

Potential VirusDoctor threat?

Hello!

I'm running Vista with the latest version of Firefox and was browsing some lyrics website when, suddenly, one of those Virus Doctor things telling me that my computer was infected popped up. It was trying to get me to download some file called Green...something.exe and it did the whole thing where it gives you the screen that looks like it scanned your computer and found a million problems. I (probably foolishly) clicked the red x on the top right corner of the little pop up instead of closing the whole browser through task manager or something. Of course, it just seemed to keep popping up, so I opened task manager and closed the browser through there. I was hoping all was well but I got paranoid and ran Malwarebytes Anti-Malware just to be sure. I did both the quick scan and the full scan and neither scan found a problem.

A bit later, the thing popped up again about my computer being infected and my browser window became tiny. I got concerned and did the Malwarebytes Anti-Malware scan again (making sure I had the latest version) and I also ran McAfee full scan. Malwarebytes found nothing but McAfee found that strange Greensomething.exe file in one of the TEMP folders, I think, and quarantined it. I promptly removed it and thought all was well again.

About an hour later, the pop up showed up again and made the window tiny again, so I began to search online for ways to remove VirusDoctor. I was really puzzled because most of what I found suggested using Malwarebytes' quick scan to remove it and not one of my scans with Malwarebytes ever found anything at all. Some had some lists of files, dll libraries, registries, and processes I could try to find and remove/stop, so I tried that. I searched pretty thoroughly through every method I knew how and didn't find a single file listed anywhere on those sites in my laptop. Still, because it happened again after I removed that Greensomething.exe file, I was pretty paranoid, so I also ran the Kaspersky online scanner thing. That didn't find anything wrong either. I ran both McAfee Virus Scan and Malwarebytes full scans again a couple more times after this just to be sure and neither found any other problems.

The pop ups haven't shown up again and it's been over 12 hours, so I'm hoping it's truly gone but I'm still kind of concerned and wanted to make sure. I'm pasting my HijackThis log file in the hopes that someone here can tell me whether it's truly gone or still hiding somewhere.

Thanks for your time and help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:19 PM, on 9/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISBMgr.exe] "C:\Program Files\Sony\ISB Utility\ISBMgr.exe"
O4 - HKLM\..\Run: [VAIO Center Access Bar] "c:\program files\sony\VAIO Center Access Bar\VCAB.exe" 1
O4 - HKLM\..\Run: [VAIO Help and Support Demo] "C:\Program Files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe"
O4 - HKLM\..\Run: [VWLASU] "C:\Program Files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe"
O4 - HKLM\..\Run: [VAIORegistration] "C:\Program Files\Sony\First Experience\WelcomeLauncher.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [VAIOSurvey] "C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Windows\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper.dll",Uninstall /Get1noarp
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [RunSpySweeperScheduleAtStartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{A0CEBAC2-3889-448C-8BD3-03850E433B4B}
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c5f6f475c028) (gupdate1c9c5f6f475c028) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: CamMonitor (uCamMonitor) - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Media Content Collection (VAIOMediaPlatform-UCLS-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\UCLS.exe
O23 - Service: VAIO Media Content Collection (HTTP) (VAIOMediaPlatform-UCLS-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Content Collection (UPnP) (VAIOMediaPlatform-UCLS-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 14241 bytes
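A small triage script for HijackThis-format logs like the one above, added here as an example (it is not part of the thread and not HijackThis's own logic): it flags the things a helper reads first, entries whose file is gone, services with no vendor string, executables running from temp or profile folders, and system process names running from the wrong directory. The sample log mixes lines copied from the posted log with two constructed lines that exercise the checks.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

The rules below are this example's own heuristics, not HijackThis's logic;
a hit means "look at this line", not "this is malware".
"""
import re
from dataclasses import dataclass

# Names that malware likes to borrow (and that the helper later reuses when
# renaming ComboFix); a copy running outside the Windows directory deserves a look.
SYSTEM_NAMES = {"svchost.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
                "explorer.exe", "iexplore.exe", "csrss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Folders a dropper typically lands in; legitimate software can live here too.
SUSPECT_DIRS = ("\\temp\\", "\\users\\", "\\$recycle.bin\\")

ENTRY_RE = re.compile(r"^(?P<section>O\d+|R\d) - (?P<body>.*)$")
PATH_RE = re.compile(r"[a-z]:\\[^\"]*?\.(?:exe|dll|sys|htm)", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def _in_system_dir(path_lower):
    # Exact match on the parent directory, so c:\windows\temp\svchost.exe fails.
    parent = path_lower.rsplit("\\", 1)[0] + "\\"
    return parent in SYSTEM_DIRS


def triage_process(path):
    """Check one executable path from the 'Running processes' list."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not _in_system_dir(p):
        return Finding(path, f"system process name {name} running outside the Windows directory")
    if any(d in p for d in SUSPECT_DIRS):
        return Finding(path, "executable running from a temp or user-profile folder")
    return None


def triage_entry(line):
    """Check one R/O-section line (BHOs, Run keys, protocols, services)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        return Finding(line, f"{section} entry points at a file that no longer exists")
    if section == "O23" and "unknown owner" in low:
        return Finding(line, "service with no vendor string")
    for path in PATH_RE.findall(body):
        hit = triage_process(path)
        if hit:
            return Finding(line, hit.reason)
    return None


def triage_log(text):
    """Walk a whole log; the process list ends at the first blank line."""
    findings, in_procs = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False
                continue
            hit = triage_process(line)
        else:
            hit = triage_entry(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: real lines from the posted log plus two made-up entries.
SAMPLE_LOG = "\n".join([
    "Running processes:",
    r"C:\Windows\system32\taskeng.exe",
    r"C:\Windows\Explorer.EXE",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Users\Ingrid\AppData\Local\Temp\svchost.exe",        # constructed: borrowed name, wrong folder
    r"C:\Users\Ingrid\AppData\Local\Temp\sample_unknown.exe",  # constructed: stand-in temp-folder dropper
    "",
    "O1 - Hosts: ::1 localhost",
    "O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll",
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    "O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)",
    r"O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)",
    r"O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe",
    r"O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

On the sample this reports six lines; the two "Unknown owner" McAfee/Symantec hits are the kind a helper would then clear by hand from the vendor path, which is exactly why the output is a reading list rather than a verdict.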

Re: Potential VirusDoctor threat?
Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Potential VirusDoctor threat?
Hi again!

I did as you said and redownloaded Malwarebytes' Anti-Malware and ran a full scan. When it was completed it just said "The scan completed successfully. No malicious items were detected, click 'Main Menu.'" Does this mean my system is okay and there's no trace of VirusDoctor anywhere on it? I am pasting the Malwarebytes log below.

Thanks again for your help!

Malwarebytes' Anti-Malware 1.41
Database version: 2825
Windows 6.0.6001 Service Pack 1

9/19/2009 11:21:22 PM
mbam-log-2009-09-19 (23-21-22).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 300120
Time elapsed: 1 hour(s), 42 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Potential VirusDoctor threat?
I apologize for replying again before receiving a reply from you but this just happened and I thought it might be an important detail in figuring out what is going on. Hours after having done the Malwarebytes scan with the log I posted above (the one that said there were no infected files), my browser appeared to close (though I could see Firefox was still open on the taskbar at the bottom and it said "VirusDoctor - Online Protection") and this popup showed up:

"The page at http://rootscan.info says:

'Warning! Your PC is at risk of virus and malware attack.

Your system requires immediate check!
System Security will perform a quick and free scan of your PC for viruses and malicious programs'

There was only an OK button on the popup. I opened task manager and ended Firefox through that. I don't understand what this means because whenever I run Malwarebytes and McAfee it says there are no infected files or malicious files or anything. The websites I've been visiting after this are the ones I've been visiting for over a year and I never had anything like this happen, so I have no idea why this is still happening. The last time it popped up was almost 24 hours before this time.

Re: Potential VirusDoctor threat?
Hi

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:

[Screenshots: renaming ComboFix.exe to svchost.exe in the save dialog]

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[Screenshots: the ComboFix Recovery Console prompts]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name
ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Potential VirusDoctor threat?
Hello again!

I know you said to disable antiviruses and so on before running a ComboFix scan but as soon as I tried to download it McAfee alerted me that it had gotten rid of a trojan called Artemis something or other and the download failed. Is that supposed to happen?? Do I have to disable my antivirus before I even download ComboFix? I chose Link 2 from the links you provided (the one where I'd be getting it from bleepingcomputer.com).

Also, I thought I should let you know that I also tried a program called SuperAntiSpyware Free Edition and it removed 14 spyware cookies from my computer. I hope that doesn't change anything we've done so far.

Oh! One more thing I was wondering about. I tried looking around in other threads to see how ComboFix works and what I should expect when I run it and after and I noticed that in pretty much all other instances people were told to rename it to Combo-Fix rather than svchost.exe. I was just curious as to why this is, though I do understand that each case is different and maybe that's why. Does what you rename it to make a difference in how it runs...?

Re: Potential VirusDoctor threat?
Hi

Yes, renaming it helps. As I said at the bottom of the ComboFix request above: "Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe." Some malware is smart, some is not. Some malware will block all user processes, sometimes it will block anything but system processes. Most of the time, malware is dumb and will block everything but its own whitelist. Its whitelist is usually just "winlogon.exe, iexplore.exe, explorer.exe, svchost.exe, lsass.exe, and much more."

Seems like McAfee blocked it. Do you have a paid subscription to McAfee?

==

I will go ahead and do this, I will give you an alternate download link for ComboFix, so it will be ready. Just download the file.

Please download ComboFix by sUBs from HMOS Labs

Please save the file to your Desktop. Right click on it and click Extract all. Then, follow the prompts and extract it to your Desktop. Once on your Desktop, please drag wininit.exe out of the folder and on to the Desktop, if it is not already. Then, run it from there.

Important information about ComboFix

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on wininit.exe & follow the prompts.
  • It will attempt to install the Recovery Console:

[Screenshots: the ComboFix Recovery Console prompts]

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode.")

Re: Potential VirusDoctor threat?
Ok! I ran it and the log is below.

By the way, I do indeed have a paid subscription to McAfee and I have the Security Center with the Virus Scan, anti Spyware, and the Firewall. I disabled them all before running ComboFix.

Also, right now (after I've reenabled all the McAfee protection programs) there's a popup from McAfee saying:

"McAfee has detected a potentially unauthorized registry change to your computer.

About this Registry Change
SystemGuards: Winlogin Shell
Program: Registry Editor
Location: C\ComboFix\regt.cfxxe

Spyware, adware, and other potentially unwanted programs can make registry changes to the Winlogon Shell, allowing other programs to replace Windows Explorer."

Then it asks me whether to allow this change or block it. I'm sure it's due to ComboFix but, since ComboFix is done, should I say to block it...?

ComboFix 09-09-20.04 - Ingrid 09/21/2009 18:59.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1762 [GMT -4:00]
Running from: c:\users\Ingrid\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1263029672-1435515123-3760688381-500
c:\$recycle.bin\S-1-5-21-2068866768-3888667489-438035881-500
c:\windows\Installer\5d825c.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 )))))))))))))))))))))))))))))))
.

2009-09-21 23:07 . 2009-09-21 23:07 -------- d-----w- c:\users\Ingrid\AppData\Local\temp
2009-09-21 23:07 . 2009-09-21 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-21 05:13 . 2009-09-21 05:13 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-09-21 05:13 . 2009-09-21 05:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-21 05:13 . 2009-09-21 05:13 -------- d-----w- c:\users\Ingrid\AppData\Roaming\SUPERAntiSpyware.com
2009-09-21 05:11 . 2009-09-21 05:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-19 21:33 . 2009-09-19 21:33 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-09-19 21:31 . 2009-09-20 15:15 -------- d-----w- c:\programdata\NOS
2009-09-19 12:59 . 2009-09-19 12:59 -------- d-----w- c:\program files\Trend Micro
2009-09-19 11:51 . 2009-09-19 11:52 -------- d-----w- c:\users\Ingrid\.housecall6.6
2009-09-19 07:03 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-19 07:03 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-19 07:03 . 2009-09-20 01:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 15:09 . 2009-09-10 15:09 -------- d-----w- c:\programdata\McAfee Security Scan
2009-09-10 15:09 . 2009-09-10 15:09 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-09 10:23 . 2009-08-14 17:07 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 10:23 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 10:23 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 10:23 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 10:23 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 10:23 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 10:23 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 10:23 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 10:23 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 10:23 . 2009-08-14 16:29 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 10:21 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 10:21 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 10:21 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 10:21 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 10:20 . 2009-06-10 12:11 2868224 ----a-w- c:\windows\system32\mf.dll
2009-08-26 07:00 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 09:02 . 2008-02-16 21:41 2428 ----a-w- c:\windows\bthservsdp.dat
2009-09-21 03:49 . 2008-04-27 05:26 -------- d-----w- c:\users\Ingrid\AppData\Roaming\OpenOffice.org2
2009-09-19 21:37 . 2008-02-16 22:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-09-19 21:11 . 2009-05-24 07:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-17 15:54 . 2009-06-15 00:27 -------- d-----w- c:\program files\Electronic Arts
2009-09-17 15:54 . 2008-02-16 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-10 01:14 . 2008-04-26 21:51 97600 ----a-w- c:\users\Ingrid\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-10 01:12 . 2008-08-24 07:37 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 01:12 . 2008-02-28 13:49 -------- d-----w- c:\programdata\Microsoft Help
2009-08-29 05:33 . 2008-02-16 22:57 -------- d-----w- c:\program files\Java
2009-08-13 23:19 . 2009-05-24 07:44 -------- d-----w- c:\program files\McAfee
2009-07-24 00:53 . 2009-07-24 00:53 -------- d-----w- c:\program files\SpeedFan
2009-07-18 16:06 . 2009-07-28 21:47 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-28 21:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-28 21:47 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 05:06 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-12 05:05 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 05:05 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 05:05 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 05:05 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2008-03-14 22:26 . 2008-03-14 22:26 37375 ----a-w- c:\program files\openoffice.org-xsltfilter.cab
2008-03-14 22:26 . 2008-03-14 22:26 2489204 ----a-w- c:\program files\openoffice.org-writer.cab
2008-03-14 22:26 . 2008-03-14 22:26 207388 ----a-w- c:\program files\openoffice.org-testtool.cab
2008-03-14 22:26 . 2008-03-14 22:26 2504855 ----a-w- c:\program files\openoffice.org-pyuno.cab
2008-03-14 22:26 . 2008-03-14 22:26 51973 ----a-w- c:\program files\openoffice.org-onlineupdate.cab
2008-03-14 22:26 . 2008-03-14 22:26 1090334 ----a-w- c:\program files\openoffice.org-math.cab
2008-03-14 22:25 . 2008-03-14 22:25 118910 ----a-w- c:\program files\openoffice.org-javafilter.cab
2008-03-14 22:25 . 2008-03-14 22:25 1254017 ----a-w- c:\program files\openoffice.org-impress.cab
2008-03-14 22:25 . 2008-03-14 22:25 86870 ----a-w- c:\program files\openoffice.org-graphicfilter.cab
2008-03-14 22:25 . 2008-03-14 22:25 2769 ----a-w- c:\program files\openoffice.org-emailmerge.cab
2008-03-14 22:25 . 2008-03-14 22:25 919329 ----a-w- c:\program files\openoffice.org-draw.cab
2008-03-14 22:25 . 2008-03-14 22:25 2031954 ----a-w- c:\program files\openoffice.org-core09.cab
2008-03-14 22:25 . 2008-03-14 22:25 293054 ----a-w- c:\program files\openoffice.org-core08.cab
2008-03-14 22:25 . 2008-03-14 22:25 3842531 ----a-w- c:\program files\openoffice.org-core07.cab
2008-03-14 22:25 . 2008-03-14 22:25 28861971 ----a-w- c:\program files\openoffice.org-core06.cab
2008-03-14 22:21 . 2008-03-14 22:21 18636793 ----a-w- c:\program files\openoffice.org-core05.cab
2008-03-14 22:19 . 2008-03-14 22:19 16453751 ----a-w- c:\program files\openoffice.org-core04.cab
2008-03-14 22:18 . 2008-03-14 22:18 9118219 ----a-w- c:\program files\openoffice.org-core03.cab
2008-03-14 22:18 . 2008-03-14 22:18 3860200 ----a-w- c:\program files\openoffice.org-core02.cab
2008-03-14 22:18 . 2008-03-14 22:18 15102497 ----a-w- c:\program files\openoffice.org-core01.cab
2008-03-14 22:17 . 2008-03-14 22:17 4696905 ----a-w- c:\program files\openoffice.org-calc.cab
2008-03-14 22:17 . 2008-03-14 22:17 1802028 ----a-w- c:\program files\openoffice.org-base.cab
2008-03-14 22:17 . 2008-03-14 22:17 43005 ----a-w- c:\program files\openoffice.org-activex.cab
2008-03-14 22:17 . 2008-03-14 22:17 217 ----a-w- c:\program files\setup.ini
2008-03-14 22:17 . 2008-03-14 22:17 4372992 ----a-w- c:\program files\openofficeorg24.msi
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\opera\program\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\opera\program\plugins\ssldivx.dll
2008-11-11 03:06 . 2008-04-26 22:15 88 --sh--r- c:\windows\System32\B5274A87D2.sys
2008-11-11 03:06 . 2008-04-26 22:15 2828 --sha-w- c:\windows\System32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AOLOverlayIcon]
@="{AB0C8BE3-041C-47d6-8195-E089D32B38DD}"
[HKEY_CLASSES_ROOT\CLSID\{AB0C8BE3-041C-47d6-8195-E089D32B38DD}]
2007-10-05 17:54 303104 ------w- c:\ddi\OverIcon.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"RunSpySweeperScheduleAtStartup"="c:\windows\system32\msfeedssync.exe" [2008-01-21 12800]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-03-28 3325952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-08 835584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-19 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-19 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-19 137752]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2007-09-19 311296]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-09-06 53248]
"VAIO Help and Support Demo"="c:\program files\Sony\VAIO Help and Support Demo\LaunchVHSD.exe" [2007-08-28 290816]
"VWLASU"="c:\program files\Sony\VAIO PC Wireless LAN Wizard\AutoLaunchWLASU.exe" [2007-10-13 45056]
"VAIORegistration"="c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2007-10-17 20480]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"VAIOSurvey"="c:\program files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2007-07-20 577536]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-01 185896]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-25 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-01-09 1176808]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-19 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-04-06 4423680]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-2-28 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-15 04:05 98304 ----a-w- c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3C5FC576-A0C9-425D-A148-804ABDAB0482}"= UDP:c:\program files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{684D9182-0F98-4ECE-8D02-B35E7216CE95}"= TCP:c:\program files\Sony\LocationFreePlayer\LFPC3\LFPC3.exe:LocationFree Player
"{D6A8CA4E-6DD2-4D61-A425-D02B84C8AB22}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{AED9B8B9-FAA4-4543-9BF3-44B4E86FFE65}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B598839D-29D6-4F9F-B249-393F4EE3128D}"= Disabled:UDP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"{85C87DDE-8E1B-4E2D-A6F3-4422C3C6F637}"= Disabled:TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media
"TCP Query User{6BC7ECCD-7F60-4550-9356-A001041D1F97}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{9C850EEB-D5C7-4194-9E18-F997FA739D4C}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"TCP Query User{3776CDC6-BEDE-4B7A-87ED-DFBD6E37FDAB}c:\\users\\ingrid\\desktop\\oc11b72rv1.exe"= UDP:c:\users\ingrid\desktop\oc11b72rv1.exe:oc11b72rv1.exe
"UDP Query User{67858362-3A92-4BF1-AF05-BB83FFCA6CBC}c:\\users\\ingrid\\desktop\\oc11b72rv1.exe"= TCP:c:\users\ingrid\desktop\oc11b72rv1.exe:oc11b72rv1.exe
"{9A1B41BA-6864-4B30-A441-3B26F5BCE933}"= UDP:c:\users\Ingrid\Desktop\opencanvas.exe:opencanvas
"{590F021F-943C-4701-930A-FAADC96F3872}"= TCP:c:\users\Ingrid\Desktop\opencanvas.exe:opencanvas
"TCP Query User{6B93A8FA-07C5-4708-A58C-7B525F759D1F}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{BED8FB7E-694E-4E14-B5DD-CAA82093A4AE}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{DBF1CA70-C3D7-4172-83C5-C2CF893E901B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C6D2E2ED-E2B4-4527-AAED-64629EC3651D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E01C095F-4C05-4C05-82D9-9DCCD65A39BF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{91663028-A126-4B91-BD2C-1B72503153DC}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{1C071A2D-B19D-431A-B55D-0187791967A0}c:\\program files\\msn messenger\\msnmsgr.exe"= UDP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"UDP Query User{07A56CEE-7BE1-43E3-98BB-16CA04C371EC}c:\\program files\\msn messenger\\msnmsgr.exe"= TCP:c:\program files\msn messenger\msnmsgr.exe:Messenger
"{7B455280-D4A4-4FE3-9B0C-3B57D67DDFB6}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{0EA4909E-C017-4A15-9972-718290B58C98}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6FCB393D-7481-4391-A75A-BD58B07CA79F}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{04993418-4A4B-47E5-8E8D-973117DEDD1F}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{B5C0788E-0268-4D1D-98A1-BE1375E6E585}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/24/2009 3:48 AM 210216]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [4/18/2007 12:09 AM 11032]
R2 uCamMonitor;CamMonitor;c:\program files\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe [2/28/2008 9:47 AM 125440]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/28/2009 12:32 AM 24652]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [2/28/2008 9:47 AM 17920]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [2/16/2008 6:02 PM 73472]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [2/16/2008 6:02 PM 43904]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [2/16/2008 6:03 PM 9344]
R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [2/16/2008 6:03 PM 818688]
S2 gupdate1c9c5f6f475c028;Google Update Service (gupdate1c9c5f6f475c028);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 6:41 PM 133104]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2/16/2008 5:55 PM 28464]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2/28/2008 10:00 AM 745472]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2/28/2008 10:00 AM 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2/28/2008 10:00 AM 1089536]
S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2/16/2008 7:04 PM 292128]
S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2/16/2008 7:05 PM 79136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 22:41]

2009-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-25 22:41]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-24 14:53]

2009-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-24 14:53]

2009-09-21 c:\windows\Tasks\User_Feed_Synchronization-{A0CEBAC2-3889-448C-8BD3-03850E433B4B}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Ingrid\AppData\Roaming\Mozilla\Firefox\Profiles\vjtsn1zt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.gmail.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\Ingrid\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
HKLM-Run- - (no file)
AddRemove-GoldWave v5.23 - c:\program files\GoldWave\unstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 19:07
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-09-21 19:09
ComboFix-quarantined-files.txt 2009-09-21 23:09

Pre-Run: 102,185,447,424 bytes free
Post-Run: 102,335,455,232 bytes free

280 --- E O F --- 2009-09-17 14:14
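The "Reg Loading Points" section of the ComboFix log above records several settings a reviewer would look at before calling the machine clean: `EnableFirewall= 0` in the Domain, Public and Standard firewall profiles, `DisableMonitoring=dword:00000001` under Security Center, and firewall allow-rules for executables sitting in the user's Desktop folder. The script below is an added example and is not ComboFix output or code from anyone in this thread: it parses an excerpt in that log format and flags those three conditions. The excerpt is constructed from lines in the posted log, with `StandardProfile` changed to `1` (an assumption, so the check has something to distinguish); the section-header and `"name"= value` layout is the only format assumption it makes.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" output.
# Keys, GUIDs and paths are copied from the posted log; StandardProfile is set
# to 1 here as an assumption so that the checks below show a mixed result.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B5C0788E-0268-4D1D-98A1-BE1375E6E585}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"TCP Query User{3776CDC6-BEDE-4B7A-87ED-DFBD6E37FDAB}c:\\users\\ingrid\\desktop\\oc11b72rv1.exe"= UDP:c:\users\ingrid\desktop\oc11b72rv1.exe:oc11b72rv1.exe
"{85C87DDE-8E1B-4E2D-A6F3-4422C3C6F637}"= Disabled:TCP:c:\program files\Sony\VAIO Media 6.0\Vc.exe:[VAIO Media] VAIO Media

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# A drive-letter path ending in .exe; ':' and '|' are the field separators in rule values.
EXE_PATH_RE = re.compile(r"([a-z]:\\[^:|]+?\.exe)", re.IGNORECASE)


def parse_sections(text):
    """Split registry-style output into {section key: [(name, value), ...]}."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        entry = VALUE_RE.match(line)
        if entry and current is not None:
            sections[current].append((entry.group(1), entry.group(2).strip()))
    return sections


def disabled_firewall_profiles(sections):
    """Names of firewall profiles whose EnableFirewall value is 0 (firewall off)."""
    off = []
    for key, values in sections.items():
        lowered = key.lower()
        if "firewallpolicy\\" not in lowered or not lowered.endswith("profile"):
            continue
        for name, value in values:
            if name == "EnableFirewall" and value.split()[0] == "0":
                off.append(key.rsplit("\\", 1)[-1])
    return off


def security_center_monitoring_disabled(sections):
    """True when Security Center is told not to monitor AV/firewall status."""
    for key, values in sections.items():
        if key.lower().endswith("security center\\monitoring"):
            return any(n == "DisableMonitoring" and v.endswith("00000001")
                       for n, v in values)
    return False


def rules_for_user_profile_exes(sections):
    """Active firewall allow-rules whose program lives under c:\\users\\ (user-writable)."""
    hits = []
    for key, values in sections.items():
        if not key.lower().endswith("firewallpolicy\\firewallrules"):
            continue
        for _name, value in values:
            if value.startswith("Disabled:"):
                continue  # rule exists but is switched off
            m = EXE_PATH_RE.search(value)
            if m and m.group(1).lower().startswith("c:\\users\\"):
                hits.append(m.group(1))
    return hits


def review(text):
    """Collect the three findings for a log excerpt."""
    sections = parse_sections(text)
    return {
        "firewall_off_profiles": disabled_firewall_profiles(sections),
        "security_center_monitoring_off": security_center_monitoring_disabled(sections),
        "rules_for_user_profile_exes": rules_for_user_profile_exes(sections),
    }


if __name__ == "__main__":
    for finding, result in review(SAMPLE_LOG).items():
        print(f"{finding}: {result}")
```

Run on the excerpt, it reports the firewall off in `DomainProfile` and `PublicProfile`, Security Center monitoring disabled, and one active rule for an executable under the user's Desktop; the `Disabled:` VAIO Media rule is skipped. A firewall turned off in every profile is often a deliberate choice when a third-party suite (here McAfee) supplies its own, so each finding is something to confirm with the user rather than evidence of compromise by itself.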

Re: Potential VirusDoctor threat?

Hi

I think your computer is clean, but let's make sure.

Please go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply

Re: Potential VirusDoctor threat?

Okay! I'm running the scan right now and will post the results shortly.

Also, McAfee is still warning me about changes ComboFix seems to have made (they're all related to ComboFix somehow in the Location area)... It keeps popping up notices saying Registry Change Detected. Now it says

About this Registry Change
SystemGuards: Windows Protocols
Program: NirCmd
Location: C:\ComboFix\NirCmd.cfxxe

And is again asking me whether or not to allow those changes. I actually said to block a few because I figured we're done with ComboFix but is that okay...?? Will it stop asking if I delete ComboFix? I don't want to mess anything up by allowing or blocking a Registry Change...

Re: Potential VirusDoctor threat?

Allow the change please.

Re: Potential VirusDoctor threat?

I allowed the change, as you said. I thought I'd mention that right after I allowed the change, McAfee once again gave me that notice about the "Artemis! 190812DCF350 (Trojan)" and quarantined wininit.exe/ComboFix, so the file isn't on my desktop anymore and now shows up in McAfee's list of Quarantined Files. McAfee gives me the option of restoring the file or removing it. Should I let McAfee remove the file or should I restore it?

Once again, thank you so much for your help.

Re: Potential VirusDoctor threat?

Ok! Here are the results of the Panda ActiveScan you had me do:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-09-21 21:46:09
PROTECTIONS: 2
MALWARE: 1
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender 1.1.1505.0 No Yes
SUPERAntiSpyware 4, 29, 0, 1002 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\Ingrid\AppData\Roaming\Microsoft\Windows\Cookies\ingrid@atdmt[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

Re: Potential VirusDoctor threat?

Hi

Your computer is now clean. Hooray!

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: http://www.getfirefox.com
  • Opera is available here: http://www.opera.com/download/


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions? Is everything running okay?

Re: Potential VirusDoctor threat?

Yaay! Thank you so much for your help! :) I'll definitely keep the information you've provided in mind.

The only question I had was regarding the removal of ComboFix and whether I should just let McAfee get rid of it after it quarantined the file. That's what I ended up doing, so I hope that's not a problem. Are there any other files ComboFix may have installed that I would have to manually remove or anything?

Thank You!
