Tech Support Forum
Status
Not open for further replies.

Registered · 10 Posts · Discussion Starter · #1 · (Edited)
Yesterday I started getting 'malware doctor' popups on my computer. I've run every single antivirus/anti-malware program I have and they haven't detected it. Also, it appears that what I have ISN'T malware doctor because the screenshots don't look anything like it. While the malware doctor shown in screenshots is a regular windows-looking program, the malware doctor on my computer is black with grey/red/green text and plays a rather obnoxious pig squealing sound whenever it "detects" a virus.

I also tried manually removing it, but the "malware doctor" files don't exist on my computer, further leading me to believe that what I have isn't the actual malware doctor virus (even though it has 'malware doctor' written all over it).

My computer has been under siege from malware for weeks now...I've done everything I can think of. I have more anti-virus and anti-malware programs on my computer than I can count (legit ones, such as Spyware Doctor and Malwarebytes) with guards out the yingyang, and I'm STILL getting this crap. I run these programs every day, and every day there's new malware on my computer...I'm really at the end of my rope. I hate that I might have to format my hard drive, but it's starting to look like I have no choice.

NOTE: This is the scan AFTER I managed to disable the active Malware Doctor process under task manager.

DDS:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Chu at 12:13:13.70 on Wed 05/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1372 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated) {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
D:\WINDOWS\system32\svchost -k rpcss
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
D:\WINDOWS\system32\svchost.exe -k NetworkService
D:\WINDOWS\system32\svchost.exe -k LocalService
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\LEXPPS.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Google\Gmail Notifier\gnotify.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\FlashGet\flashget.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\AIM6\aim6.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\System32\AshEvtSvc.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\AIM6\aolsoftware.exe
D:\Program Files\CyberLink\Shared Files\RichVideo.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\WINDOWS\system32\Pen_Tablet.exe
D:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
D:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
D:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
D:\WINDOWS\system32\Pen_Tablet.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\MSN Messenger\usnsvc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Chu\Desktop\dds.scr
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Documents and Settings\Chu\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - d:\program files\flashget\jccatch.dll
BHO: Microsoft copyright: {56bb6d01-7bd5-4458-a4ae-f03df643d6ee} - stfa.dll
TB: Proxy: {98a7c97a-4fff-4f6e-a313-d21bc759dd99} -
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - d:\program files\ask.com\GenericAskToolbar.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Aim6] "d:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [msnmsgr] "d:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Malware Doctor] d:\documents and settings\localservice.nt authority\application data\916653139.exe
uRun: [autochk] rundll32.exe d:\docume~1\locals~1.nta\protect.dll,[email protected]
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] d:\program files\google\gmail notifier\gnotify.exe
mRun: [avgnt] "d:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "d:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [Ad-Watch] d:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Flashget] d:\program files\flashget\flashget.exe /min
mRun: [UVS12 Preload] d:\program files\corel\corel videostudio 12\uvPL.exe
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malware Doctor] d:\documents and settings\localservice.nt authority\application data\916653139.exe
mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
mRun: [autochk] rundll32.exe d:\windows\system32\autochk.dll,[email protected]
dRun: [<NO NAME>] d:\windows\temp\tofehnztwv.exe
dRun: [uidenhiufgsduiazghs] d:\windows\temp\tofehnztwv.exe
dRun: [Diagnostic Manager] d:\windows\temp\1639392202.exe
dRun: [SYS32DLL] SYS32DLL
dRun: [autochk] rundll32.exe d:\windows\system32\config\system~1\protect.dll,[email protected]
StartupFolder: d:\documents and settings\chu\start menu\programs\startup\ChkDisk.dll
StartupFolder: d:\docume~1\chu\startm~1\programs\startup\chkdisk.lnk - d:\windows\system32\rundll32.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download All with FlashGet - d:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - d:\program files\flashget\jc_link.htm
IE: Copy to Semagic - d:\program files\semagic\copy.htm
IE: Semagic - d:\program files\semagic\link.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\program files\flashget\FlashGet.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - d:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.cdnetworks.co.kr/cdndist/neffynew/NeffyLauncher.cab
DPF: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A} - hxxp://www.flipviewer.com/exe/fvoem1.cab
DPF: {C8F5F737-2683-40B8-BFB6-47B15AC20A79} - hxxps://gash.gamania.co.jp/acxauth/cab/1_2_38/lcjggame.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: klogon - d:\windows\system32\klogon.dll
Notify: pmnnKCsr - pmnnKCsr.dll
Notify: WBSrv - d:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll ojcnpd.dll d:\windows\system32\nogezote.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 d:\windows\system32\nnnLcdBr

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;d:\windows\system32\drivers\kl1.sys [2007-4-28 110360]
R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-1-25 64160]
R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2009-5-19 130936]
R0 pnpshark;pnpshark;d:\windows\system32\drivers\pnpshark.sys [2003-10-2 119552]
R0 st3shark;st3shark;d:\windows\system32\drivers\st3shark.sys [2003-9-27 5504]
R1 avgio;avgio;d:\program files\avira\antivir personaledition premium\avgio.sys [2008-5-23 11840]
R1 klif;Klif;d:\windows\system32\drivers\klif.sys [2007-5-18 194320]
R2 AntiVirScheduler;Avira AntiVir Premium Scheduler;d:\program files\avira\antivir personaledition premium\sched.exe [2008-5-23 68865]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;d:\program files\avira\antivir personaledition premium\avwebgrd.exe [2008-5-23 258305]
R2 AshEvtSvc;AshEvtSvc;d:\windows\system32\ashevtsvc.exe -k netsvcs --> d:\windows\system32\AshEvtSvc.exe -k netsvcs [?]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;d:\program files\avira\antivir personaledition premium\avesvc.exe [2008-5-23 41217]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-5-19 348752]
R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-5-19 1095560]
R2 TabletServicePen;TabletServicePen;d:\windows\system32\Pen_Tablet.exe [2008-4-13 1373480]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;d:\windows\system32\drivers\klim5.sys [2007-4-4 24344]
S2 AVP;Kaspersky Anti-Virus 7.0;d:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2007-5-19 218640]
S3 AntiVirService;Avira AntiVir Premium Guard;d:\program files\avira\antivir personaledition premium\avguard.exe [2008-5-23 149761]
S3 avgntflt;avgntflt;d:\program files\avira\antivir personaledition premium\avgntflt.sys [2008-5-23 52032]
S3 npggsvc;nProtect GameGuard Service;d:\windows\system32\gamemon.des -service --> d:\windows\system32\GameMon.des -service [?]
S3 Revolution1;Revolution1;\??\d:\docume~1\chu\locals~1\temp\rar$ex07.734\gb\revolution_engine_8.3_shak3\shak3.sys --> d:\docume~1\chu\locals~1\temp\rar$ex07.734\gb\revolution_engine_8.3_shak3\SHAK3.sys [?]
S3 XDva164;XDva164;\??\d:\windows\system32\xdva164.sys --> d:\windows\system32\XDva164.sys [?]
S3 XDva186;XDva186;\??\d:\windows\system32\xdva186.sys --> d:\windows\system32\XDva186.sys [?]
S3 XDva189;XDva189;\??\d:\windows\system32\xdva189.sys --> d:\windows\system32\XDva189.sys [?]
S3 XDva190;XDva190;\??\d:\windows\system32\xdva190.sys --> d:\windows\system32\XDva190.sys [?]
S3 XDva222;XDva222;\??\d:\windows\system32\xdva222.sys --> d:\windows\system32\XDva222.sys [?]
S3 XDva224;XDva224;\??\d:\windows\system32\xdva224.sys --> d:\windows\system32\XDva224.sys [?]

=============== Created Last 30 ================

2009-05-20 12:03 29,184 a------- d:\windows\system32\stfa.dll
2009-05-20 09:52 23,552 a--sh--- d:\documents and settings\chu\protect.dll
2009-05-20 09:52 23,552 a--sh--- d:\windows\system32\autochk.dll
2009-05-20 09:52 28,672 a------- d:\windows\system32\lmn_setup.exe
2009-05-20 09:39 708 a------- d:\windows\system32\sft.res
2009-05-20 09:38 439 a------- d:\windows\system32\win32hlp.cnf
2009-05-19 16:17 159,600 a------- d:\windows\system32\drivers\pctgntdi.sys
2009-05-19 16:17 130,936 a------- d:\windows\system32\drivers\PCTCore.sys
2009-05-19 16:17 73,840 a------- d:\windows\system32\drivers\PCTAppEvent.sys
2009-05-19 16:17 <DIR> --d----- d:\program files\common files\PC Tools
2009-05-19 16:17 64,392 a------- d:\windows\system32\drivers\pctplsg.sys
2009-05-19 16:17 <DIR> --d----- d:\program files\Spyware Doctor
2009-05-19 16:17 <DIR> --d----- d:\docume~1\chu\applic~1\PC Tools
2009-05-19 16:17 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\PC Tools
2009-05-19 15:59 32,768 a------- d:\windows\system32\AshEvtSvc.exe
2009-05-18 14:27 <DIR> --d----- d:\windows\system32\AGEIA
2009-05-18 12:53 <DIR> --d----- d:\program files\盛大网络
2009-05-18 11:39 <DIR> --d----- d:\program files\NCSoft
2009-05-18 10:28 37,376 a------- d:\windows\system32\glsetup.exe
2009-05-15 11:50 1 a------- d:\windows\9g2234wesdf3dfgjf23
2009-05-15 11:50 13,824 a------- d:\windows\system32\SYS32DLL.exe
2009-05-08 08:27 66,048 a------- d:\windows\system32\lds.exe
2009-05-06 00:37 36,864 a------- d:\windows\system32\winglsetup.exe
2009-05-04 01:32 <DIR> --d----- d:\program files\MSN Messenger
2009-05-04 00:43 <DIR> --d----- d:\docume~1\chu\applic~1\Blitware
2009-05-03 19:52 <DIR> --d----- d:\program files\Eusing Free Registry Cleaner
2009-05-03 19:52 <DIR> --d----- d:\docume~1\chu\applic~1\Malwarebytes
2009-05-03 19:52 15,504 a------- d:\windows\system32\drivers\mbam.sys
2009-05-03 19:52 38,496 a------- d:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 19:52 <DIR> --d----- d:\program files\Malwarebytes' Anti-Malware
2009-05-03 19:52 <DIR> --d----- d:\docume~1\alluse~1.win\applic~1\Malwarebytes
2009-05-03 18:26 95 a------- d:\windows\wininit.ini
2009-05-03 16:42 23,040 a------- d:\windows\system32\ak1.exe
2009-05-03 12:32 104,960 a------- d:\windows\system32\userinit.exe
2009-05-03 03:07 335 a------- d:\windows\system32\Pen_Tablet.dat
2009-05-01 00:31 1,657,376 a------- d:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- d:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- d:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- d:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- d:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- d:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- d:\windows\system32\nvshell.dll
2009-05-01 00:31 73,728 a------- d:\windows\system32\nvtuicpl.cpl
2009-04-30 22:02 1,579,630 a------- d:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- d:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 663,552 a------- d:\windows\system32\nvcuvid.dll
2009-04-29 20:15 <DIR> --d----- d:\documents and settings\chu\Tracing
2009-04-29 20:11 <DIR> --d----- d:\program files\Windows Live SkyDrive
2009-04-29 19:57 <DIR> --d----- d:\program files\common files\Windows Live
2009-04-26 23:14 43,213 a------- D:\His-Test3StudyGuide.abw

==================== Find3M ====================

2009-05-19 18:13 68,104,992 a--sh--- d:\windows\system32\drivers\fidbox.dat
2009-05-19 18:13 4,044,320 a--sh--- d:\windows\system32\drivers\fidbox2.dat
2009-05-19 18:13 911,636 a--sh--- d:\windows\system32\drivers\fidbox.idx
2009-05-19 18:13 379,484 a--sh--- d:\windows\system32\drivers\fidbox2.idx
2009-05-03 16:36 52,224 a--sh--- d:\windows\system32\dararudi.exe
2009-05-03 02:48 81,920 a--sh--- d:\windows\system32\sejosobi.dll
2009-05-03 02:48 52,224 a--sh--- d:\windows\system32\vogasaya.exe
2009-04-30 22:02 9,994,240 a------- d:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- d:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- d:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- d:\windows\system32\nvcuda.dll
2009-04-30 22:02 806,912 a------- d:\windows\system32\nvapi.dll
2009-04-30 22:02 457,248 a------- d:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- d:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- d:\windows\system32\nvcod.dll
2009-04-27 04:53 15,688 a------- d:\windows\system32\lsdelete.exe
2009-04-27 04:52 64,160 a------- d:\windows\system32\drivers\Lbd.sys
2009-04-27 00:42 457,248 a------- d:\windows\system32\NVUNINST.EXE
2009-04-14 14:17 41,808 a------- d:\windows\system32\xfcodec.dll
2009-04-03 12:39 70,936 a------- d:\windows\system32\PhysXLoader.dll
2008-11-10 18:16 3,328,899 a------- d:\docume~1\chu\applic~1\GameCommUpdate.v53.exe
2008-05-26 11:25 0 a------- d:\program files\initdebug.nfo
2008-05-08 12:21 0 a------- d:\program files\QMStatusFile.txt
2007-08-22 17:41 24 a------- d:\program files\defaults.ini
2007-08-22 17:41 24 a------- d:\program files\components.ini
2007-08-14 09:25 3 a------- d:\program files\dxva_sig.txt
2007-08-09 09:21 6 a------- d:\docume~1\chu\applic~1\mmrpzlic.dat
2007-06-24 04:06 604 a---h--- d:\program files\STLL Notifier
2007-04-18 00:41 0 ----h--- d:\program files\AppUpdate.log
2004-05-06 12:11 4,289,024 a------- d:\program files\trial_setup.msi
2004-05-06 12:11 40,448 a------- d:\program files\trial_setup.exe
2004-05-06 12:11 777 a------- d:\program files\trial_setup.ini
1999-07-06 20:00 6 ---shr-- d:\windows\@@desktop.dat
2007-06-19 13:35 56 ---shr-- d:\windows\system32\BE77DE36E1.sys
2007-06-19 13:35 1,056 a--sh--- d:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:13:49.71 ===============
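Added example (not part of the original thread, and not code from DDS or any other tool named above): the reply that follows never spells out why the Pseudo HJT section above is alarming, so here is a short Python triage script that applies the checks an experienced reader makes against that section, run over lines copied from the log. It flags autostarts that launch from a temp directory or from a service-account profile, purely numeric or bare file names, every DLL in AppInit_DLLs, any LSA authentication package other than msv1_0, and the Registry Editor/Task Manager lockdown policies. The sample input is a constructed subset of the log above with a few benign entries left in as controls; the function names and heuristics are the example's own.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample: autostart lines copied from the DDS "Pseudo HJT Report" in the
# post above, with a few benign entries from the same log left in as controls.
SAMPLE_LOG = r"""uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Malware Doctor] d:\documents and settings\localservice.nt authority\application data\916653139.exe
mRun: [avgnt] "d:\program files\avira\antivir personaledition premium\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
dRun: [<NO NAME>] d:\windows\temp\tofehnztwv.exe
dRun: [Diagnostic Manager] d:\windows\temp\1639392202.exe
dRun: [SYS32DLL] SYS32DLL
BHO: Microsoft copyright: {56bb6d01-7bd5-4458-a4ae-f03df643d6ee} - stfa.dll
Notify: klogon - d:\windows\system32\klogon.dll
Notify: pmnnKCsr - pmnnKCsr.dll
AppInit_DLLs: wbsys.dll ojcnpd.dll d:\windows\system32\nogezote.dll
LSA: Authentication Packages = msv1_0 d:\windows\system32\nnnLcdBr
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
"""

RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO:\s+(?P<name>.*?):\s+\{(?P<clsid>[0-9a-fA-F-]+)\}\s+-\s+(?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>.*)$")
LSA_RE = re.compile(r"^LSA:\s+Authentication Packages\s*=\s*(?P<pkgs>.*)$")
POLICY_RE = re.compile(r"^[umd]Policies-system:\s+(?P<key>\w+)\s*=\s*(?P<val>\d+)")
# First program or DLL in a Run value: quoted, unquoted with spaces, or handed to rundll32.
TARGET_RE = re.compile(
    r'^(?:rundll32\.exe\s+)?"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?=[\s,"]|$)',
    re.IGNORECASE,
)

# DDS prefixes: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT (the logon-screen profile).
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr"}
SERVICE_PROFILE_MARKERS = ("localservice", "networkservice", "locals~1", "networ~1", "nt authority")


def run_target(cmd: str) -> str:
    """Return the file a Run value launches, or the raw value when no file is recognisable."""
    m = TARGET_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def path_findings(path: str) -> list[str]:
    """Location and naming heuristics that make an autostart worth a second look."""
    low = path.lower()
    if "\\" not in low:
        return ["bare file name with no directory: cannot be located or verified on disk"]
    reasons = []
    if "\\temp\\" in low:
        reasons.append("launches from a temp directory")
    if any(marker in low for marker in SERVICE_PROFILE_MARKERS):
        reasons.append("lives in a service-account profile (LocalService/NetworkService)")
    if PureWindowsPath(path).stem.isdigit():
        reasons.append("purely numeric file name")
    return reasons


def triage(report: str) -> list[tuple[str, str]]:
    """Scan DDS pseudo-HJT lines and return (entry, reason) pairs for anything suspicious."""
    findings: list[tuple[str, str]] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            target = run_target(m.group("cmd"))
            entry = f"{HIVES[m.group('hive')]} Run [{m.group('name')}] -> {target}"
            findings += [(entry, why) for why in path_findings(target)]
        elif m := BHO_RE.match(line):
            entry = f"BHO {{{m.group('clsid')}}} -> {m.group('path')}"
            findings += [(entry, why) for why in path_findings(m.group("path"))]
        elif m := NOTIFY_RE.match(line):
            entry = f"Winlogon Notify {m.group('name')} -> {m.group('path')}"
            findings += [(entry, why) for why in path_findings(m.group("path"))]
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is empty on a clean install; each DLL is loaded into every user32 process.
            for dll in m.group("dlls").split():
                findings.append((f"AppInit_DLLs -> {dll}", "injected into every user32 process; identify it"))
        elif m := LSA_RE.match(line):
            for pkg in m.group("pkgs").split():
                if pkg.lower() != "msv1_0":
                    findings.append((f"LSA Authentication Packages -> {pkg}",
                                     "extra package loaded into lsass.exe; the XP default is msv1_0 only"))
        elif m := POLICY_RE.match(line):
            if m.group("key") in LOCKDOWN_POLICIES and m.group("val") != "0":
                findings.append((f"Policy {m.group('key')} = {m.group('val')}",
                                 "Registry Editor/Task Manager lockdown; typical of rogue antivirus"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{entry}\n    {why}")
```

Every hit is a lead, not a verdict: an AppInit DLL can belong to a legitimate shell extension and a temp-directory launcher can be an installer's leftover, so identify each flagged file before deleting anything, in the same spirit as the warning about rootkit-scanner false positives given further down the thread.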
 


Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

It appears that you have two antivirus programs installed and running, Avira and Kaspersky. While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs. Please choose one to keep and uninstall the other via Add or Remove Programs in your Control Panel.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter · #3
Thanks for your help.

Unfortunately, the day after I made this post I was unable to access my computer at all (Windows froze on startup even under Safe Mode) and so I've formatted my hard drive and installed a fresh copy of Windows.

I've taken your suggestion and at the moment I only have Malwarebytes installed on my system, which comes up clean.

I am worried however that the virus somehow affected my BIOS. One of my case fans started spinning entirely too fast shortly after I got the virus, and that has not cleared up since the format. I do have a spare fan if it needs to be replaced; I would just like to make sure it's the actual fan that's messed up and not an error in BIOS.

Should I take this thread to one of the hardware forums, or is it possible the virus contaminated my BIOS in some way?
 

Premium Member · 29,790 Posts
Hello Aelle. Thanks for letting us know you reformatted.

I've taken your suggestion and at the moment I only have Malwarebytes installed on my system
MBAM is not an antivirus. You had both AVG and Kaspersky installed. Reinstall one of those, or another antivirus program of your choice.

------------------------------------------------------

Just to be sure, run gmer again and attach its log to your next reply.

Download GMER Rootkit Scanner from here: http://www.gmer.net/download.php and Save it to your Desktop.
  • Double-click gmer.exe to run it. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it to your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


------------------------------------------------------

As far as the case fan problem, I suggest you seek expert advice in our Windows XP Support Forum or Hardware Support Forum

------------------------------------------------------
 

Premium Member · 29,790 Posts
Scan from gmer is clean. I forgot to ask for a fresh dds scan.

Download DDS and Save it to your Desktop from here

Disable any script blocker, and then double-click dds.scr to run the tool.

Post the first log, DDS.txt, in your next reply.

-----------------------------------------------------
 

Registered · 10 Posts · Discussion Starter · #7
Here's the DDS scan.

As for the case fan, that problem was also resolved. I just put in a new fan and it's working fine now, so no need for a new thread.
 


Premium Member · 29,790 Posts
You need to get Avira installed back on this machine > http://www.free-av.com/

Don't forget to reinstall all the Windows Updates also.

Disable the real-time protections of your antivirus and antispyware applications, usually via a right-click on the System Tray icon. Please re-enable them after the scan.

  • Download ToolBarSD and Save it to your Desktop.
  • Double-click ToolBarSD.exe to run it.
  • Type the letter of your chosen language and press Enter
  • Click OK to the prompt.
  • Type 1 and press Enter
  • Please post the log, TB.txt, which it creates at C:\TB.txt in your next reply.
------------------------------------------------------
 

Premium Member · 29,790 Posts
D:\DOCUME~1\Lani\Recent\Adobe Photoshop CS3 + Crack.lnk
This is the main reason your computer is infected. Visiting crack sites/warez sites and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, uninstall any such applications.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

In 2006, a study revealed that 59% of keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.

------------------------------------------------------
 

Registered · 10 Posts · Discussion Starter · #11 · (Edited)
It's the *one* program I ever downloaded and used a crack for. Who can afford to spend $700 on Adobe Photoshop? It should be illegal to charge that much for an image editing program.

As for crack/warez sites, I've never visited one. I got the program from a search on ISOhunt, and the file itself was scanned before I ran it on my computer.

I read the rules. I assumed they were referring only to a valid copy of Windows, which I have. But if having that one program on my computer is enough to prevent me from getting any help on these forums; well, that's that, then. Thank you for your time.
 

Premium Member · 29,790 Posts
It's the *one* program I ever downloaded and used a crack for.
It's called *stealing*.

------------------------------------------------------
 