reply #3 on: May 08, 2010, 08:47:55 AM »
You are absolutely right! While most of the obvious problems seemed to be solved, a few things are still happening:

1. Programs (Outlook, Firefox, Photoshop) freezing up and/or crashing
2. Slow PC performance
3. Even though I am using Firefox, IE tries to spontaneously open with multiple blank pop-up windows that say there's a JavaScript error

I have run AVG, VIPRE, and Spybot S&D, all came up clean.

Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:34 AM, on 5/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\DOCUME~1\Evelyn\LOCALS~1\Temp\Phf.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Adobe\Photoshop 5.5\Photoshp.exe
C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Pzepea.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\Evelyn\LOCALS~1\Temp\Phf.exe
O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839\gotnewupdate000.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk2/downloads/sysinfo.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://mickapoo.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqnbk2/downloads/msxml4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} (SiteBuilderEditor Class) - http://store02.prostores.com/storeadmin/utilities/pssbedit.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B84D49E5-1410-4485-9B85-9FEAC6649F88}: NameServer = 93.188.163.174,93.188.166.177
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.174,93.188.166.177
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.174,93.188.166.177
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.174,93.188.166.177
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9719 bytes


Thanks so much for your help and your expertise!
« Last Edit: May 08, 2010, 10:08:39 AM by guestolo »
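A small triage script, added here as an illustration and not part of HijackThis, OTL or this thread, that scans HijackThis-style log lines for the three indicators visible in the log above: the Run entry launching Phf.exe from a Temp folder, the IE proxy on 127.0.0.1:5555, and O17 NameServer entries that differ from the DHCP-assigned servers. The sample lines are constructed from the logs posted in this thread (the DhcpNameServer line is the one OTL reports); the function and category names are my own.

```python
"""Triage helper for HijackThis v2 logs (added example, not a HijackThis/OTL feature).
Flags: autostarts launching from a Temp folder, an IE proxy on the loopback address,
and static O17 NameServer entries that the DHCP lease did not hand out."""
import re
from ipaddress import ip_address

# Constructed sample: HijackThis-style lines taken from the logs posted above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:5555
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O4 - HKLM\\..\\Run: [SoundMAX] "C:\\Program Files\\Analog Devices\\SoundMAX\\smax4.exe" /tray
O4 - HKCU\\..\\Run: [M5T8QL3YW3] C:\\DOCUME~1\\Evelyn\\LOCALS~1\\Temp\\Phf.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.163.174,93.188.166.177
"""

LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
DNS_RE = re.compile(r"(DhcpNameServer|NameServer) = (.+)$")


def parse(log_text):
    """Yield (section, body) for each HijackThis entry line, e.g. ('O4', 'HKCU\\..\\Run: ...')."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def run_target(body):
    """Extract the launched path from an O4 Run entry body (quoted paths and trailing arguments handled)."""
    _, _, rest = body.partition("] ")
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" /", 1)[0]


def proxy_hosts(value):
    """Split a ProxyServer value ('http=127.0.0.1:5555;https=...' or 'host:port') into host names."""
    hosts = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        if "=" in entry:
            entry = entry.split("=", 1)[1]
        hosts.append(entry.rsplit(":", 1)[0] if ":" in entry else entry)
    return hosts


def is_loopback(host):
    """True for 'localhost' or any loopback IP address."""
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (category, detail) findings for the log."""
    findings = []
    dhcp_servers, static_servers = set(), []
    for section, body in parse(log_text):
        if section == "O4" and "Run: [" in body:
            path = run_target(body)
            # Legitimate autostarts live under Program Files or the Windows directory;
            # an autostart launching from a Temp folder is worth checking by hand.
            if "\\temp\\" in path.lower():
                findings.append(("run-from-temp", path))
        elif section == "R1" and "ProxyServer = " in body:
            value = body.split("ProxyServer = ", 1)[1]
            # A proxy on 127.0.0.1 routes every IE request through a local process;
            # once that process is removed, browsing silently breaks.
            if any(is_loopback(h) for h in proxy_hosts(value)):
                findings.append(("loopback-proxy", value))
        elif section == "O17":
            m = DNS_RE.search(body)
            if m:
                servers = [s for s in re.split(r"[,\s]+", m.group(2)) if s]
                if m.group(1) == "DhcpNameServer":
                    dhcp_servers.update(servers)
                else:
                    static_servers.extend(servers)
    # A static NameServer that the DHCP lease did not hand out is the DNS redirection
    # seen in the log above; each distinct server is reported once, in order.
    for server in dict.fromkeys(static_servers):
        if server not in dhcp_servers:
            findings.append(("dns-override", server))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

Without a DhcpNameServer line (the plain HijackThis log has none), every static NameServer is reported, so compare the values against what the ISP or router actually hands out.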

Offline guestolo (Administrator)
« Reply #4 on: May 08, 2010, 08:51:37 AM »
Let's do the following, please.
Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click on OTL.exe to run it
  • Under the Custom Scan box paste in the following:
netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

NOTE: If you have trouble, or get an error message, trying to post the logs, you can upload them in a reply box:
In a Reply, select "Browse..." on the bottom right, then navigate to the file and select it.
Then click "Upload".


Offline mickapoo
« Reply #5 on: May 08, 2010, 09:33:39 AM »
Here is the OTL.txt log:
OTL logfile created on: 5/8/2010 10:08:16 AM - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = C:\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,014.00 Mb Total Physical Memory | 508.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 48.93 Gb Free Space | 52.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: EV
Current User Name: Evelyn
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Processes (SafeList) ==========
 
PRC - [2010/05/08 10:06:31 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTL.exe
PRC - [2010/05/05 13:54:37 | 000,162,304 | ---- | M] () -- C:\Documents and Settings\Evelyn\Local Settings\Temp\Phf.exe
PRC - [2010/05/05 13:54:24 | 000,164,352 | ---- | M] () -- C:\WINDOWS\Pzepea.exe
PRC - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/08/20 09:33:42 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/08/20 09:33:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe
PRC - [2009/01/08 07:36:42 | 002,521,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
PRC - [2009/01/07 16:08:27 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/10/03 22:39:54 | 000,554,264 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2008/04/02 15:36:10 | 001,678,536 | ---- | M] (Orbitdownloader.com) -- C:\Program Files\Orbitdownloader\orbitdm.exe
PRC - [2008/03/18 15:34:14 | 000,356,352 | ---- | M] (Orbitdownloader.com) -- C:\Program Files\Orbitdownloader\orbitnet.exe
PRC - [2008/01/28 11:43:40 | 002,097,488 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2004/10/14 09:11:10 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
 
 
========== Modules (SafeList) ==========
 
MOD - [2010/05/08 10:06:31 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Downloads\OTL.exe
MOD - [2007/10/19 13:19:10 | 000,109,080 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/04 08:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
 
 
========== Win32 Services (SafeList) ==========
 
SRV - [2010/05/08 05:27:27 | 002,478,640 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3697.dll -- (Akamai)
SRV - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/08/20 09:33:25 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2009/01/15 14:09:16 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/10/03 22:39:54 | 000,554,264 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/19 13:21:16 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/10/19 13:19:22 | 000,141,848 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/10/19 13:17:28 | 000,186,904 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/01/06 17:41:22 | 000,462,848 | ---- | M] (Lexmark International, Inc.) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxbucoms.exe -- (lxbu_device)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
 
 
========== Driver Services (SafeList) ==========
 
DRV - [2009/08/20 09:33:42 | 000,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2009/08/20 09:33:41 | 000,335,240 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2009/08/05 15:58:40 | 000,093,872 | ---- | M] (Sunbelt Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/04/04 14:42:32 | 000,971,168 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm140.sys -- (tdrpman140) Acronis Try&Decide and Restore Points filter (build 140)
DRV - [2009/04/04 14:42:24 | 000,540,000 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/04/04 14:42:24 | 000,044,704 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2009/04/04 14:42:14 | 000,134,272 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snman380.sys -- (snapman380) Acronis Snapshots Manager (Build 380)
DRV - [2008/11/04 11:37:28 | 000,043,552 | ---- | M] (RapidSolution Software AG) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tbhsd.sys -- (tbhsd)
DRV - [2007/10/19 13:16:30 | 002,109,976 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/10/11 22:00:42 | 000,041,752 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/10/11 21:55:58 | 001,279,000 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LV302V32.SYS -- (PID_PEPI) Logitech QuickCam IM(PID_PEPI)
DRV - [2007/10/11 21:55:58 | 000,013,848 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lv302af.sys -- (pepifilter)
DRV - [2007/10/11 18:59:24 | 000,025,624 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/10/11 18:59:02 | 002,142,488 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/07/26 00:44:28 | 002,210,048 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2007/03/22 12:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 12:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2005/03/01 12:01:40 | 000,392,704 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/09/14 12:55:44 | 000,088,960 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 18:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..network.proxy.autoconfig_url: "file:///C:/Documents%20and%20Settings/Evelyn/My%20Documents/My%20Music/Temp/Tunebite/.downloading/profile/rrproxy_ffox_494413fd.pac"
 
FF - HKLM\software\mozilla\Firefox\Extensions\\{B728AB94-9BC7-49b7-B76A-422BB31B2FD0}: C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox [2009/11/30 21:56:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Firefox\components [2010/05/06 14:01:58 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Firefox\plugins [2010/04/01 19:08:38 | 000,000,000 | ---D | M]
 
[2009/01/07 13:04:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Evelyn\Application Data\Mozilla\Extensions
[2010/05/08 07:47:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\vu97i6ae.default\extensions
[2009/08/07 20:20:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\vu97i6ae.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/01/29 22:54:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 13:07:12 | 000,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
 
O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Octh Class) - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll (Orbitdownloader.com)
O2 - BHO: (IEPlugin Class) - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\ArcURLRecord.dll (ArcSoft, Inc.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [LXBUCATS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.DLL ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [EasyLinkAdvisor] C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe (Linksys, a Division of Cisco Systems, Inc.)
O4 - HKCU..\Run: [M5T8QL3YW3] C:\Documents and Settings\Evelyn\Local Settings\Temp\Phf.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk = C:\Documents and Settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839\gotnewupdate000.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoMovingBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCloseDragDropBands = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarsOnTaskbar = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClassicShell = 0
O8 - Extra context menu item: &Download by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: &Grab video by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Do&wnload selected by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O8 - Extra context menu item: Down&load all by Orbit - C:\Program Files\Orbitdownloader\orbitmxt.dll (Orbitdownloader.com)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} http://ipgweb.cce.hp.com/rdqnbk2/downloads/sysinfo.cab (SysData Class)
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab (DeviceEnum Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} http://mickapoo.spaces.live.com/PhotoUpload/MsnPUpld.cab (Windows Live Photo Upload Control)
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} http://ipgweb.cce.hp.com/rdqnbk2/downloads/msxml4.cab (XML DOM Document 4.0)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} http://store02.prostores.com/storeadmin/utilities/pssbedit.cab (SiteBuilderEditor Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.174,93.188.166.177
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Evelyn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Evelyn\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/25 01:01:16 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{c7fedec2-024a-11dd-bcdc-000ae4d008ea}\Shell - "" = AutoRun
O33 - MountPoints2\{c7fedec2-024a-11dd-bcdc-000ae4d008ea}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{c7fedec2-024a-11dd-bcdc-000ae4d008ea}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
 
NetSvcs: 6to4 -  File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/03/25 01:00:44 | 000,000,000 | ---D | M]
NetSvcs: Iprip -  File not found
NetSvcs: Irmon -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
 
MsConfig - StartUpFolder: C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe - (Apache Software Foundation)
MsConfig - StartUpReg: Acronis Scheduler2 Service - hkey= - key= - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
MsConfig - StartUpReg: AcronisTimounterMonitor - hkey= - key= - C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
MsConfig - StartUpReg: Adobe Reader Speed Launcher - hkey= - key= - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe File not found
MsConfig - StartUpReg: AdobeCS4ServiceManager - hkey= - key= - C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
MsConfig - StartUpReg: ArcSoft Connection Service - hkey= - key= - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
MsConfig - StartUpReg: AVG7_CC - hkey= - key= - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe File not found
MsConfig - StartUpReg: ctfmon.exe - hkey= - key= -  File not found
MsConfig - StartUpReg: EzPrint - hkey= - key= - C:\Program Files\Lexmark 6200 Series\ezprint.exe ()
MsConfig - StartUpReg: googletalk - hkey= - key= - C:\Program Files\Google\Google Talk\googletalk.exe File not found
MsConfig - StartUpReg: IgfxTray - hkey= - key= -  File not found
MsConfig - StartUpReg: IMJPMIG8.1 - hkey= - key= - C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
MsConfig - StartUpReg: iTunesHelper - hkey= - key= - C:\Program Files\iTunes\iTunesHelper.exe File not found
MsConfig - StartUpReg: LogitechCommunicationsManager - hkey= - key= - C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()
MsConfig - StartUpReg: LogitechQuickCamRibbon - hkey= - key= - C:\Program Files\Logitech\QuickCam\Quickcam.exe ()
MsConfig - StartUpReg: lxbumon.exe - hkey= - key= - C:\Program Files\Lexmark 6200 Series\lxbumon.exe (Lexmark International, Inc.)
MsConfig - StartUpReg: lxdnmon.exe - hkey= - key= - C:\Program Files\Lexmark 2600 Series\lxdnmon.exe File not found
MsConfig - StartUpReg: MsnMsgr - hkey= - key= - C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
MsConfig - StartUpReg: PHIME2002A - hkey= - key= -  File not found
MsConfig - StartUpReg: PHIME2002ASync - hkey= - key= -  File not found
MsConfig - StartUpReg: QuickTime Task - hkey= - key= - C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe (Sun Microsystems, Inc.)
MsConfig - StartUpReg: TrueImageMonitor.exe - hkey= - key= - C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 2
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16057684423868416)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2010/05/06 15:25:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/05/06 11:57:31 | 000,093,872 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/05/06 11:57:31 | 000,027,944 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\sbbd.exe
[2010/05/06 11:56:58 | 000,000,000 | ---D | C] -- C:\VIPRERESCUE
[2010/05/06 11:55:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/05/05 20:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/05/05 17:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2010/05/05 14:59:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/05 14:59:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 13:57:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Evelyn\Application Data\Smart-Ads-Solutions
[2010/05/05 13:57:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Evelyn\Application Data\ezLife
[2010/05/05 13:56:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Evelyn\Local Settings\Application Data\ytnwxmlrn
[2010/05/05 13:56:24 | 000,000,000 | ---D | C] -- C:\spoolerlogs
[2010/05/05 13:55:47 | 000,000,000 | ---D | C] -- C:\Program Files\ezLife
[2010/05/05 13:55:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839
[2010/04/15 11:19:08 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Evelyn\Recent
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2010/05/08 10:11:00 | 000,000,286 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/05/08 09:49:00 | 000,000,248 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/05/08 09:33:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/08 08:33:08 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/08 08:29:45 | 059,724,220 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/05/07 05:57:53 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/06 14:39:49 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/06 14:39:49 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/06 14:39:49 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/06 14:32:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/06 14:32:24 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\tasks\BUHB.job
[2010/05/06 14:32:10 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/06 11:36:33 | 000,072,352 | ---- | M] () -- C:\Documents and Settings\Evelyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/06 11:23:13 | 002,158,808 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/06 11:21:42 | 008,912,896 | -H-- | M] () -- C:\Documents and Settings\Evelyn\NTUSER.DAT
[2010/05/06 11:21:42 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Evelyn\ntuser.ini
[2010/05/05 13:56:38 | 000,001,186 | ---- | M] () -- C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk
[2010/05/05 13:56:38 | 000,001,174 | ---- | M] () -- C:\Documents and Settings\Evelyn\Desktop\Antimalware Doctor.lnk
[2010/05/05 13:56:02 | 000,050,990 | ---- | M] () -- C:\WINDOWS\System32\fmujojkeivfh.exe
[2010/05/05 13:55:18 | 000,045,568 | RHS- | M] () -- C:\WINDOWS\System32\hpzcon12D.dll
[2010/05/05 13:54:24 | 000,164,352 | ---- | M] () -- C:\WINDOWS\Pzepea.exe
[2010/04/23 08:17:30 | 000,385,536 | ---- | M] () -- C:\WINDOWS\System32\txixruglclwpnfdsk.dll
[2010/04/14 17:39:37 | 000,001,915 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2010/05/05 14:46:10 | 000,000,248 | -H-- | C] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
[2010/05/05 14:31:33 | 000,000,286 | -H-- | C] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/05/05 13:56:38 | 000,001,186 | ---- | C] () -- C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk
[2010/05/05 13:56:38 | 000,001,174 | ---- | C] () -- C:\Documents and Settings\Evelyn\Desktop\Antimalware Doctor.lnk
[2010/05/05 13:55:59 | 000,050,990 | ---- | C] () -- C:\WINDOWS\System32\fmujojkeivfh.exe
[2010/05/05 13:55:22 | 000,164,352 | ---- | C] () -- C:\WINDOWS\Pzepea.exe
[2010/05/05 13:55:22 | 000,000,312 | -HS- | C] () -- C:\WINDOWS\tasks\BUHB.job
[2010/05/05 13:55:18 | 000,045,568 | RHS- | C] () -- C:\WINDOWS\System32\hpzcon12D.dll
[2010/04/23 08:17:30 | 000,385,536 | ---- | C] () -- C:\WINDOWS\System32\txixruglclwpnfdsk.dll
[2010/04/14 17:39:37 | 000,001,915 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Earth.lnk
[2009/06/18 20:43:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\IsUser11b.dll
[2009/03/04 18:31:38 | 000,508,200 | ---- | C] () -- C:\WINDOWS\System32\ICCProfiles.dll
[2009/02/27 15:27:23 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2009/01/17 10:50:13 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\FoxImager.dll
[2008/06/18 15:59:56 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/10 10:09:52 | 000,000,044 | ---- | C] () -- C:\WINDOWS\SMWizard.INI
[2008/06/06 11:41:26 | 000,000,050 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/27 16:05:15 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/04/28 12:13:33 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2008/04/26 09:07:13 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxbuvs.dll
[2008/04/04 09:28:10 | 000,059,500 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2008/03/27 19:53:00 | 000,000,173 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2008/03/27 19:52:36 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2008/03/27 14:54:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/11 18:59:24 | 000,025,624 | ---- | C] () -- C:\WINDOWS\System32\drivers\LVPr2Mon.sys
[2003/01/07 19:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
 
< MD5 for: AGP440.SYS  >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
 
< MD5 for: ATAPI.SYS  >
[2004/08/04 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/04 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
 
< MD5 for: EVENTLOG.DLL  >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 08:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
 
< MD5 for: NETLOGON.DLL  >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 14:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll
 
< MD5 for: SCECLI.DLL  >
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 08:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll
 
< %systemroot%\*. /mp /s >
 
< %systemroot%\system32\*.dll /lockedfiles >
[2010/05/05 13:55:18 | 000,045,568 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\hpzcon12D.dll
[2010/02/25 02:24:35 | 000,184,320 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\iepeers.dll
[2010/04/23 08:17:30 | 000,385,536 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\txixruglclwpnfdsk.dll
[6 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]
 
< %systemroot%\Tasks\*.job /lockedfiles >
[2010/05/06 14:32:24 | 000,000,312 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\BUHB.job
 
< %systemroot%\system32\drivers\*.sys /lockedfiles >
 
< %systemroot%\System32\config\*.sav >
[2008/03/24 16:11:36 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/03/24 16:11:36 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/03/24 16:11:35 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


Second log to follow in a separate post...
« Last Edit: May 08, 2010, 09:52:50 AM by guestolo »

Offline mickapoo

  • Full Member
  • Posts: 150
  • Karma: +0/-0
Antimalware Doctor has infected my PC!!
« Reply #6 on: May 08, 2010, 09:38:27 AM »
I keep getting an error when trying to post the Extras.txt log, even when I tried to break it down into 2 posts, so I've attached it.

Thanks again for your help!

[attachment=5176:Extras.Txt]

OTL Extras logfile created on: 5/8/2010 10:08:16 AM - Run 1
OTL by OldTimer - Version 3.2.4.1     Folder = C:\Downloads
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,014.00 Mb Total Physical Memory | 508.00 Mb Available Physical Memory | 50.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 93.15 Gb Total Space | 48.93 Gb Free Space | 52.53% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: EV
Current User Name: Evelyn
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Firefox\firefox.exe (Mozilla Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" File not found
https [open] -- C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1" File not found
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"80:TCP" = 80:TCP:*:Enabled:apache
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"1264:TCP" = 1264:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface
 
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Orbitdownloader\orbitdm.exe" = C:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Orbitdownloader\orbitnet.exe" = C:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit -- (Orbitdownloader.com)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\Program Files\TeamViewer\Version4\TeamViewer.exe" = C:\Program Files\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{08C0729E-3E50-11DF-9D81-005056806466}" = Google Earth
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0B33B738-AD79-4E32-90C5-E67BFB10BBFF}" = AiO_Scan
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}" = HP Driver Diagnostics
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18DF995F-2ACC-47E4-A33B-A703F4D39E92}" = CuteFTP 5.0 XP
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java(TM) 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{37C8899D-FD70-481F-94AA-1F1B08765E22}" = Acronis True Image Home
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{49FB31C1-26EC-44c6-AB47-73C66E2BC41E}" = HP PSC & OfficeJet 5.3.B
"{4FC19392-E4A5-4CCB-B45A-AB7E8126D3C9}" = Microsoft Easy Assist
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.8
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}" = Apache HTTP Server 2.2.14
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8EBE1DB0-8687-43A7-8781-6445E62CAFA5}" = Nitro PDF Professional
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91CA0409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Small Business Edition 2003
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{945AC98B-3DC8-45BE-BAE0-22CEEE37A103}" = Logitech QuickCam
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A1960A82-DB70-474D-A86B-FA74466103C6}" = Drivers Install For Linksys Easylink Advisor
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}" = PixiePack Codec Pack
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B6EC7388-E277-4A5B-8C8F-71067A41BA64}" = TextPad 5
"{B78823CD-488F-43B4-80D6-FAEADAE40EC4}" = Instant Wireless USB Adapter
"{BAFDD9A5-0E66-41B9-B163-1F217CFA7919}" = VolusionLiveChat
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C506A18C-1469-4678-B094-F4EC9DAE6DB7}" = Scan
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CC8E0363-B20C-4792-8A1C-8DF5E01B68A6}" = GoGear VIBE Device Manager
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E623BB3F-F7ED-4148-BEB5-A0D1DB28B4DE}" = Media Converter for Philips
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EEAA3E5E-1296-45AD-A59E-5D63F604867D}" = Radmin Viewer 3.3
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 5.5" = Adobe Photoshop 5.5
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Akamai" = Akamai NetSession Interface
"Ashampoo Burning Studio 6 FREE_is1" = Ashampoo Burning Studio 6 FREE
"AVG8Uninstall" = AVG 8.5
"AVS Update Manager_is1" = AVS Update Manager 1.0
"AVS4YOU Software Navigator_is1" = AVS4YOU Software Navigator 1.3
"AVS4YOU Video Converter 6_is1" = AVS Video Converter 6
"BitZipper_is1" = BitZipper 5.0.4
"CCleaner" = CCleaner (remove only)
"Core FTP LE 2.1" = Core FTP LE 2.1
"EasyLinkAdvisor" = Linksys EasyLink Advisor 1.6 (0032)
"ezLife" = ezLife browser enhancer
"fmujojkeivfh" = Performance Solution Hotrevenue
"Free Video to Flash Converter_is1" = Free Video to Flash Converter version 4.1
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Lexmark 6200 Series" = Lexmark 6200 Series
"lvdrivers_11.50" = Logitech QuickCam Driver Package
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Orbit_is1" = Orbit Downloader
"PrimoPDF4.0.2.5" = PrimoPDF
"RealPlayer 6.0" = RealPlayer
"Rhapsody" = Rhapsody
"Smart-Ads-Solutions" = SmartAds browser enhancer
"TeamViewer 4" = TeamViewer 4
"Uninstall_is1" = Uninstall 1.0.0.1
"ViewpointMediaPlayer" = Viewpoint Media Player
"VLC media player" = VideoLAN VLC media player 0.8.6f
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Messenger" = Yahoo! Messenger
 
========== HKEY_CURRENT_USER Uninstall List ==========
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Antimalware Doctor" = Antimalware Doctor
"Facebook Plug-In" = Facebook Plug-In
 
========== Last 10 Event Log Errors ==========
 
[ Application Events ]
Error - 5/6/2010 2:02:26 PM | Computer Name = EV | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: The connection with the server was terminated abnormally  
 
Error - 5/6/2010 2:02:26 PM | Computer Name = EV | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
 from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
 with error: This network connection does not exist.  
 
Error - 5/7/2010 1:51:12 PM | Computer Name = EV | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 5/7/2010 3:14:52 PM | Computer Name = EV | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 5/7/2010 6:29:24 PM | Computer Name = EV | Source = Application Hang | ID = 1002
Description = Hanging application OUTLOOK.EXE, version 11.0.8312.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.
 
[ System Events ]
Error - 5/6/2010 2:31:16 PM | Computer Name = EV | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
 with arguments ""  in order to run the server:  {1BE1F766-5536-11D1-B726-00C04FB926AF}
 
Error - 5/6/2010 2:32:38 PM | Computer Name = EV | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.
 
Error - 5/6/2010 2:32:38 PM | Computer Name = EV | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
 a page  file on the boot partition and that is large enough to contain all physical
memory.
 
Error - 5/6/2010 2:35:16 PM | Computer Name = EV | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Apple Mobile Device service
 to connect.
 
Error - 5/6/2010 2:35:16 PM | Computer Name = EV | Source = Service Control Manager | ID = 7000
Description = The Apple Mobile Device service failed to start due to the following
 error:   %%1053
 
Error - 5/6/2010 2:35:16 PM | Computer Name = EV | Source = Service Control Manager | ID = 7000
Description = The MCSTRM service failed to start due to the following error:   %%2
 
Error - 5/6/2010 2:37:55 PM | Computer Name = EV | Source = Service Control Manager | ID = 7022
Description = The Apache2.2 service hung on starting.
 
Error - 5/6/2010 2:37:55 PM | Computer Name = EV | Source = Service Control Manager | ID = 7034
Description = The Apache2.2 service terminated unexpectedly.  It has done this 1
 time(s).
 
Error - 5/6/2010 6:48:49 PM | Computer Name = EV | Source = DCOM | ID = 10010
Description = The server {D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E} did not register
 with DCOM within the required timeout.
 
Error - 5/7/2010 7:40:49 PM | Computer Name = EV | Source = DCOM | ID = 10010
Description = The server {D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E} did not register
 with DCOM within the required timeout.
 
 
< End of report >
« Last Edit: May 08, 2010, 10:00:44 AM by guestolo »

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #7 on: May 08, 2010, 10:23:10 AM »
Can you do the following please
Print these instructions, or copy/paste these instructions to a text file on desktop

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot

Afterwards, access your Add and Remove Programs and remove All, or any of the following you possibly can remove
ezLife browser enhancer
Performance Solution Hotrevenue
SmartAds browser enhancer
Viewpoint Media Player


Reboot the computer after removing All, or any of the above
Back in Windows

Double click on OTL.exe and Run it
  • Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
    Quote
    :OTL
    PRC - [2010/05/05 13:54:37 | 000,162,304 | ---- | M] () -- C:\Documents and Settings\Evelyn\Local Settings\Temp\Phf.exe
    PRC - [2010/05/05 13:54:24 | 000,164,352 | ---- | M] () -- C:\WINDOWS\Pzepea.exe
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
    O4 - HKCU..\Run: [M5T8QL3YW3] C:\Documents and Settings\Evelyn\Local Settings\Temp\Phf.exe ()
    O4 - Startup: C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk = C:\Documents and Settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839\gotnewupdate000.exe File not found
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.174,93.188.166.177
    [2010/05/08 10:11:00 | 000,000,286 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
    [2010/05/08 09:49:00 | 000,000,248 | -H-- | M] () -- C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
    [2010/05/06 14:32:24 | 000,000,312 | -HS- | M] () -- C:\WINDOWS\tasks\BUHB.job
    :Reg
    :Files
    C:\Program Files\ezLife
    C:\WINDOWS\Pzepea.exe
    C:\Documents and Settings\Evelyn\Desktop\Antimalware Doctor.lnk
    C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    C:\WINDOWS\System32\fmujojkeivfh.exe
    C:\WINDOWS\System32\hpzcon12D.dll
    C:\WINDOWS\Pzepea.exe
    C:\WINDOWS\System32\txixruglclwpnfdsk.dll
    :Commands
    [EmptyTemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

On startup, Allow OTL to run if prompted
A log should open, can you post it please
A copy of this log can also be found in
C:\_OTL\Moved Files folder

NOTE: If you have troubles with either IE or Firefox connecting to the Internet after doing the above
In IE, Click on TOOLS>>Internet Options>>Connections tab>>LAN Settings>>
Untick "Use Proxy Server..."
Ok it
In Firefox: Click on TOOLS>>OPTIONS>>ADVANCED>>NETWORK>>Settings
Tick NO PROXY and OK it

In addition:
download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
        * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
« Last Edit: May 08, 2010, 10:26:16 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
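The OTL fix script in the reply above targets three hijack patterns at once: a browser proxy pointed at loopback (a local process sitting between the browser and the network), TCP/IP NameServer values replaced with resolvers outside the LAN (the "problem with the DNS" the original poster saw), and a Run entry that launches an executable with no version information from the user's Temp folder. The helper below is an added example for this thread, not OTL's, ComboFix's or the forum's own code; it reads OTL-style lines and flags those three patterns so a helper can triage a log before writing a fix. The sample lines are constructed in OTL's format from the values quoted in the fix script; the function names, the regular expressions, the `trusted_dns` parameter and the all-zero interface GUID in the benign sample line are this example's own choices.

```python
import re
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample lines in OTL's format. The proxy, Run and NameServer
# values mirror the entries quoted in the fix script above; the IgfxTray and
# DhcpNameServer lines are benign entries made up for contrast, and the
# interface GUID is a placeholder rather than one taken from the log.
SAMPLE_OTL_LINES = [
    'IE - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings: "ProxyServer" = http=127.0.0.1:5555',
    'O4 - HKCU..\\Run: [M5T8QL3YW3] C:\\Documents and Settings\\Evelyn\\Local Settings\\Temp\\Phf.exe ()',
    'O4 - HKLM..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe (Intel Corporation)',
    'O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 93.188.163.174,93.188.166.177',
    'O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters\\Interfaces\\{00000000-0000-0000-0000-000000000000}: DhcpNameServer = 192.168.1.1',
]

# "ProxyServer" = http=127.0.0.1:5555  (the scheme= prefix is optional in OTL output)
PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?:\w+=)?(?P<host>[^:\s,;]+):(?P<port>\d+)')
# NameServer = a.b.c.d,e.f.g.h  (also matches DhcpNameServer)
NAMESERVER_RE = re.compile(r'(?:Dhcp)?NameServer\s*=\s*(?P<servers>[\d.,\s]+)$')
# O4 - HKCU..\Run: [name] path (company)
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<vendor>[^)]*)\)\s*$')

# Locations a legitimate autostart almost never launches from.
SUSPICIOUS_PATH_FRAGMENTS = ('\\local settings\\temp\\', '\\temp\\', '\\application data\\', '\\appdata\\')

Finding = Tuple[str, str]  # (offending line, reason)


def check_proxy(line: str) -> Optional[str]:
    """Flag a ProxyServer value that routes browser traffic through loopback."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    host, port = m.group('host'), int(m.group('port'))
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:
        loopback = host.lower() == 'localhost'
    if loopback:
        return f'proxy points at loopback {host}:{port} (traffic routed through a local process)'
    return None


def check_nameservers(line: str, trusted: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Flag resolvers that are neither on a private network nor in the trusted list."""
    m = NAMESERVER_RE.search(line)
    if not m:
        return None
    servers = [s.strip() for s in m.group('servers').split(',') if s.strip()]
    unexpected: List[str] = []
    for s in servers:
        try:
            ip = ip_address(s)
        except ValueError:
            unexpected.append(s)      # not even an address: worth a look
            continue
        if not ip.is_private and s not in trusted:
            unexpected.append(s)
    if unexpected:
        return 'resolver(s) not on the LAN or in the trusted list: ' + ', '.join(unexpected)
    return None


def check_run_entry(line: str) -> Optional[str]:
    """Flag Run entries launching from temp/profile folders or lacking version info."""
    m = RUN_RE.match(line)
    if not m:
        return None
    path = m.group('path').lower()
    reasons: List[str] = []
    if any(frag in path for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append('autostart launches from a user-writable temp/profile folder')
    if not m.group('vendor').strip():
        reasons.append('executable carries no company/version information')
    if reasons:
        return f'Run entry [{m.group("name")}]: ' + '; '.join(reasons)
    return None


def triage(lines: List[str], trusted_dns: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Run every check over every line and collect the findings."""
    checks = (check_proxy, lambda l: check_nameservers(l, trusted_dns), check_run_entry)
    findings: List[Finding] = []
    for line in lines:
        for check in checks:
            reason = check(line)
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_OTL_LINES):
        print(f'{reason}\n    {line}')
```

To use it on a real log, pass the lines of a saved OTL.txt to `triage()` and put the ISP or corporate resolvers the machine is supposed to use in `trusted_dns`, otherwise any legitimate public resolver is reported alongside the hijacked ones; private (RFC 1918) addresses such as a home router are accepted without being listed.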


Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #8 on: May 08, 2010, 04:58:51 PM »
Thanks so much for your continued help. I successfully uninstalled the programs you listed above (or so it said they were removed, anyway). When I ran the fixes, and the computer rebooted, I noticed that once again Antimalware Doctor appeared in my Programs menu!!!! It was gone, and it reappeared. Anyway, after my computer rebooted, the OTL log appeared as such:

All processes killed
========== OTL ==========
No active process named Phf.exe was found!
No active process named Pzepea.exe was found!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\M5T8QL3YW3 deleted successfully.
C:\Documents and Settings\Evelyn\Local Settings\Temp\Phf.exe moved successfully.
C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk moved successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\NameServer| /E : value set successfully!
C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job moved successfully.
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job moved successfully.
C:\WINDOWS\tasks\BUHB.job moved successfully.
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\ezLife\ezLife\1.5.5.0 folder moved successfully.
C:\Program Files\ezLife\ezLife folder moved successfully.
C:\Program Files\ezLife folder moved successfully.
C:\WINDOWS\Pzepea.exe moved successfully.
C:\Documents and Settings\Evelyn\Desktop\Antimalware Doctor.lnk moved successfully.
File\Folder C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\Antimalware Doctor.lnk not found.
File\Folder C:\WINDOWS\System32\fmujojkeivfh.exe not found.
C:\WINDOWS\System32\hpzcon12D.dll moved successfully.
File\Folder C:\WINDOWS\Pzepea.exe not found.
File\Folder C:\WINDOWS\System32\txixruglclwpnfdsk.dll not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1864773 bytes
->FireFox cache emptied: 28368878 bytes
->Flash cache emptied: 719 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41 bytes
 
User: Evelyn
->Temp folder emptied: 197686962 bytes
->Temporary Internet Files folder emptied: 13919773 bytes
->Java cache emptied: 15711132 bytes
->FireFox cache emptied: 44507247 bytes
->Flash cache emptied: 2326430 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 49554 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 115960942 bytes
->Java cache emptied: 11466 bytes
->Flash cache emptied: 10429 bytes
 
User: Sue
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2142714 bytes
%systemroot%\System32 .tmp files removed: 4528145 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 61862 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23949044 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 4252201672 bytes
 
Total Files Cleaned = 4,486.00 mb
 
 
OTL by OldTimer - Version 3.2.4.1 log created on 05082010_174318

Files\Folders moved on Reboot...
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_784.dat not found!

Registry entries deleted on Reboot...

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #9 on: May 08, 2010, 05:03:57 PM »
That's looking good, carry on with the installation and running of Malwarebytes AntiMalware
Post the log afterwards please, we'll go from there



Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #10 on: May 08, 2010, 05:12:57 PM »
And then here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4079

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

5/8/2010 6:11:03 PM
mbam-log-2010-05-08 (18-11-03).txt

Scan type: Quick scan
Objects scanned: 124593
Time elapsed: 7 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a9722a0d-365f-47d2-b70b-37d046316d99} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ezLife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adhlpr.adhlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b84d49e5-1410-4485-9b85-9feac6649f88}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.163.174,93.188.166.177 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b84d49e5-1410-4485-9b85-9feac6649f88}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.174,93.188.166.177 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Evelyn\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evelyn\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evelyn\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evelyn\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Evelyn\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evelyn\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.


Thanks again!
« Last Edit: May 08, 2010, 05:23:00 PM by guestolo »

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #11 on: May 08, 2010, 05:30:19 PM »
Can we run one more scan please
Download ComboFix from Only this location


Link
Save it ONLY to your Desktop

      --------------------------------------------------------------------
Temporarily Disable your AntiVirus/AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with this tool
Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.

    * Click on Open AVG Interface.
    * Double click on Resident Shield
    * Deselect the option to "Enable Resident Shield."
    * Save changes, and exit the application.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply

NOTE: Do not mouseclick inside ComboFix window as it's running, it may cause it to stall
ComboFix will/may run again on startup, it will prompt that it's creating a log
This process could take up to 10 minutes, let it run uninterrupted please



Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #12 on: May 08, 2010, 06:01:43 PM »
Thanks again, and I see it removed some things related to Antimalware Doctor- I can't believe after running so many different applications there was still Antimalware Dr stuff to be found! Anyway, here is the Combofix log:

ComboFix 10-05-08.01 - Evelyn 05/08/2010  18:46:44.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1014.570 [GMT -4:00]
Running from: c:\documents and settings\Evelyn\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839
c:\documents and settings\Evelyn\Application Data\3F061CC943DE27FE7096EC0ACAF3F839\enemies-names.txt
c:\documents and settings\Evelyn\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Evelyn\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Evelyn\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
(((((((((((((((((((((((((   Files Created from 2010-04-08 to 2010-05-08  )))))))))))))))))))))))))))))))
.

2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Malwarebytes
2010-05-08 22:01 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-08 22:01 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-08 21:43 . 2010-05-08 21:43   --------   d-----w-   C:\_OTL
2010-05-06 19:25 . 2010-05-06 19:26   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-06 18:10 . 2010-05-06 18:10   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-06 18:01 . 2010-05-06 18:01   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-06 15:57 . 2009-09-07 18:02   27944   ----a-w-   c:\windows\system32\sbbd.exe
2010-05-06 15:57 . 2009-08-05 19:58   93872   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 15:56 . 2010-05-06 18:26   --------   d-----w-   C:\VIPRERESCUE
2010-05-06 15:44 . 2010-05-06 15:51   --------   d-----w-   c:\documents and settings\Administrator
2010-05-06 15:44 . 2010-05-06 15:48   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-05-05 17:56 . 2010-05-06 18:26   --------   d-----w-   c:\documents and settings\Evelyn\Local Settings\Application Data\ytnwxmlrn
2010-05-05 17:56 . 2010-05-05 17:56   --------   d-----w-   C:\spoolerlogs
2010-05-05 17:54 . 2010-05-05 17:54   107008   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\b0000379c.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-08 22:46 . 2010-03-30 18:39   --------   d-----w-   c:\program files\Common Files\Akamai
2010-05-08 22:23 . 2009-02-05 14:11   --------   d-----w-   c:\program files\Firefox
2010-05-08 21:31 . 2008-06-05 19:00   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Orbit
2010-05-08 15:40 . 2008-11-05 01:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-07 09:57 . 2008-04-08 21:51   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-06 18:31 . 2010-05-06 15:54   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Orbit
2010-05-06 15:36 . 2008-03-28 16:28   72352   ----a-w-   c:\documents and settings\Evelyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 15:01 . 2008-10-07 02:57   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Skype
2010-04-23 01:05 . 2008-04-07 20:11   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\CoreFTP
2010-04-14 21:38 . 2008-03-28 03:50   --------   d-----w-   c:\program files\Google
2010-03-10 06:15 . 2004-08-04 12:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2004-08-04 12:00   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:04 . 2010-02-23 15:04   50354   ----a-w-   c:\documents and settings\Evelyn\Application Data\Facebook\uninstall.exe
2010-02-16 13:19 . 2004-08-04 12:00   2181376   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59   2058368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-07 39408]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:33   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-04 02:40   165144   ----a-w-   c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-10-04 02:45   960376   ----a-w-   c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 12:58   611712   ----a-w-   c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32   203264   ----a-w-   c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2004-09-17 16:24   61440   ----a-w-   c:\program files\Lexmark 6200 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-12-13 17:43   155648   ----a-w-   c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00   208952   ----a-w-   c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 20:33   563984   ----a-w-   c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 20:37   2178832   ----a-w-   c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
2005-01-18 13:35   196608   ----a-w-   c:\program files\Lexmark 6200 Series\lxbumon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 08:25   144784   ----a-w-   c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-10-04 02:23   4344472   ----a-w-   c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1043:TCP"= 1043:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [4/4/2009 2:42 PM 971168]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/4/2009 9:43 PM 335240]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [5/6/2010 11:57 AM 93872]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [9/28/2009 11:41 PM 24645]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/4/2009 9:43 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/7/2009 9:10 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 20:04   8192   ----a-w-   c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 13:09]

2010-05-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - hxxp://store02.prostores.com/storeadmin/utilities/pssbedit.cab
FF - ProfilePath - c:\documents and settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\vu97i6ae.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Evelyn\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-lxdnmon - c:\program files\Lexmark 2600 Series\lxdnmon.exe
ActiveSetup-Nitro PDF Professional - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-08 18:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,bd,2e,50,0f,55,b0,49,8c,88,11,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,bd,2e,50,0f,55,b0,49,8c,88,11,\
.
Completion time: 2010-05-08  18:58:36
ComboFix-quarantined-files.txt  2010-05-08 22:58

Pre-Run: 56,115,421,184 bytes free
Post-Run: 56,097,820,672 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 82F4D625A71A805B053E413A7D5C84C5

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #13 on: May 08, 2010, 06:52:24 PM »
Let's update some of your insecure software and remove some folders, etc...

Some of the files I'm going to remove with ComboFix are related to the scan from VipreRescue, which are not needed any longer.

First, however:
Open your copy of Adobe Reader and click on HELP>>>CHECK FOR UPDATES.
Install the latest updates.
Keep rechecking for updates until you have them all.

NEXT>>Close down all browser windows
Access your Add and Remove Programs and remove
Java™ 6 Update 5

Come back here
Copy ALL of the text below in the Code box and paste it into an empty Notepad file.
Don't use anything other than Notepad or the script will not work.


Code:
Driver::
SBRE

File::
c:\windows\system32\sbbd.exe
c:\windows\system32\drivers\SBREDrv.sys

Folder::
C:\VIPRERESCUE
c:\documents and settings\Evelyn\Local Settings\Application Data\ytnwxmlrn
Registry::
Save this as a txt file on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
I'll need to see that log again

In addition: your version of AVG is a bit out of date; do you plan on updating your copy to AVG 9 Free?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #14 on: May 09, 2010, 09:05:20 AM »
After I dragged CFScript.txt into ComboFix, I received this message from ComboFix:

"NIRCMDC is not recognized as an internal or external command, operable program, or batch file."

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #15 on: May 09, 2010, 09:16:11 AM »
Delete your copy of ComboFix and download a fresh copy from HERE
Save it to your desktop, then try the previous instructions with CFScript.txt

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #16 on: May 09, 2010, 09:18:36 AM »
Ok, will do. I just tried to upgrade AVG to the latest version, and I received this message:


Local machine: installation failed
    Installation:
        Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
            Access is denied.

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #17 on: May 09, 2010, 10:14:48 AM »
I'll just wait for the results from ComboFix before we dig into a different problem

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline mickapoo

Antimalware Doctor has infected my PC!!
« Reply #18 on: May 09, 2010, 10:47:12 AM »
Quote from guestolo (09 May 2010 - 11:14 AM):
    I'll just wait for the results from ComboFix before we dig into a different problem

Ok. Here is the ComboFix log:

ComboFix 10-05-08.03 - Evelyn 05/09/2010  10:23:30.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1014.463 [GMT -4:00]
Running from: c:\documents and settings\Evelyn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Evelyn\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\SBREDrv.sys"
"c:\windows\system32\sbbd.exe"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Evelyn\Local Settings\Application Data\ytnwxmlrn
C:\VIPRERESCUE
c:\viprerescue\20100506115732.csv
c:\viprerescue\20100506115732.xml
c:\viprerescue\20100506115732_1.csv
c:\viprerescue\deep_scan.bat
c:\viprerescue\Definitions\adsrules.dat
c:\viprerescue\Definitions\AdviceTx.vdx
c:\viprerescue\Definitions\api0.std
c:\viprerescue\Definitions\apincl.dat
c:\viprerescue\Definitions\apprules.dat
c:\viprerescue\Definitions\bhmem.vtd
c:\viprerescue\Definitions\bhsl.vtd
c:\viprerescue\Definitions\bmem.vtd
c:\viprerescue\Definitions\CatDesc.vdx
c:\viprerescue\Definitions\CatID.vdx
c:\viprerescue\Definitions\cblk.vtd
c:\viprerescue\Definitions\cmem.vtd
c:\viprerescue\Definitions\cname.wtd
c:\viprerescue\Definitions\comp0.std
c:\viprerescue\Definitions\Cookies.vdx
c:\viprerescue\Definitions\CoreVer.txt
c:\viprerescue\Definitions\ctid.vtd
c:\viprerescue\Definitions\defs0.std
c:\viprerescue\Definitions\DefVer.txt
c:\viprerescue\Definitions\EPSigs.vdx
c:\viprerescue\Definitions\FastSigs.vdx
c:\viprerescue\Definitions\FileDT.vdx
c:\viprerescue\Definitions\FolderDT.vdx
c:\viprerescue\Definitions\fsigs.vdx
c:\viprerescue\Definitions\hcol.wtd
c:\viprerescue\Definitions\heur0.std
c:\viprerescue\Definitions\HistoryCleaner.xml
c:\viprerescue\Definitions\hstn.vtd
c:\viprerescue\Definitions\idsrules.dat
c:\viprerescue\Definitions\ih.vdx
c:\viprerescue\Definitions\IncompatiblePrograms.dll
c:\viprerescue\Definitions\incompats.dat
c:\viprerescue\Definitions\ip.vtd
c:\viprerescue\Definitions\kbu.dat
c:\viprerescue\Definitions\kbu.dll
c:\viprerescue\Definitions\lgpl.dll
c:\viprerescue\Definitions\lib7zip.dll
c:\viprerescue\Definitions\libCHM.dll
c:\viprerescue\Definitions\libEmail.dll
c:\viprerescue\Definitions\libMsi.dll
c:\viprerescue\Definitions\libNSIS.dll
c:\viprerescue\Definitions\libOleA.dll
c:\viprerescue\Definitions\libRar.dll
c:\viprerescue\Definitions\libtd.dll
c:\viprerescue\Definitions\libVvs.dll
c:\viprerescue\Definitions\libZip.dll
c:\viprerescue\Definitions\macroptn.std
c:\viprerescue\Definitions\mime0.std
c:\viprerescue\Definitions\networkrules.dat
c:\viprerescue\Definitions\pack0.std
c:\viprerescue\Definitions\patchw32.dll
c:\viprerescue\Definitions\qscnf.vdx
c:\viprerescue\Definitions\qscnr.vdx
c:\viprerescue\Definitions\RegDT.vdx
c:\viprerescue\Definitions\rem0.std
c:\viprerescue\Definitions\remediation.dll
c:\viprerescue\Definitions\RootCA.wtd
c:\viprerescue\Definitions\RTmem.vdx
c:\viprerescue\Definitions\SBTS.dat
c:\viprerescue\Definitions\script0.std
c:\viprerescue\Definitions\sdll0.std
c:\viprerescue\Definitions\sel.dat
c:\viprerescue\Definitions\smim0.std
c:\viprerescue\Definitions\ThreatCategoryGlossary.xml
c:\viprerescue\Definitions\ThreatCategoryGlossary.xsd
c:\viprerescue\Definitions\ThreatDT.vdx
c:\viprerescue\Definitions\ThreatID.vdx
c:\viprerescue\Definitions\TImem.vdx
c:\viprerescue\Definitions\unpck0.std
c:\viprerescue\Definitions\vcore.dll
c:\viprerescue\Definitions\VVSSigs.vdx
c:\viprerescue\Definitions\white.wtd
c:\viprerescue\Definitions\white0.std
c:\viprerescue\Definitions\whsl.wtd
c:\viprerescue\Definitions\wmem.wtd
c:\viprerescue\sbbd.exe
c:\viprerescue\SBRC.exe
c:\viprerescue\SBRE.dll
c:\viprerescue\SBREDrv.sys
c:\viprerescue\SBTE.dll
c:\viprerescue\vipre.dll
c:\viprerescue\VIPRERescueScanner.exe
c:\windows\system32\drivers\SBREDrv.sys
c:\windows\system32\sbbd.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SBRE
-------\Service_SBRE


(((((((((((((((((((((((((   Files Created from 2010-04-09 to 2010-05-09  )))))))))))))))))))))))))))))))
.

2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Malwarebytes
2010-05-08 22:01 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-08 22:01 . 2010-05-08 22:01   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-05-08 22:01 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-05-08 21:43 . 2010-05-08 21:43   --------   d-----w-   C:\_OTL
2010-05-06 19:25 . 2010-05-06 19:26   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-06 18:10 . 2010-05-06 18:10   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-05-06 18:01 . 2010-05-06 18:01   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-06 15:54 . 2010-05-06 18:31   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Orbit
2010-05-06 15:51 . 2010-05-06 15:51   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
2010-05-06 15:46 . 2010-05-06 15:46   --------   d-sh--w-   c:\documents and settings\Administrator\IECompatCache
2010-05-05 17:56 . 2010-05-05 17:56   --------   d-----w-   C:\spoolerlogs
2010-05-05 17:54 . 2010-05-05 17:54   107008   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\b0000379c.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-09 14:32 . 2010-03-30 18:39   --------   d-----w-   c:\program files\Common Files\Akamai
2010-05-09 14:16 . 2009-02-05 14:11   --------   d-----w-   c:\program files\Firefox
2010-05-09 14:14 . 2009-04-05 01:43   --------   d-----w-   c:\program files\AVG
2010-05-09 14:12 . 2009-04-05 01:43   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg8
2010-05-09 12:31 . 2008-03-27 23:52   --------   d-----w-   c:\program files\Common Files\Adobe
2010-05-08 21:31 . 2008-06-05 19:00   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Orbit
2010-05-08 15:40 . 2008-11-05 01:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-07 09:57 . 2008-04-08 21:51   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-05-06 15:36 . 2008-03-28 16:28   72352   ----a-w-   c:\documents and settings\Evelyn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-04 15:01 . 2008-10-07 02:57   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\Skype
2010-04-23 01:05 . 2008-04-07 20:11   --------   d-----w-   c:\documents and settings\Evelyn\Application Data\CoreFTP
2010-04-14 21:38 . 2008-03-28 03:50   --------   d-----w-   c:\program files\Google
2010-03-10 06:15 . 2004-08-04 12:00   420352   ----a-w-   c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-04 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2004-08-04 12:00   454016   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 15:04 . 2010-02-23 15:04   50354   ----a-w-   c:\documents and settings\Evelyn\Application Data\Facebook\uninstall.exe
2010-02-16 13:19 . 2004-08-04 12:00   2181376   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-16 12:39 . 2004-08-03 22:59   2058368   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:47 . 2004-08-04 12:00   100864   ----a-w-   c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-04 12:00   226880   ----a-w-   c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-07 39408]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-11-02 69632]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-12-13 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-13 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:33   11952   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-10-04 02:40   165144   ----a-w-   c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2008-10-04 02:45   960376   ----a-w-   c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2010-05-09 12:18   611712   ----a-w-   c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32   203264   ----a-w-   c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00   15360   ----a-w-   c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2004-09-17 16:24   61440   ----a-w-   c:\program files\Lexmark 6200 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2004-12-13 17:43   155648   ----a-w-   c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 12:00   208952   ----a-w-   c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 20:33   563984   ----a-w-   c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 20:37   2178832   ----a-w-   c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxbumon.exe]
2005-01-18 13:35   196608   ----a-w-   c:\program files\Lexmark 6200 Series\lxbumon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 12:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 12:00   455168   ----a-w-   c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 15:30   413696   ----a-w-   c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-10-04 02:23   4344472   ----a-w-   c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Apache Software Foundation\\Apache2.2\\bin\\httpd.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"1030:TCP"= 1030:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 tdrpman140;Acronis Try&Decide and Restore Points filter (build 140);c:\windows\system32\drivers\tdrpm140.sys [4/4/2009 2:42 PM 971168]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/4/2009 9:43 PM 335240]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 8:00 AM 14336]
R2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [9/28/2009 11:41 PM 24645]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/4/2009 9:43 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/7/2009 9:10 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 20:04   8192   ----a-w-   c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 13:09]

2010-05-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-07 13:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {F73BE1F4-82AA-4405-AB81-FAFB5A122359} - hxxp://store02.prostores.com/storeadmin/utilities/pssbedit.cab
FF - ProfilePath - c:\documents and settings\Evelyn\Application Data\Mozilla\Firefox\Profiles\vu97i6ae.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Evelyn\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 10:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...  


c:\windows\system32\wbem\Performance\WmiApRpl_new.h 738 bytes
c:\documents and settings\Evelyn\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{19B9514F-4B19-46AA-942A-1F06888536CD}.xml 913 bytes
c:\documents and settings\Evelyn\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{FC5F66CC-73F3-482B-BAC0-7484BD4491EE}.xml 525 bytes

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,bd,2e,50,0f,55,b0,49,8c,88,11,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,43,bd,2e,50,0f,55,b0,49,8c,88,11,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(6776)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\LINKSY~1\LinksysAdvisor.exe
.
**************************************************************************
.
Completion time: 2010-05-09  10:56:12 - machine was rebooted
ComboFix-quarantined-files.txt  2010-05-09 14:56
ComboFix2.txt  2010-05-08 22:58

Pre-Run: 55,483,129,856 bytes free
Post-Run: 55,505,309,696 bytes free

- - End Of File - - EC3AFAF1DCA4505E3A1D93CF9B0E9266

Offline guestolo

Antimalware Doctor has infected my PC!!
« Reply #19 on: May 09, 2010, 10:57:33 AM »
Ok, this is going to take a couple restarts, but let's see if we can get this to work

First, download and save to your desktop both
AVGRemover.exe
and
reset_access_avg9_en.exe

NEXT: Run AVGRemover.exe and follow the prompts; when it's complete you may be asked to reboot the computer.
If not, reboot manually anyway.

Back in Windows, run reset_access_avg9_en.exe, follow the prompts, and reboot the computer again.

Back in Windows, re-download the AVG 9 installer from here:
http://download.cnet.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?part=dl-10044820&subj=dl&tag=button&cdlPid=11014801
Save the installer to your desktop, then double-click on it to run it.
See if that helps; let me know, please.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/