
Thread: Had Malware Doctor problem and then it got better, or so I thought

    #1  Junior Member (joined Aug 2010, 8 posts)

    Had Malware Doctor problem and then it got better, or so I thought

    Here are the details of my problem. Hope someone can help. I began getting weird popups in my Firefox browser saying my computer was infected and to download Malware Doctor (later found out it was a virus). Then AVG 9.0 told me I had trojans and viruses. I ran the following tools to help clean my laptop:

    AVG 9.0
    Spybot search and Destroy
    CWS Shredder
    AdAware
    Malwarebytes


    After running these programs I had no more notifications of problems, BUT I am still getting a popup from AVG 9.0 telling me (a few minutes after starting my computer) that a Trojan was blocked. Now my computer is running a little slower and I am fearful of logging into my online bank account due to fears of a virus getting my personal banking or email passwords.

    To make things worse, I can't download the DDS files program (the files download as a Binary file and won't run). Not sure what is going on but would appreciate the help.

    I run Windows XP.

    Forgot to mention that I am still getting popup windows in Firefox with links to spam sites.

    Any chance I can get some help?

    Waiting for help in the Malware Forum FOUR days or longer?
    Last edited by tashi; 2010-08-24 at 05:44. Reason: Merged two posts, provided link :-)

    #2  Senior Member, Port Hedland, Western Australia (joined Feb 2010, 155 posts)

    Hello & Welcome to Safer-Networking

    Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

    In the meantime please note the following:
    • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
    • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
      1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
      2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
    • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
    • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
    Please note that the forum is very busy and if I don't hear from you within four days this thread will be closed.
    If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

    Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

    Because of this, I advise you to backup any personal files and folders before you start.

    Thanks

    DDS
    Download DDS.scr by sUBs from one of the following links & save it to your desktop.
    Link 1
    Link 2
    • Double-Click on dds.scr and a command window will appear. This is normal
    • Shortly after, two logs will appear, DDS.txt & Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
    Gmer
    Download GMER Rootkit Scanner from here & save it to your desktop.
    • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO


    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
    • Save it where you can easily find it, such as your desktop, and post it in reply
    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

    Do not run any programs while Gmer is running.

    NOTE: If you cannot run GMER as indicated above, save a scan from the initial startup scan.
    • Before scanning, make sure all other running programs are closed & no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan
    • Double click the gmer.exe file
    • The program will begin to run & perform an initial scan. If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No
    • After the "initial scan" is complete, click on the Save button, save the log file to your desktop & post it in your reply
    To post in next reply:
    Contents of DDS log
    Contents of Attach.txt
    Contents of Gmer log

    #3  Junior Member (joined Aug 2010, 8 posts)

    Thanks for the help! Well, I ran into a problem right at the start. I can't download the DDS or the GMER programs. My laptop is old but I don't think it's THAT old.

    Here is a screen shot of the icons when I download them onto my laptop.
    http://i36.tinypic.com/ncmqew.jpg

    What should I do?

    #4  Senior Member, Port Hedland, Western Australia (joined Feb 2010, 155 posts)

    So is the problem actually downloading them or running them?

    If it is downloading them, try downloading from a known clean computer, then transfer them to the infected machine via some type of removable media - a CD would be the safest way.

    If it is running them, then it may be a file association error. Do you get any error messages?

    You could try renaming DDS to DDS.com or DDS.pif
    Same with Gmer change the Gmer file extension to .com or .pif
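    The helper above suspects a file-association error. A check for that, added here as an example that is not the forum's, DDS's or GMER's code: it compares the (Default) launch commands behind .exe, .scr, .com, .pif and .bat in a registry export against the Windows XP defaults and writes a .reg file that restores them. It assumes the export was made on the suspect machine with `reg export HKCR\exefile exefile.reg` (and likewise for scrfile, comfile, piffile, batfile and the extension keys); the export embedded in the block is constructed, and the loader path in it is invented.

```python
"""Check the launch commands behind .exe/.scr/.com/.pif/.bat against XP defaults.

Added example for this thread; not the forum's, DDS's or GMER's code.
Input is text in the format that regedit and `reg export` write, so it can
be run on an export copied off the suspect machine.  SAMPLE_EXPORT below is
constructed for illustration; the loader path in it is invented.
"""
import re

# (Default) values as shipped with Windows XP.  A rogue "antivirus" that
# hijacks these keys inserts its own loader in front of "%1", or points the
# extension at a ProgID of its own.
XP_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\.scr": "scrfile",
    r"HKEY_CLASSES_ROOT\.com": "comfile",
    r"HKEY_CLASSES_ROOT\.pif": "piffile",
    r"HKEY_CLASSES_ROOT\.bat": "batfile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\piffile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": '"%1" %*',
}

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_DEFAULT_VALUE = re.compile(r'^@="(.*)"\s*$')


def _unescape(value):
    """Undo .reg escaping: a backslash-escaped character stands for itself."""
    return re.sub(r'\\(.)', r'\1', value)


def _escape(value):
    """Apply .reg escaping to a string value."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def parse_default_values(reg_text):
    """Map each [key] (lower-cased) to its (Default) string value."""
    values, section = {}, None
    for line in reg_text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = _DEFAULT_VALUE.match(line)
        if m and section is not None:
            values[section] = _unescape(m.group(1))
    return values


def find_hijacked(reg_text):
    """Return {key: actual} for each exported key whose value differs from the XP default.

    Keys missing from the export are not reported, so export every key first.
    """
    values = parse_default_values(reg_text)
    bad = {}
    for key, expected in XP_DEFAULTS.items():
        actual = values.get(key.lower())
        if actual is not None and actual.strip().lower() != expected.lower():
            bad[key] = actual
    return bad


def repair_reg_text(hijacked):
    """Produce a .reg file that resets each reported key to the XP default."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted(hijacked):
        lines += ["[%s]" % key, '@="%s"' % _escape(XP_DEFAULTS[key]), ""]
    return "\r\n".join(lines)


# Constructed export: .scr launches are routed through an invented loader,
# one shape of hijack a helper checks for when a downloaded .scr "won't run".
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.scr]
@="scrfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\ldr\\loader.exe\" \"%1\" /S"
'''

if __name__ == "__main__":
    found = find_hijacked(SAMPLE_EXPORT)
    for key, actual in found.items():
        print("HIJACKED %s -> %s" % (key, actual))
    print(repair_reg_text(found))
```

    On XP, `reg export` writes the file as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in. If the hijack also blocks reg.exe or regedit from starting, take the export from Safe Mode; and as the helper says above, apply a repair .reg only when a helper has asked for it.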

    #5  Junior Member (joined Aug 2010, 8 posts)

    Here is the error when I try to download the DDS file #1
    http://i38.tinypic.com/bgxowx.jpg


    Here is the screen when I try to download the DDS file #2
    http://i36.tinypic.com/n1s2lc.jpg


    Here is the screen when I try to download the Gmer file
    http://i38.tinypic.com/2klmdd.jpg

    I tried adding the .com and .pif extensions and it still doesn't work. I can download other items but not these programs. I don't have access to another computer to download these files onto a CD. I have AVG running; could it be that it's blocking these files from downloading? If I turn it off, how vulnerable will my computer be?

    Thanks

    #6  Senior Member, Port Hedland, Western Australia (joined Feb 2010, 155 posts)

    Hi

    We'll try one more thing before trying another set of tools. Reboot your computer & when it restarts quickly tap the F8 key to bring up the Windows Advanced Options Menu. Scroll down to Safe Mode with Networking & press Enter. This will bring you into Safe Mode but still give you Internet access.
    Delete the copies of DDS & Gmer you already have & try to download & run them again from within Safe Mode

    #7  Junior Member (joined Aug 2010, 8 posts)

    Thanks for the suggestion! I was able to download the links for DDS and Gmer in Safe Mode with Networking like you suggested. But there is bad news: when I ran the Gmer program it took 3 hours to scan and then when it was done, there was no link to save the file (because the screen was cut off in Safe Mode). Any suggestions?

    I was however able to get the 2 DDS logs. They are both below:

    DDS ATTACH log
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/5/2007 6:40:45 PM
    System Uptime: 8/26/2010 7:34:32 PM (0 hours ago)

    Motherboard: Hewlett-Packard | | 002A
    Processor: Mobile Intel(R) Celeron(R) CPU 1.80GHz | WMT478/NWD | 1794/mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 28 GiB total, 5.989 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP435: 5/21/2010 7:36:08 PM - System Checkpoint
    RP436: 6/7/2010 8:12:50 PM - System Checkpoint
    RP437: 6/8/2010 9:33:44 PM - System Checkpoint
    RP438: 6/10/2010 8:50:04 PM - System Checkpoint
    RP439: 6/11/2010 11:47:00 PM - System Checkpoint
    RP440: 6/14/2010 8:00:41 PM - System Checkpoint
    RP441: 6/17/2010 10:31:18 PM - System Checkpoint
    RP442: 6/19/2010 10:32:25 PM - System Checkpoint
    RP443: 7/8/2010 9:34:35 PM - Avg8 Update
    RP444: 7/10/2010 10:32:32 AM - Avg8 Update
    RP445: 7/10/2010 10:35:08 AM - Avg8 Update
    RP446: 7/15/2010 7:56:02 PM - System Checkpoint
    RP447: 7/16/2010 8:45:27 PM - System Checkpoint
    RP448: 7/19/2010 7:31:31 PM - System Checkpoint
    RP449: 7/19/2010 9:34:13 PM - Removed Logitech Vid.
    RP450: 7/19/2010 9:35:44 PM - Removed Logitech Vid.
    RP451: 7/19/2010 9:38:20 PM - Removed Logitech Vid.
    RP452: 7/19/2010 10:36:38 PM - Removed Logitech Vid.
    RP453: 7/19/2010 10:41:18 PM - Removed Bonjour
    RP454: 7/21/2010 12:12:54 PM - 7-21-10
    RP455: 7/22/2010 10:00:42 PM - Installed AVG 9.0
    RP456: 7/26/2010 10:21:52 PM - Avg8 Update
    RP457: 7/26/2010 10:31:30 PM - Avg Update
    RP458: 8/17/2010 10:21:14 PM - System Checkpoint
    RP459: 8/21/2010 7:23:41 PM - System Checkpoint

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Stock Photos 1.0
    Apple Mobile Device Support
    Apple Software Update
    AVG 9.0
    Compatibility Pack for the 2007 Office system
    Hotfix for Windows XP (KB909394)
    iTunes
    Logitech Audio Echo Cancellation Component
    Logitech QuickCam
    Logitech Video Enumerator
    Logitech® Camera Driver
    Malwarebytes' Anti-Malware
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.11)
    MVision
    Skype™ 4.2
    Spybot - Search & Destroy
    upapp
    Update for Windows XP (KB898461)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix - KB894476
    Windows XP Service Pack 2

    ==== Event Viewer Messages From Past Week ========

    8/26/2010 7:39:20 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    8/26/2010 7:35:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 cdudf_xp Fips intelppm
    8/26/2010 7:35:55 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/22/2010 12:52:37 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
    8/22/2010 12:52:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Ati HotKey Poller service to connect.
    8/22/2010 12:52:37 PM, error: Service Control Manager [7000] - The Ati HotKey Poller service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/22/2010 12:52:34 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    8/22/2010 12:52:34 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================


    Here is the DDS log

    DS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by JR at 19:42:55.72 on Thu 08/26/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.623 [GMT -5:00]

    AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\TEMP.CPQ73745201364\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    uWindow Title = Microsoft Internet Explorer provided by Compaq
    uSearch Bar = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
    mDefault_Page_URL = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    uInternet Connection Wizard,ShellNext = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
    BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_03\bin\npjpi150_03.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\temp~1.cpq\applic~1\mozilla\firefox\profiles\h8dy4cw1.default\
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPJPI150_03.dll
    FF - plugin: c:\program files\java\jre1.5.0_03\bin\NPOJI610.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
    FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    ============= SERVICES / DRIVERS ===============

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-1-6 52872]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-6 243024]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1355416]
    R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [2003-3-7 16512]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-6 216400]
    S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-6 29584]
    S2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-26 921952]
    S2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-26 308136]
    S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [2003-3-7 26112]
    S3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2003-3-7 291328]
    S3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2003-3-7 244608]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [2003-3-7 57344]

    =============== Created Last 30 ================

    2010-08-05 02:36:16 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-03 04:47:05 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-02 04:54:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-07-29 04:54:42 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-29 04:52:23 0 d-----w- c:\program files\Lavasoft

    ==================== Find3M ====================

    2010-08-27 00:15:48 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-07-27 03:29:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-27 03:29:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-27 03:28:08 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-27 03:28:03 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-07-19 03:13:10 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys

    ============= FINISH: 19:45:06.85 ===============
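    A first triage pass over DDS output, added here as an example that is not the forum's code and not part of DDS. It reads the Pseudo HJT, Running Processes and Find3M sections and flags the lines a helper looks at first: hosts-file entries that point a security site at 127.0.0.1, BHO registrations with no file behind them, zero-byte .sys files in system32\drivers, autostart entries launched from a profile or temp directory, and paths under a TEMP.* profile (which normally means Windows could not load the user's own profile and built a temporary one; the log above shows DDS run by JR but from TEMP.CPQ73745201364). The rules and keyword list are my assumptions about what deserves a second look, not verdicts; SAMPLE_DDS is constructed in the DDS format, with a few lines copied from the log posted above.

```python
"""Triage pass over a DDS log: flag the lines a helper reads first.

Added example for this thread; not the forum's code and not part of DDS.
The rules and the keyword list are assumptions about what is worth a
second look, not verdicts.  SAMPLE_DDS is constructed in the DDS format,
with a few lines copied from the log posted in the thread.
"""
import re

# Hostnames malware commonly maps to 127.0.0.1 to keep help sites unreachable.
SECURITY_KEYWORDS = ("spyware", "malware", "antivirus", "avg", "symantec",
                     "mcafee", "kaspersky", "microsoft", "safer-networking")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")

_HEADER = re.compile(r"^=+\s*(.+?)\s*=+$")
_HOSTS = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
_RUN = re.compile(r"^[umd]Run:\s+\[[^\]]*\]\s+(.+?)\s*$")
# "<date> <time> <size> <attrs> <path>" lines of the Created/Find3M sections.
_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+\S+\s+(.+?)\s*$")
# Windows loads a profile named TEMP (or TEMP.<computername>) when the
# user's own profile cannot be loaded; its 8.3 form is TEMP~1.
_TEMP_PROFILE = re.compile(r"(documents and settings|docume~1)\\temp[.~]", re.I)
_PROFILE_OR_TEMP = re.compile(r"\\(documents and settings|docume~1|temp)\\", re.I)


def triage_dds(log_text):
    """Return a list of (severity, rule, line) tuples in log order."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            section = m.group(1).lower()
            continue
        low = line.lower()

        if _TEMP_PROFILE.search(line):
            findings.append(("medium", "path under a temporary Windows profile", line))
        if (section == "running processes" and "\\documents and settings\\" in low
                and low.endswith(EXECUTABLE_EXTS)):
            findings.append(("low", "process running from a user profile directory", line))
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(("low", "orphaned BHO registration (CLSID with no file)", line))

        m = _HOSTS.match(line)
        if m:
            ip, host = m.groups()
            if ip in ("127.0.0.1", "0.0.0.0") and any(k in host.lower() for k in SECURITY_KEYWORDS):
                findings.append(("high", "hosts file blocks a security-related site", line))
            else:
                findings.append(("low", "non-default hosts file entry", line))

        m = _RUN.match(line)
        if m and _PROFILE_OR_TEMP.search(m.group(1)):
            findings.append(("medium", "autostart entry launches from a profile or temp directory", line))

        m = _FILE.match(line)
        if m:
            size, path = int(m.group(1)), m.group(2).lower()
            if size == 0 and path.endswith(".sys") and "\\drivers\\" in path:
                findings.append(("high", "zero-byte driver file in system32\\drivers", line))
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample in the DDS format (some lines copied from the posted log).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Documents and Settings\TEMP.CPQ73745201364\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\temp~1.cpq\applic~1\mozilla\firefox\profiles\h8dy4cw1.default

==================== Find3M ====================

2010-08-27 00:15:48 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-07-27 03:29:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-19 03:13:10 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys
"""

if __name__ == "__main__":
    for sev, rule, line in triage_dds(SAMPLE_DDS):
        print("[%s] %s: %s" % (sev.upper(), rule, line))
```

    Run against the posted log, the same rules raise the hosts entry for www.spywareinfo.com, the two dead BHO CLSIDs, the TEMP.CPQ... profile paths and the zero-byte rhckjr.sys, while AVG's own drivers and the zero-byte lvuvc.hs (a Logitech data file, not a driver) stay quiet. A hit means "ask the helper about this line", not "delete it": GMER's own caution about false positives applies to any automated read of these logs.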

    #8  Senior Member, Port Hedland, Western Australia (joined Feb 2010, 155 posts)

    Hi

    WARNING!!!

    You are running a version of Windows that is no longer supported. You need to be aware that once an operating system is no longer supported there will be no further Microsoft Updates issued for that operating system. If you are running XP SP2, or running Vista with no Service Packs installed, be forewarned that those unpatched operating systems will soon become prime targets for malware infestations unless you take steps to bring them up to date by installing the required Service Pack for your system.

    http://windows.microsoft.com/en-us/w...f-support-mean

    Support for Windows Vista without any service packs ended on April 13, 2010. To continue support, make sure you've installed Windows Vista SP2.
    Support for Windows XP with Service Pack 2 (SP2) ended on July 13, 2010. To continue support, make sure you've installed Windows XP Service Pack 3 (SP3).
    IMPORTANT: The above mentioned Service Packs should only be installed on a malware free computer.
    So wait until I have given the All Clean.

    NOTE: 64 bit Windows XP SP2 will still receive security updates as there is no SP3 for 64 bit XP.

    Support for Windows XP SP1 ended on October 10, 2006.


    Leave Gmer for now. We'll come back to it if needed.

    Stay in Safe Mode with Networking for this next instruction as you will need to download another tool. If ComboFix needs to reboot the computer, make sure you boot back to Safe Mode to allow it to finish. Once it has produced its log, then reboot back to Normal Mode:

    ComboFix
    Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
    Link 1
    Link 2

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
      A guide to do this can be found here
    • Double click on ComboFix.exe & follow the prompts
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
    A word of warning: Neither I nor sUBs is responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    To post in next reply:
    ComboFix log
    Update on how the computer is running

    #9  Junior Member (joined Aug 2010, 8 posts)

    Thanks so much for all your help! If this works then you guys have saved me from purchasing a new laptop. Is there a place I can make a donation for your help?

    I'm still testing out my computer but so far everything seems to be running ok (after Combofix I reactivated my AVG 9 virus detection) and below is the log file.

    Is it OK to download the service packs you referenced?

    ComboFix log
    ComboFix 10-08-27.03 - JR 2008 08/28/2010 12:08:10.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.605 [GMT -5:00]
    Running from: c:\documents and settings\TEMP.CPQ73745201364\Desktop\ComboFix.exe
    AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\certstore.dat
    c:\windows\system32\dfttuyo.txt
    c:\windows\system32\Install.txt

    ----- BITS: Possible infected sites -----

    hxxp://download.yimg.com
    Infected copy of c:\windows\system32\drivers\pcmcia.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-28 )))))))))))))))))))))))))))))))
    .

    2010-08-27 00:39 . 2010-08-27 00:39 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\AVG Security Toolbar
    2010-08-27 00:36 . 2010-08-27 00:36 -------- d-----w- c:\documents and settings\TEMP.CPQ73745201364\Local Settings\Application Data\Mozilla
    2010-08-05 02:36 . 2010-08-05 02:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-08-03 04:47 . 2010-08-03 04:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-08-02 18:25 . 2010-08-02 18:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-08-02 04:54 . 2010-07-12 08:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-28 17:23 . 2010-03-28 19:27 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
    2010-08-24 04:24 . 2010-03-28 17:34 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Skype
    2010-08-03 13:39 . 2007-10-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-07-29 04:55 . 2010-07-29 04:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
    2010-07-29 04:52 . 2010-07-29 04:52 -------- d-----w- c:\program files\Lavasoft
    2010-07-29 04:52 . 2009-01-04 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-07-29 04:46 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-07-27 03:29 . 2009-01-07 02:19 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-27 03:29 . 2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-27 03:29 . 2009-01-07 02:19 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-07-27 03:28 . 2009-01-07 02:19 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-27 03:28 . 2009-01-07 02:20 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-07-23 03:01 . 2010-07-23 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-07-23 03:01 . 2009-01-07 02:19 -------- d-----w- c:\program files\AVG
    2010-07-21 04:18 . 2007-06-05 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
    2010-07-21 04:18 . 2008-07-10 04:25 -------- d-----w- c:\program files\FolderAccess
    2010-07-20 04:06 . 2010-07-20 04:06 -------- d-----w- c:\documents and settings\JR 2008\Application Data\Malwarebytes
    2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-20 04:05 . 2010-07-20 04:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-20 03:36 . 2010-03-28 19:18 -------- d-----w- c:\program files\Logitech
    2010-07-20 03:11 . 2010-07-20 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Temp
    2010-07-19 03:13 . 2010-07-19 03:06 0 ----a-w- c:\windows\system32\drivers\rhckjr.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-27 2065760]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-27 03:29 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
    path=c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    backup=c:\windows\pss\Antimalware Doctor.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    2007-08-12 23:26 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2002-08-15 01:29 290816 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
    2002-10-23 21:19 176197 ----a-w- c:\program files\HPQ\Default Settings\Cpqset.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Display Settings]
    2002-08-15 14:26 45056 ----a-w- c:\program files\HPQ\Notebook Utilities\hptasks.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
    2002-11-03 19:56 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
    2007-02-08 07:12 488984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    2007-02-08 07:13 774168 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PreloadApp]
    2001-12-12 15:05 36864 ----a-w- c:\hp\drivers\printers\photosmart\HPHprld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QT4HPOT]
    2003-01-30 22:53 106496 ----a-w- c:\program files\HPQ\One-Touch\ONETOUCH.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
    2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2005-04-13 08:48 36975 ----a-w- c:\program files\Java\jre1.5.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
    2003-01-03 13:11 577536 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
    2003-01-03 13:12 126976 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2003-03-07 16:57 151597 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SavRoam"=3 (0x3)
    "NICSer_WPC54G"=2 (0x2)
    "LiveUpdate"=3 (0x3)
    "HPWirelessMgr"=2 (0x2)
    "HPConfig"=2 (0x2)
    "gusvc"=3 (0x3)
    "LckFldService"=2 (0x2)
    "LVSrvLauncher"=2 (0x2)
    "LVPrcSrv"=2 (0x2)
    "iPod Service"=3 (0x3)
    "Bonjour Service"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "Adobe LM Service"=3 (0x3)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/6/2009 9:20 PM 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/6/2009 9:19 PM 216400]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/6/2009 9:19 PM 243024]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/26/2010 10:28 PM 921952]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/26/2010 10:28 PM 308136]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1355416]
    R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [3/7/2003 11:42 AM 291328]
    R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [3/7/2003 11:42 AM 244608]
    R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [3/7/2003 11:38 AM 16512]
    S3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\aliirda.sys [3/7/2003 11:39 AM 26112]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 10:22 PM 15008]
    S3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [3/7/2003 11:39 AM 57344]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/19/2007 5:12 PM 715248]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:22]

    2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uInternet Connection Wizard,ShellNext = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\JR 2008\Application Data\Mozilla\Firefox\Profiles\d5hq0fq3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.drudgereport.com
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
    FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
    FF - HiddenExtension: XULRunner: {3E5880AA-84A0-4D93-93DA-52E8EFD93CE6} - c:\documents and settings\JR 2008\Local Settings\Application Data\{3E5880AA-84A0-4D93-93DA-52E8EFD93CE6}

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
    Notify-NavLogon - (no file)
    MSConfigStartUp-070700Setup - c:\documents and settings\JR 2008\Application Data\CD0DAF0C9C56A4650FD675EEF6E0A157\070700Setup.exe
    MSConfigStartUp-Cheyefoqesodamap - c:\windows\exafiziwesifi.dll
    MSConfigStartUp-Fvibotoced - c:\windows\FCowcp.dll
    MSConfigStartUp-MChk - c:\windows\system32\feazp.exe
    MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
    MSConfigStartUp-pfqykkcl - c:\documents and settings\JR 2008\Local Settings\Application Data\fmprpitlg\sptylkvtssd.exe
    MSConfigStartUp-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
    MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
    MSConfigStartUp-sta - seazp.dll
    MSConfigStartUp-sxuluj - c:\windows\system32\msmxjchn.dll
    MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-28 12:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\System32\wdfmgr.exe
    c:\program files\AVG\AVG9\avgam.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-28 12:40:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-28 17:39

    Pre-Run: 6,865,301,504 bytes free
    Post-Run: 7,285,133,312 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 40895D3B22D680C06CEB7012BE9D0ADD

  10. #10
    Senior Member
    Join Date
    Feb 2010
    Location
    Port Hedland, Western Australia
    Posts
    155

    Default

    Hi

    Leave updating to Service Pack 3 for the time being. There are still signs of infection & that could cause you problems while trying to install SP 3.

    GooredFix
    Download GooredFix from one of the locations below & save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed
    • To run the tool, double-click it
    • When prompted to run the scan, click Yes
    • GooredFix will check for infections, then a log will appear. Post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt)
    CFScript
    Close any open browsers.
    Open notepad and copy/paste the text in the code box below into it:

    Code:
    http://forums.spybot.info/showthread.php?t=59089
    Collect::
    c:\windows\system32\drivers\rhckjr.sys
    File::
    c:\documents and settings\JR 2008\Start Menu\Programs\Startup\Antimalware Doctor.lnk
    c:\windows\pss\Antimalware Doctor.lnkStartup
    Registry::
    [-HKLM\~\startupfolder\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
    DDS::
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    Save this as CFScript.txt, in the same location as ComboFix.exe



    Referring to the picture above, drag CFScript into ComboFix.exe
    If prompted by ComboFix to update, please do so
    When finished, it shall produce a log for you at "C:\ComboFix.txt"
    **Note**
    When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    To post in next reply:
    GooredFix log
    ComboFix log
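A sanity check a defender can run before dragging a CFScript onto ComboFix: the code below parses the script's Collect::/File::/Registry:: sections and confirms that each target actually appears in the ComboFix log it was written from, so a mistyped or stray path stands out. This is an added example, not code from the helper, ComboFix or GooredFix; the CFScript and the log excerpt are constructed from the lines posted in this thread (the forum URL line is dropped, and the DDS:: section is parsed but not cross-checked).

```python
import re
# Constructed sample: the helper's CFScript from this thread, without the forum URL line.
CFSCRIPT = """\
Collect::
c:\\windows\\system32\\drivers\\rhckjr.sys
File::
c:\\documents and settings\\JR 2008\\Start Menu\\Programs\\Startup\\Antimalware Doctor.lnk
c:\\windows\\pss\\Antimalware Doctor.lnkStartup
Registry::
[-HKLM\\~\\startupfolder\\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
DDS::
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
"""

# Constructed excerpt of the ComboFix log lines those targets were taken from.
COMBOFIX_LOG = """\
2010-07-19 03:13 . 2010-07-19 03:06 0 ----a-w- c:\\windows\\system32\\drivers\\rhckjr.sys
[HKLM\\~\\startupfolder\\C:^Documents and Settings^JR 2008^Start Menu^Programs^Startup^Antimalware Doctor.lnk]
path=c:\\documents and settings\\JR 2008\\Start Menu\\Programs\\Startup\\Antimalware Doctor.lnk
backup=c:\\windows\\pss\\Antimalware Doctor.lnkStartup
"""

SECTION = re.compile(r"^([A-Za-z]+)::$")  # a directive header such as File::

def parse_cfscript(text):
    """Split a CFScript into {directive: [targets]}; text before the first header is ignored."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def crosscheck(script_text, log_text):
    """Return (directive, target, seen_in_log) for each Collect/File path and Registry key.
    A target that never appears in the log deserves a second look before the script is run."""
    log = log_text.lower()
    sections = parse_cfscript(script_text)
    results = []
    for directive in ("Collect", "File", "Registry"):
        for target in sections.get(directive, []):
            key = target
            if directive == "Registry" and key.startswith("[-"):
                key = "[" + key[2:]  # [-KEY] deletes the key; the log lists it as [KEY]
            results.append((directive, target, key.lower() in log))
    return results
```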
