AntiMalware Doctor


Re: AntiMalware Doctor

Post by Misteretc on Sat Mar 27, 2010 11:37 pm

Here we go...

ComboFix 10-03-27.02 - Ann 2010-03-27 19:19:56.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1763 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.scr
Command switches used :: /S
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nowepeto.dll
c:\windows\Tasks\zqjtjhpw.job

.
((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))
.

2010-03-20 02:52 . 2010-03-20 02:52 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGPWINJTGTD
2010-03-15 09:18 . 2010-03-15 09:18 4 ----a-w- c:\program files\8728890.dat
2010-03-15 08:04 . 2010-03-15 08:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
2010-03-15 08:01 . 2010-03-15 08:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-15 00:22 . 2010-03-15 00:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-03-14 20:19 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 20:19 . 2010-03-27 11:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 20:19 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 16:44 . 2010-03-14 16:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-14 16:27 . 2010-03-14 16:28 -------- d-----w- c:\documents and settings\Ann\Application Data\GetRightToGo
2010-03-14 15:34 . 2010-03-14 15:34 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Threat Expert
2010-03-14 15:26 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-14 15:26 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-14 15:26 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-14 15:26 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-03-14 15:26 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-14 15:26 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-14 15:26 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-14 15:25 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-14 15:25 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-14 15:25 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-14 15:25 . 2010-03-14 15:26 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-14 15:25 . 2010-03-14 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-14 15:12 . 2010-03-14 15:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-14 15:12 . 2010-03-14 15:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-14 03:29 . 2010-03-14 03:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-14 03:18 . 2010-03-14 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-14 03:17 . 2010-03-14 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-14 03:17 . 2010-03-14 03:17 -------- d-----w- c:\program files\Common Files\iS3
2010-03-14 03:15 . 2010-03-14 03:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-14 02:43 . 2010-03-24 16:42 -------- d-----w- c:\documents and settings\Ann\Application Data\770F2997F2BFA71D1B8B4463F6319FB4
2010-03-06 17:05 . 2010-03-06 17:05 -------- d-----w- c:\documents and settings\Ann\Application Data\CyberLink
2010-03-06 17:04 . 2010-03-06 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-03-06 17:04 . 2010-03-06 17:04 -------- d-----w- c:\program files\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 23:26 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-27 23:26 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-27 22:50 . 2009-01-18 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-27 21:39 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-18 13:13 . 2009-06-10 20:37 -------- d-----w- c:\program files\QuickTime
2010-03-18 13:13 . 2009-01-17 16:19 -------- d-----w- c:\program files\Spyware Doctor
2010-03-18 13:13 . 2009-09-19 18:41 -------- d-----w- c:\program files\Verizon
2010-03-18 13:13 . 2009-06-10 20:42 -------- d-----w- c:\program files\iTunes
2010-03-18 13:13 . 2009-02-27 17:54 -------- d-----w- c:\program files\AIM6
2010-03-18 13:13 . 2009-01-13 00:20 -------- d-----w- c:\program files\Norton 360
2010-03-14 23:08 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-14 20:47 . 2009-11-07 23:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-14 20:47 . 2009-11-07 23:36 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-14 20:47 . 2010-03-14 20:46 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-14 20:46 . 2009-11-07 23:36 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-14 20:46 . 2009-05-25 21:21 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-14 20:46 . 2009-01-25 03:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-14 20:46 . 2009-11-07 23:36 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-14 20:46 . 2009-11-07 23:36 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-14 20:46 . 2009-06-16 21:21 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-14 20:46 . 2010-03-14 20:46 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-14 20:12 . 2010-02-12 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-03-14 20:06 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-14 16:44 . 2009-01-20 22:17 -------- d-----w- c:\program files\Lavasoft
2010-03-14 14:51 . 2010-03-14 14:49 2240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-14 02:43 . 2010-03-14 02:43 17920 ----a-w- c:\documents and settings\Ann\Application Data\770F2997F2BFA71D1B8B4463F6319FB4\hookdll.dll
2010-03-14 02:43 . 2010-03-14 02:43 962560 ----a-w- c:\documents and settings\Ann\Application Data\770F2997F2BFA71D1B8B4463F6319FB4\dbf70700 .exe
2010-03-14 02:03 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-03-11 08:03 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 17:04 . 2008-12-30 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 01:21 . 2009-01-13 00:31 -------- d-----w- c:\program files\Google
2010-03-01 12:40 . 2009-10-02 00:23 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 15:53 . 2010-03-14 16:44 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-30 12:38 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 11:36 . 2009-06-16 21:21 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\system32\bizivata.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\bogogife.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\buloboti.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\fakiyegi.dll
1601-01-01 00:03 . 1601-01-01 00:03 56320 --sha-w- c:\windows\system32\gekininu.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\hanipolu.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\hogayigi.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\kelahudu.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\lokomoha.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\nodujohu.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\nuyujivu.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\pagoteba.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\polufili.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\riwozubi.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\ronilipi.dll
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\samotaso.dll
1601-01-01 00:03 . 1601-01-01 00:03 65536 --sha-w- c:\windows\system32\sikafemu.dll
1601-01-01 00:03 . 1601-01-01 00:03 70144 --sha-w- c:\windows\system32\soyeviwa.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\sudovufu.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\susiwoye.dll
1601-01-01 00:03 . 1601-01-01 00:03 65536 --sha-w- c:\windows\system32\taloziku.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\tayoyeza.dll
1601-01-01 00:03 . 1601-01-01 00:03 173568 --sha-w- c:\windows\system32\tijayoni.exe
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\tisibufu.dll
1601-01-01 00:03 . 1601-01-01 00:03 47616 --sha-w- c:\windows\system32\vigenayu.dll
.
Code:
c:\program files\AIM6\aim6 .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
c:\program files\Nitro PDF\Professional\nitropdfprintermonitor .exe
c:\program files\Norton 360\oscheck .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctstray .exe
c:\program files\Verizon\mccitrayapp .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{940d0ca2-1da7-4c85-b314-52a878575b57}]
1601-01-01 00:03 65536 --sha-w- c:\windows\system32\sikafemu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"Remote System Protection"="c:\windows\system32\lzfl50.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-18 818256]
"vigutiture"="sasisudi.dll" [N/A]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]
"wukiwebit"="c:\windows\system32\nowepeto.dll" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Remote System Protection"="c:\windows\system32\lzfl50.dll" [N/A]
"Security Guard"="c:\documents and settings\All Users\Application Data\3931f85\SG3931.exe" [N/A]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 12:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1263728]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-17 365280]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 09:08]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {77EA3CD6-B134-4CD9-ACD2-0CFC6428F7FD} = 217.23.14.75,4.2.2.1,192.168.1.1
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{7d455ead-64d0-4cc8-b035-ce6c9df0adcc} - c:\windows\system32\nowepeto.dll
SSODL-vesuzigoh-{7d455ead-64d0-4cc8-b035-ce6c9df0adcc} - c:\windows\system32\nowepeto.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2010-03-27 19:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1064)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3592)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\netdde.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-03-27 19:36:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-27 23:35
ComboFix2.txt 2010-03-27 21:50
ComboFix3.txt 2010-03-27 19:45

Pre-Run: 75,606,302,720 bytes free
Post-Run: 75,564,867,584 bytes free

- - End Of File - - 759940ACE4AB86D19AFB4CE9D69080B2


Re: AntiMalware Doctor

Post by Belahzur on Sun Mar 28, 2010 12:43 pm

Hello.
Weird that Combofix says the command switch used was /S. I do notice, however, that you are running Combofix.exe as a .scr file; please delete it and download a new copy that is a .exe.

Try running my script again.


Please PM me if I fail to respond within 24hrs.



Re: AntiMalware Doctor

Post by Misteretc on Sun Mar 28, 2010 12:57 pm

Okay, sure will.


Re: AntiMalware Doctor

Post by Misteretc on Sun Mar 28, 2010 1:37 pm

I'm only able to run it with the SCR at the end. I tried Combo-Fix.exe and Combofix.exe and neither of those will run. It says there was an issue with installation and that a reboot of the computer is needed.


Re: AntiMalware Doctor

Post by Misteretc on Sun Mar 28, 2010 4:38 pm

ComboFix 10-03-27.03 - Ann 2010-03-28 11:55:56.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2494.1719 [GMT -4:00]
Running from: c:\documents and settings\Ann\Desktop\Combo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ativva5x.dat
c:\windows\system32\loseteni.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 11:04 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-28 11:04 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 11:04 . 2010-03-28 11:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-28 10:58 . 2010-02-02 14:13 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-03-28 10:58 . 2010-02-02 14:13 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-03-28 10:58 . 2010-02-02 14:13 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-03-20 02:52 . 2010-03-20 02:52 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGPWINJTGTD
2010-03-15 09:18 . 2010-03-15 09:18 4 ----a-w- c:\program files\8728890.dat
2010-03-15 08:04 . 2010-03-15 08:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
2010-03-15 08:01 . 2010-03-15 08:01 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-15 00:22 . 2010-03-15 00:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Threat Expert
2010-03-14 16:44 . 2010-03-14 16:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-14 16:27 . 2010-03-14 16:28 -------- d-----w- c:\documents and settings\Ann\Application Data\GetRightToGo
2010-03-14 15:34 . 2010-03-14 15:34 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Threat Expert
2010-03-14 15:26 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-14 15:26 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-14 15:26 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-14 15:26 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-03-14 15:26 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-14 15:26 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-14 15:26 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-14 15:25 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-14 15:25 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-14 15:25 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-14 15:25 . 2010-03-28 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-14 15:25 . 2010-03-14 15:26 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-14 15:12 . 2010-03-14 15:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-03-14 15:12 . 2010-03-14 15:12 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-03-14 03:29 . 2010-03-14 03:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-14 03:18 . 2010-03-14 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-14 03:17 . 2010-03-14 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-14 03:17 . 2010-03-14 03:17 -------- d-----w- c:\program files\Common Files\iS3
2010-03-14 03:15 . 2010-03-14 03:15 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-14 02:43 . 2010-03-28 02:27 -------- d-----w- c:\documents and settings\Ann\Application Data\770F2997F2BFA71D1B8B4463F6319FB4
2010-03-06 17:05 . 2010-03-06 17:05 -------- d-----w- c:\documents and settings\Ann\Application Data\CyberLink
2010-03-06 17:04 . 2010-03-06 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2010-03-06 17:04 . 2010-03-06 17:04 -------- d-----w- c:\program files\CyberLink

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 16:28 . 2009-01-17 16:19 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-28 16:27 . 2009-01-13 00:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-03-28 13:49 . 2009-01-17 16:19 -------- d-----w- c:\program files\Spyware Doctor
2010-03-28 13:23 . 2009-01-18 16:34 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-27 21:39 . 2009-01-13 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-03-18 13:13 . 2009-06-10 20:37 -------- d-----w- c:\program files\QuickTime
2010-03-18 13:13 . 2009-09-19 18:41 -------- d-----w- c:\program files\Verizon
2010-03-18 13:13 . 2009-06-10 20:42 -------- d-----w- c:\program files\iTunes
2010-03-18 13:13 . 2009-02-27 17:54 -------- d-----w- c:\program files\AIM6
2010-03-18 13:13 . 2009-01-13 00:20 -------- d-----w- c:\program files\Norton 360
2010-03-14 23:08 . 2010-02-12 11:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-14 20:47 . 2009-11-07 23:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-14 20:47 . 2009-11-07 23:36 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-03-14 20:47 . 2010-03-14 20:46 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-03-14 20:46 . 2009-11-07 23:36 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-03-14 20:46 . 2009-05-25 21:21 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-03-14 20:46 . 2009-01-25 03:14 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-03-14 20:46 . 2009-11-07 23:36 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-03-14 20:46 . 2009-11-07 23:36 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-03-14 20:46 . 2009-06-16 21:21 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-03-14 20:46 . 2010-03-14 20:46 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-03-14 20:12 . 2010-02-12 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-03-14 20:06 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-14 16:44 . 2009-01-20 22:17 -------- d-----w- c:\program files\Lavasoft
2010-03-14 14:51 . 2010-03-14 14:49 2240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-14 02:03 . 2009-01-17 14:44 -------- d-----w- c:\documents and settings\Ann\Application Data\FrostWire
2010-03-11 08:03 . 2009-01-13 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 17:04 . 2008-12-30 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-05 01:21 . 2009-01-13 00:31 -------- d-----w- c:\program files\Google
2010-03-01 12:40 . 2009-10-02 00:23 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 15:53 . 2010-03-14 16:44 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-01-20 22:21 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-30 12:38 . 2009-01-13 03:37 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-27 11:36 . 2009-06-16 21:21 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-31 16:50 . 2008-04-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\system32\bizivata.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\hogayigi.dll
1601-01-01 00:03 . 1601-01-01 00:03 96768 --sha-w- c:\windows\system32\nuyujivu.dll
1601-01-01 00:03 . 1601-01-01 00:03 41472 --sha-w- c:\windows\system32\riwozubi.dll
1601-01-01 00:03 . 1601-01-01 00:03 65536 --sha-w- c:\windows\system32\sikafemu.dll
1601-01-01 00:03 . 1601-01-01 00:03 65536 --sha-w- c:\windows\system32\taloziku.dll
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\windows\system32\tisibufu.dll
.
Code:
c:\program files\AIM6\aim6 .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Lavasoft\Ad-Aware\aawtray .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\defmgr .exe
c:\program files\Nitro PDF\Professional\nitropdfprintermonitor .exe
c:\program files\Norton 360\oscheck .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Spyware Doctor\pctstray .exe
c:\program files\Verizon\mccitrayapp .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{940d0ca2-1da7-4c85-b314-52a878575b57}]
1601-01-01 00:03 65536 --sha-w- c:\windows\system32\sikafemu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"Google Update"="c:\documents and settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [N/A]
"Remote System Protection"="c:\windows\system32\lzfl50.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-18 818256]
"vigutiture"="sasisudi.dll" [N/A]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]
"wukiwebit"="c:\windows\system32\nowepeto.dll" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Remote System Protection"="c:\windows\system32\lzfl50.dll" [N/A]
"Security Guard"="c:\documents and settings\All Users\Application Data\3931f85\SG3931.exe" [N/A]

c:\documents and settings\Ann\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 12:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\CCSVCHST.EXE"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-20 6:21 PM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-20 5:17 PM 28544]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-14 207280]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-03-28 6:58 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-03-28 6:58 AM 59664]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-18 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-18 108552]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-03-14 233136]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-18 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2010-03-14 112592]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-18 3:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-02-27 1:55 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 8:11 PM 101936]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 9:54 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1263728]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-03-14 70408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-17 365280]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-03-28 6:58 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
[N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 09:08]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]

2010-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 13:54]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {77EA3CD6-B134-4CD9-ACD2-0CFC6428F7FD} = 217.23.14.75,4.2.2.1,192.168.1.1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-28 12:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,14,93,6e,2e,97,40,8e,4b,83,90,3b,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1076)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll

- - - - - - - > 'explorer.exe'(448)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\netdde.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2010-03-28 12:35:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 16:35
ComboFix2.txt 2010-03-27 23:36
ComboFix3.txt 2010-03-27 21:50
ComboFix4.txt 2010-03-27 19:45

Pre-Run: 75,419,652,096 bytes free
Post-Run: 75,457,159,168 bytes free

- - End Of File - - 4DC362DDD12D16BE9EBFE2EA5DF3ACF4

Misteretc
Intermediate
Posts : 113
Joined : 2010-03-14
Gender : Male
OS : Microsoft Windows XP

Re: AntiMalware Doctor

Post by Belahzur on Sun Mar 28, 2010 4:47 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: AntiMalware Doctor

Post by Misteretc on Sun Mar 28, 2010 5:19 pm

I've tried downloading it several times and each time it fails after install. It says...

A Pop-up box that says "Setup"

Unable to Execute file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

CreateProcess failed; code 2.
The system cannot find the file specified.

***Note: I've tried different variations and for a brief nanosecond I get to the scan page, but then it fails immediately and disappears.


Re: AntiMalware Doctor

Post by Misteretc on Sun Mar 28, 2010 8:49 pm

Also after installing it, sometimes if I try to double click on "Malwarebytes' Anti-Malware" it asks me which program I want to use to open it. Everything else on my computer seems to work fine except this one.


Re: AntiMalware Doctor

Post by Belahzur on Mon Mar 29, 2010 12:22 am

Hello.
Let's try this a different way, then.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\program files\8728890.dat
    c:\windows\system32\bizivata.dll
    c:\windows\system32\bogogife.dll
    c:\windows\system32\buloboti.dll
    c:\windows\system32\fakiyegi.dll
    c:\windows\system32\gekininu.dll
    c:\windows\system32\hanipolu.dll
    c:\windows\system32\hogayigi.dll
    c:\windows\system32\kelahudu.dll
    c:\windows\system32\lokomoha.dll
    c:\windows\system32\nodujohu.dll
    c:\windows\system32\nuyujivu.dll
    c:\windows\system32\polufili.dll
    c:\windows\system32\riwozubi.dll
    c:\windows\system32\ronilipi.dll
    c:\windows\system32\samotaso.dll
    c:\windows\system32\sikafemu.dll
    c:\windows\system32\sudovufu.dll
    c:\windows\system32\susiwoye.dll
    c:\windows\system32\taloziku.dll
    c:\windows\system32\tayoyeza.dll
    c:\windows\system32\tijayoni.exe
    c:\windows\system32\tisibufu.dll
    c:\windows\system32\vigenayu.dll

    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{940d0ca2-1da7-4c85-b314-52a878575b57}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Remote System Protection"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vigutiture"=-
    "wukiwebit"=-
    "Adobe_Reader"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Remote System Protection"=-
    "Security Guard"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4098ae48-3f18-4678-b8bd-77d31e5f01cb}]
    "NameServer"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.





Re: AntiMalware Doctor

Post by Misteretc on Mon Mar 29, 2010 1:52 am

Okay great, I will give it a try! Thanks!

Right On!


Re: AntiMalware Doctor

Post by Misteretc on Mon Mar 29, 2010 1:53 am

Wow, that was fast. Here are the results...

========== FILES ==========
c:\program files\8728890.dat moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\bizivata.dll
c:\windows\system32\bizivata.dll moved successfully.
File/Folder c:\windows\system32\bogogife.dll not found.
File/Folder c:\windows\system32\buloboti.dll not found.
File/Folder c:\windows\system32\fakiyegi.dll not found.
File/Folder c:\windows\system32\gekininu.dll not found.
File/Folder c:\windows\system32\hanipolu.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\hogayigi.dll
c:\windows\system32\hogayigi.dll moved successfully.
File/Folder c:\windows\system32\kelahudu.dll not found.
File/Folder c:\windows\system32\lokomoha.dll not found.
File/Folder c:\windows\system32\nodujohu.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\nuyujivu.dll
c:\windows\system32\nuyujivu.dll moved successfully.
File/Folder c:\windows\system32\polufili.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\riwozubi.dll
c:\windows\system32\riwozubi.dll moved successfully.
File/Folder c:\windows\system32\ronilipi.dll not found.
File/Folder c:\windows\system32\samotaso.dll not found.
File/Folder c:\windows\system32\sikafemu.dll not found.
File/Folder c:\windows\system32\sudovufu.dll not found.
File/Folder c:\windows\system32\susiwoye.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\taloziku.dll
c:\windows\system32\taloziku.dll moved successfully.
File/Folder c:\windows\system32\tayoyeza.dll not found.
File/Folder c:\windows\system32\tijayoni.exe not found.
DllUnregisterServer procedure not found in c:\windows\system32\tisibufu.dll
c:\windows\system32\tisibufu.dll moved successfully.
File/Folder c:\windows\system32\vigenayu.dll not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{940d0ca2-1da7-4c85-b314-52a878575b57}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{940d0ca2-1da7-4c85-b314-52a878575b57}\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Remote System Protection deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\vigutiture deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wukiwebit deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Adobe_Reader deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Remote System Protection deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Security Guard deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4098ae48-3f18-4678-b8bd-77d31e5f01cb} not found.

OTM by OldTimer - Version 3.1.10.1 log created on 03282010_215222


Re: AntiMalware Doctor

Post by Belahzur on Mon Mar 29, 2010 6:21 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything Hijack This found; copy and paste it back here.





Re: AntiMalware Doctor

Post by Misteretc on Tue Mar 30, 2010 10:43 am

Thanks! Here it is...

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 6:42:34 AM, on 2010-03-30
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {940d0ca2-1da7-4c85-b314-52a878575b57} - sikafemu.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [vigutiture] Rundll32.exe "sasisudi.dll",s
O4 - HKLM\..\Run: [wukiwebit] Rundll32.exe "c:\windows\system32\nuyujivu.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware1\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ann\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{77EA3CD6-B134-4CD9-ACD2-0CFC6428F7FD}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: lofiketo.dll c:\windows\system32\hogayigi.dll c:\windows\system32\nuyujivu.dll
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O21 - SSODL: yajisilar - {50214219-ef55-4ddd-9dad-207e4e7e4f56} - c:\windows\system32\nuyujivu.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: tokatiluy - {50214219-ef55-4ddd-9dad-207e4e7e4f56} - c:\windows\system32\nuyujivu.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 12383 bytes

Misteretc
Intermediate
Intermediate

Status :
Online
Offline

Posts : 113
Joined : 2010-03-14
Gender : Male
OS : Microsoft Windows XP

View user profile

Back to top Go down

Re: AntiMalware Doctor

Post by Belahzur on Tue Mar 30, 2010 10:14 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
    O2 - BHO: (no name) - {940d0ca2-1da7-4c85-b314-52a878575b57} - sikafemu.dll (file missing)
    O4 - HKLM\..\Run: [vigutiture] Rundll32.exe "sasisudi.dll",s
    O4 - HKLM\..\Run: [wukiwebit] Rundll32.exe "c:\windows\system32\nuyujivu.dll",a
    O17 - HKLM\System\CCS\Services\Tcpip\..\{77EA3CD6-B134-4CD9-ACD2-0CFC6428F7FD}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.1
    O20 - AppInit_DLLs: lofiketo.dll c:\windows\system32\hogayigi.dll c:\windows\system32\nuyujivu.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O21 - SSODL: yajisilar - {50214219-ef55-4ddd-9dad-207e4e7e4f56} - c:\windows\system32\nuyujivu.dll (file missing)
    O22 - SharedTaskScheduler: tokatiluy - {50214219-ef55-4ddd-9dad-207e4e7e4f56} - c:\windows\system32\nuyujivu.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection -> Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
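The lines the helper picked out above share a few recognisable traits: a browser proxy pointed at a local port, load points (BHO, SSODL, SharedTaskScheduler, Winlogon Notify) whose DLL no longer exists, Run keys that start a DLL through Rundll32, a non-empty AppInit_DLLs value, and an O17 NameServer override that sends DNS outside the home LAN. As an added example (not from this thread, HijackThis or the helper), the Python script below applies those rules to sample lines copied from the posted log; the sample list and the classify/triage names are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample: a subset of the HijackThis lines the helper asked to fix
# in this thread, plus one benign O23 service line from the same log.
SAMPLE_HJT = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    r"O2 - BHO: (no name) - {940d0ca2-1da7-4c85-b314-52a878575b57} - sikafemu.dll (file missing)",
    r'O4 - HKLM\..\Run: [wukiwebit] Rundll32.exe "c:\windows\system32\nuyujivu.dll",a',
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{77EA3CD6-B134-4CD9-ACD2-0CFC6428F7FD}: NameServer = 217.23.14.75,4.2.2.1,192.168.1.1",
    r"O20 - AppInit_DLLs: lofiketo.dll c:\windows\system32\hogayigi.dll c:\windows\system32\nuyujivu.dll",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]

def _is_lan(addr):
    """True for private (RFC 1918) addresses such as the home router 192.168.1.1."""
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False

def classify(line):
    """Return why a HijackThis line matches the infection pattern in this thread, or None."""
    m = re.match(r"(R\d|O\d+) - (.*)", line)
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "R1" and "ProxyServer" in rest:
        host = re.search(r"=\s*(?:http=)?([\w.]+):\d+\s*$", rest)
        if host and host.group(1) in ("127.0.0.1", "localhost"):
            return "browser proxy points at a local port (traffic interception)"
    if kind in ("O2", "O20", "O21", "O22") and "(file missing)" in rest:
        return "load point whose DLL is already gone (leftover of removed malware)"
    if kind == "O4" and "rundll32" in rest.lower():
        return "Run key starts a DLL via Rundll32 (hint only; some legitimate software does this too)"
    if kind == "O17" and "NameServer =" in rest:
        servers = [s.strip() for s in rest.split("NameServer =", 1)[1].split(",")]
        external = [s for s in servers if not _is_lan(s)]
        if external:
            return "DNS overridden with resolver(s) outside the LAN: " + ", ".join(external)
    if kind == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
        return "AppInit_DLLs injects DLLs into every user-mode process"
    return None

def triage(lines):
    """Map each flagged line to its reason; lines that look clean are left out."""
    return {ln: reason for ln in lines if (reason := classify(ln))}
```

Calling triage(SAMPLE_HJT) flags the first five lines and leaves the Bonjour service entry alone; the O4 rule is deliberately a hint only, since legitimate software also uses Rundll32.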


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: AntiMalware Doctor

Post by Misteretc on Wed Mar 31, 2010 2:05 am

Thanks, I did as you asked. Everything went well except for the Malwarebytes' Anti-Malware installation. I ran it and updated it, however when I tried to run it, I got this pop-up/error message...

"Missing Shortcut

Windows is searching for mbam.exe. To locate the file yourself, click Browse."

Re: AntiMalware Doctor

Post by Belahzur on Wed Mar 31, 2010 1:06 pm

Download [You must be registered and logged in to see this link.]

  • Load SuperAntiSpyware and click the Check for updates button.
  • Once the update is finished click the Scan your computer button.
  • Check Perform Complete Scan and then next.
  • SuperAntiSpyware will now scan your computer and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.

Re: AntiMalware Doctor

Post by Misteretc on Thu Apr 01, 2010 8:51 am

Thanks! Will do...

Re: AntiMalware Doctor

Post by Misteretc on Thu Apr 01, 2010 10:22 am

Okay, a couple of problems...

1). I found Antivirus XP running on my computer this morning. I used RKILL to get it to stop.

2). I downloaded and ran SuperAntiSpyware, but couldn't get the log at first. It told me I needed to reboot to get some of the viruses off.

3). I rebooted and found I could not get into any of the files. (I got the popup where it asked me which program to use to open the file. I couldn't open SuperAntiSpyware).

4). So I ran combo-fix again, and after I did everything seemed to work again. I was able to get the SuperAntiSpyware log and here it is...

SUPERAntiSpyware Scan Log

Generated 04/01/2010 at 05:28 AM

Application Version : 4.35.1000

Core Rules Database Version : 4756
Trace Rules Database Version: 2568

Scan type : Complete Scan
Total Scan Time : 00:34:16

Memory items scanned : 572
Memory threats detected : 1
Registry items scanned : 6056
Registry threats detected : 7
File items scanned : 24688
File threats detected : 35

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\ANN\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\DOCUMENTS AND SETTINGS\ANN\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE

Adware.Vundo/Variant-Senorita
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{940d0ca2-1da7-4c85-b314-52a878575b57}
HKCR\CLSID\{940D0CA2-1DA7-4C85-B314-52A878575B57}
HKCR\CLSID\{940D0CA2-1DA7-4C85-B314-52A878575B57}\InprocServer32
HKCR\CLSID\{940D0CA2-1DA7-4C85-B314-52A878575B57}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SIKAFEMU.DLL
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{940D0CA2-1DA7-4C85-B314-52A878575B57}
HKU\S-1-5-21-436374069-515967899-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{940D0CA2-1DA7-4C85-B314-52A878575B57}
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{940D0CA2-1DA7-4C85-B314-52A878575B57}
C:\_OTM\MOVEDFILES\03282010_215222\C_WINDOWS\SYSTEM32\TALOZIKU.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Ann\Cookies\ann@pointroll[2].txt
C:\Documents and Settings\Ann\Cookies\ann@advertise[1].txt
C:\Documents and Settings\Ann\Cookies\ann@tripod[1].txt
C:\Documents and Settings\Ann\Cookies\ann@realmedia[1].txt
C:\Documents and Settings\Ann\Cookies\ann@ads.pointroll[2].txt
C:\Documents and Settings\Ann\Cookies\ann@trafficmp[1].txt
C:\Documents and Settings\Ann\Cookies\ann@collective-media[1].txt
C:\Documents and Settings\Ann\Cookies\ann@interclick[2].txt
C:\Documents and Settings\Ann\Cookies\ann@statcounter[2].txt
C:\Documents and Settings\Ann\Cookies\ann@counter.surfcounters[1].txt
C:\Documents and Settings\Ann\Cookies\ann@ad.yieldmanager[2].txt
C:\Documents and Settings\Ann\Cookies\ann@doubleclick[1].txt
C:\Documents and Settings\Ann\Cookies\ann@ad.wsod[3].txt
C:\Documents and Settings\Ann\Cookies\ann@zedo[2].txt
C:\Documents and Settings\Ann\Cookies\ann@atdmt[1].txt
C:\Documents and Settings\Ann\Cookies\ann@invitemedia[2].txt
C:\Documents and Settings\Ann\Cookies\ann@bizzclick[1].txt
C:\Documents and Settings\Ann\Cookies\ann@msnportal.112.2o7[1].txt
C:\Documents and Settings\Ann\Cookies\ann@overture[1].txt
C:\Documents and Settings\Ann\Cookies\ann@tribalfusion[2].txt
C:\Documents and Settings\Ann\Cookies\ann@revsci[2].txt
C:\Documents and Settings\Ann\Cookies\ann@ad.wsod[2].txt
C:\Documents and Settings\Ann\Cookies\ann@imrworldwide[2].txt
C:\Documents and Settings\Ann\Cookies\ann@lfstmedia[2].txt
C:\Documents and Settings\Ann\Cookies\ann@media6degrees[2].txt
C:\Documents and Settings\Ann\Cookies\ann@specificmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@businessfind[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@dc.tremormedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@[You must be registered and logged in to see this link.]

Adware.Vundo/Variant-Nx
C:\_OTM\MOVEDFILES\03282010_215222\C_WINDOWS\SYSTEM32\BIZIVATA.DLL

Adware.Vundo/Variant-[Fixed]
C:\_OTM\MOVEDFILES\03282010_215222\C_WINDOWS\SYSTEM32\RIWOZUBI.DLL
C:\_OTM\MOVEDFILES\03282010_215222\C_WINDOWS\SYSTEM32\TISIBUFU.DLL

Re: AntiMalware Doctor

Post by Misteretc on Thu Apr 01, 2010 10:23 am

To be safe I'm going to shut down this computer. I will use my laptop to check for your responses.

Re: AntiMalware Doctor

Post by Belahzur on Thu Apr 01, 2010 11:37 pm

Hello.
Is the machine running any better now? SAS should have caught most of it.

Re: AntiMalware Doctor

Post by Misteretc on Fri Apr 02, 2010 1:46 am

It does seem to be working a lot better. Even the issue in my browser when I would do searches is gone. Thanks!

Re: AntiMalware Doctor

Post by Misteretc on Fri Apr 02, 2010 10:40 am

I found some more stuff on there this morning and ran the Super Antispyware program. It seems to have worked and here's the log...

SUPERAntiSpyware Scan Log

Generated 04/02/2010 at 06:37 AM

Application Version : 4.35.1000

Core Rules Database Version : 4760
Trace Rules Database Version: 2572

Scan type : Complete Scan
Total Scan Time : 00:29:05

Memory items scanned : 623
Memory threats detected : 0
Registry items scanned : 6034
Registry threats detected : 0
File items scanned : 24674
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Ann\Cookies\ann@ad.wsod[3].txt

Re: AntiMalware Doctor

Post by Belahzur on Fri Apr 02, 2010 1:45 pm

Cookies are nothing to worry about; everyone has them, and they are used by your browsers.

Re: AntiMalware Doctor

Post by Misteretc on Sat Apr 03, 2010 10:13 am

Oh sure, so I put it to its paces last night, no anomalies. So I'm considering my machine healed. Thanks sooooo much for your patience and help. Have a safe and happy Easter Belahzur!

Thank You!
