GeekPolice

malware doctor
Hi, I have contracted some sort of malware on my PC. It brings up this Malware Doctor window which I can't get rid of. I have run Malwarebytes multiple times and it continually shows up again. Through reading some other posts, I recognized that my Explorer search engine is also being hijacked to other websites than I intended. You guys helped me remove a virus I had before. So, I am back again for some more help. Please tell me what to do to rid my PC of this crap. I have included my HijackThis log (trying to be proactive). Thanks as always. You guys rock!

Re: malware doctor
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:49 PM, on 5/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\LocalService\Application Data\916653139.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.freeze.com/ping/?shortname=infrarecorder&format=xml&os=5&parents=428,385,357,509&v=4&max=7&browsers=2,4&DefaultBrowser=2&a=8741&f=infrarecorder_exe
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] m‘|\ü
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ebz52lvyj9.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\ebz52lvyj9.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Jts\WiseUpdt.exe
O4 - Startup: The Matrix_ Path of Neo Registration.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\{A955F952-9B4C-4703-8981-0E5FB9F55B33}\{E571E8B1-9771-465D-9DE0-3BA2D1BDAE99}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: TransactNOW Monitor.lnk = C:\Program Files\AMS Services\TransactNOW\OALaunch.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242774153281
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: ,
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 8372 bytes

Re: malware doctor

I strongly recommend that you remove Ask from your computer because it is:

  • Promoting its toolbars on sites targeted to kids.
  • Promoting its toolbars through ads that appear to be part of other companies' sites.
  • Promoting its toolbars through other companies' spyware.
  • Installing without any disclosure whatsoever and without any consent whatsoever.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
See here for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Ask Toolbar
Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis

Vista:

If you choose to follow my recommendation then follow these instructions.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight Ask Toolbar
  • Click on the Uninstall/Change button at the top.
Then please find and delete this folder in bold (if present):
C:\Program Files\AskBarDis



I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.




  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.freeze.com/ping/?shortname=infrarecorder&format=xml&os=5&parents=428,385,357,509&v=4&max=7&browsers=2,4&DefaultBrowser=2&a=8741&f=infrarecorder_exe
    R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [GEST] m‘|\ü
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ebz52lvyj9.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\ebz52lvyj9.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - S-1-5-18 Startup: ChkDisk.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
    O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe



  • Press "Fix Checked"
  • Close Hijack This.




1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.
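The lines the helper picked out above share a few tells a defender can check mechanically: an autorun (O4) whose program lives in a service account's Application Data folder or in a TEMP directory, an autorun with no name, a registry value full of unprintable bytes, a browser default (R1) pointing at a toolbar vendor rather than an expected search host, and services (O23) whose binary carries no publisher. The following Python script is an added example, not part of this thread and not HijackThis or Trend Micro code; it parses lines in the HijackThis v2 layout and reports those tells for a human to review. The sample lines are constructed from the shape of the log posted above, and the expected-search-host allowlist is an assumption an administrator would tune for their own environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines in the HijackThis v2 layout, modelled on
# the log posted in this thread (not the full log and not HijackThis output itself).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ebz52lvyj9.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [GEST] m‘|\ü
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Hosts a browser search default is allowed to point at. This is a constructed
# allowlist (an assumption for the example), not a list of Internet Explorer defaults.
EXPECTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}

# O4 lines of the form: O4 - <hive>\..\Run: [<name>] <command> (User '<user>')
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# R1 lines: R1 - <registry value> = <url>
R1_ENTRY = re.compile(r"^R1 - (?P<key>[^=]+?) = (?P<url>\S+)$")
# O23 lines: O23 - Service: <name> - <owner> - <path>
O23_SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Profile folders of the built-in service accounts; no interactive program is
# expected to auto-start from inside them.
SERVICE_PROFILES = ("\\localservice\\", "\\networkservice\\")


def suspicious_autorun(name, cmd):
    """Return the reasons an O4 autorun entry deserves a closer look ([] if none)."""
    reasons = []
    low = cmd.lower()
    if not name.strip():
        reasons.append("empty autorun name")
    if any(p in low for p in SERVICE_PROFILES) and "\\application data\\" in low:
        reasons.append("program stored in a service account's profile")
    if "\\temp\\" in low:
        reasons.append("program runs from a Temp directory")
    exe = re.search(r'([^\\"]+)\.exe\b', low)  # base name of the .exe, if any
    if exe and exe.group(1).isdigit():
        reasons.append("all-digit executable name")
    if any(not 32 <= ord(ch) < 127 for ch in cmd):
        reasons.append("unprintable or non-ASCII bytes in command value")
    return reasons


def triage(log_text, expected_hosts=EXPECTED_SEARCH_HOSTS):
    """Scan HijackThis-style lines and return findings for a human to review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            reasons = suspicious_autorun(m["name"], m["cmd"])
            if reasons:
                findings.append({"kind": "O4", "item": m["cmd"], "reasons": reasons, "line": line})
            continue
        m = R1_ENTRY.match(line)
        if m:
            host = urlparse(m["url"]).hostname or ""
            if host not in expected_hosts:
                findings.append({"kind": "R1", "item": host,
                                 "reasons": ["browser default points at an unexpected host"],
                                 "line": line})
            continue
        m = O23_SERVICE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append({"kind": "O23", "item": m["name"],
                             "reasons": ["service binary carries no publisher information"],
                             "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['item']}: {'; '.join(f['reasons'])}")
```

Run against the sample it flags the two Malware Doctor autoruns, the garbled GEST value, the ask.com search default and the unknown-owner AshEvtSvc service, while leaving the Java updater and the ATI service alone. The checks are deliberately heuristics for a reviewer, not an automatic fix list: a legitimate installer can leave an unknown-owner service, so each finding still needs the kind of judgement the helper applied above.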

Re: malware doctor
Origin,

1. I checked into Add/Remove Programs and I did not see a listing for Ask. (I don't recall installing the Ask toolbar, and by all means torch the Gdam thing!)
2. I was able to delete C:\Program Files\AskBarDis only after running Avenger.
3. I checked all the items that you requested to check off in HijackThis.
4. Ran Avenger.

I did have some problems. Since the Avenger program required a reboot, Spybot kept wanting to do a full scan after each reboot. It was taking 45 min or more, so I rebooted into Safe Mode and deleted Spybot. So I had to run Avenger again after the Spybot deletion. These were the results from Avenger:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


I think we have made progress because my normal desktop is back. The malware doctor is still running and screeching. I'm ready for the next step. Thanks

Re: malware doctor
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[image: CF_download_FF]

[image: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: malware doctor

Origin,

Loaded ComboFix and executed it; here are the results.

ComboFix 09-05-26.02 - Administrator 05/26/2009 22:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3326.2848 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\LocalService\Application Data\691447002.exe
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\drivers\ovfsthdevrtjrxjcxrrklpsgkfqpqbltkhaixd.sys
c:\windows\system32\glsetup.exe
c:\windows\system32\jhxm32.dll
c:\windows\system32\lklf32.dll
c:\windows\system32\lmn_setup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\service-466.exe
c:\windows\system32\sft.res
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASHEVTSVC
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_AshEvtSvc
-------\Service_avast!Antivirus
-------\Service_ovfsthbpjwpktpuyxmynmyrobrrsdknovusmgi


((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))
.

2009-05-27 03:28 . 2009-05-27 03:28 -------- d-----w c:\documents and settings\Administrator\Application Data\AMS Services
2009-05-26 16:40 . 2009-05-26 16:40 57344 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-67e54663-n\Decora-SSE.dll
2009-05-26 16:40 . 2009-05-26 16:40 24064 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-525d10a6-n\Decora-D3D.dll
2009-05-26 16:40 . 2009-05-26 16:40 315392 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-71da985d-n\jogl.dll
2009-05-26 16:40 . 2009-05-26 16:40 20480 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-71da985d-n\jogl_awt.dll
2009-05-26 16:40 . 2009-05-26 16:40 20480 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-519bd469-n\gluegen-rt.dll
2009-05-26 16:40 . 2009-05-26 16:40 114688 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-71da985d-n\jogl_cg.dll
2009-05-26 16:40 . 2009-05-26 16:40 499712 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5a710b2a-n\msvcp71.dll
2009-05-26 16:40 . 2009-05-26 16:40 499712 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5a710b2a-n\jmc.dll
2009-05-26 16:40 . 2009-05-26 16:40 348160 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-5a710b2a-n\msvcr71.dll
2009-05-25 20:16 . 2009-05-27 03:28 95198 ----a-w c:\windows\system32\drivers\bf0d278.sys
2009-05-25 00:20 . 2009-05-25 00:20 -------- d-----w c:\program files\Trend Micro
2009-05-24 15:49 . 2009-05-24 15:49 10684866 ----a-w c:\documents and settings\Administrator\Application Data\Azureus\plugins\azump\mplayer.exe
2009-05-24 01:24 . 2009-05-24 01:24 23600 ----a-w c:\windows\system32\drivers\TVICHW32.SYS
2009-05-24 01:24 . 2009-05-24 01:24 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\eSupport.com
2009-05-24 00:45 . 2009-05-24 00:45 -------- d-----w c:\program files\AC3Filter
2009-05-24 00:30 . 2009-05-24 00:30 -------- d-----w c:\program files\ffdshow
2009-05-23 03:51 . 2009-05-23 03:51 -------- d-----w c:\documents and settings\Administrator\Application Data\Leadertech
2009-05-23 03:44 . 2009-05-23 03:44 -------- d-----w c:\program files\Atari
2009-05-22 16:12 . 2009-05-22 16:12 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\AMS Services, Inc
2009-05-22 16:08 . 2009-05-27 03:28 -------- d-----w c:\documents and settings\Administrator\Application Data\OA
2009-05-22 16:08 . 2009-05-22 16:08 -------- d-----w c:\program files\AMS Services
2009-05-22 15:38 . 2009-05-22 15:38 -------- d-----w c:\program files\Common Files\Business Objects
2009-05-22 15:38 . 2008-08-25 22:05 2134016 ----a-r c:\windows\system32\cdintf251.dll
2009-05-22 15:38 . 2009-05-22 15:38 -------- d-----w c:\program files\AMS Services, Inc
2009-05-22 15:36 . 2009-05-22 15:36 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\assembly
2009-05-08 14:59 . 2009-05-08 14:59 1915520 ----a-w c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-05-07 17:53 . 2009-05-07 17:53 -------- d-----w c:\program files\Citrix
2009-05-07 17:53 . 2009-05-07 17:53 60744 ----a-w c:\documents and settings\Administrator\g2mdlhlpx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 03:28 . 2009-03-22 06:35 16608 ----a-w c:\windows\gdrv.sys
2009-05-26 23:51 . 2009-03-22 07:09 -------- d-----w c:\program files\PokerStars.NET
2009-05-26 00:24 . 2009-03-22 04:36 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-26 00:24 . 2009-03-22 04:36 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-25 22:39 . 2009-03-27 15:40 -------- d-----w c:\documents and settings\Administrator\Application Data\Azureus
2009-05-23 04:02 . 2009-03-22 06:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-23 03:44 . 2009-05-17 02:07 -------- d-----w c:\program files\VUGames
2009-05-20 21:56 . 2009-05-20 21:56 -------- d-----w c:\program files\CCleaner
2009-05-17 03:46 . 2009-03-22 13:20 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 03:46 . 2009-05-17 03:46 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-17 02:16 . 2009-05-17 02:16 43520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-05-16 22:27 . 2009-05-16 22:27 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-16 22:27 . 2009-05-16 22:27 -------- d-----w c:\program files\NOS
2009-05-15 23:46 . 2009-03-22 13:18 -------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-04-21 18:02 . 2009-03-27 15:40 -------- d-----w c:\program files\Vuze
2009-04-17 02:25 . 2009-04-01 17:35 349184 ----a-w c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2009-04-17 02:25 . 2009-04-17 02:25 79872 ----a-w c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2009-04-17 02:25 . 2009-04-17 02:25 541696 ----a-w c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2009-04-06 20:32 . 2009-03-22 13:20 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-22 13:20 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 23:44 . 2009-03-28 14:53 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-03 23:36 . 2009-03-22 06:36 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-01 17:35 . 2009-04-01 17:35 -------- d-----w c:\documents and settings\Administrator\Application Data\SanDisk
2009-03-28 14:42 . 2009-03-28 14:42 -------- d-----w c:\program files\AGEIA Technologies
2009-03-28 14:42 . 2009-03-28 14:42 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-27 16:10 . 2009-03-27 16:10 413696 ----a-w c:\windows\system32\wrap_oal.dll
2009-03-27 16:10 . 2009-03-27 16:10 110592 ----a-w c:\windows\system32\OpenAL32.dll
2009-03-24 23:31 . 2009-03-24 23:31 245 ----a-w c:\windows\PowerReg.dat
2009-03-24 23:23 . 2009-03-24 23:23 717296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-03-24 21:45 . 2009-03-22 05:22 68456 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 01:57 . 2009-03-22 04:34 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-22 07:07 . 2009-03-22 07:07 0 ----a-w c:\windows\ativpsrm.bin
2009-03-22 07:03 . 2009-03-22 07:03 9158 ----a-r c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}\ARPPRODUCTICON.exe
2009-03-22 06:58 . 2009-03-22 06:58 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 06:57 . 2009-03-22 06:57 152576 ----a-w c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-22 06:40 . 2009-03-22 06:40 319488 ----a-w c:\windows\HideWin.exe
2009-03-22 05:21 . 2009-03-22 05:21 0 ----a-w c:\windows\nsreg.dat
2009-03-22 04:32 . 2009-03-22 04:32 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-22 04:28 . 2009-03-22 04:37 4127 ----a-w c:\windows\mozver.dat
2009-03-16 19:18 . 2009-04-15 17:36 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 19:18 . 2009-04-15 17:36 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 19:18 . 2009-04-15 17:36 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 19:18 . 2009-04-15 17:36 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 20:27 . 2009-04-15 17:36 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 20:27 . 2009-04-15 17:36 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-09 20:27 . 2009-04-15 17:36 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-03 19:53 . 2009-05-16 22:27 17464 ----a-w c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ujw7fip.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg.exe
2009-03-03 19:53 . 2009-05-16 22:27 12792 ----a-w c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ujw7fip.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\chrome\content\getPlus_Adobe_reg_bootstrap.exe
2009-03-03 19:53 . 2009-05-16 22:27 109420 ----a-w c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ujw7fip.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}\plugins\np_gp.dll
.

------- Sigcheck -------
Do you guys have a recommendation for antivirus? Is one better than the other? I use Spybot for spyware but would like to know what the wizards of the web recommend. Thanks so much!

Re: malware doctor

Thanks so much for the help. I just donated some $$$$ so you guys can keep this site alive. You guys are great and I am grateful for your support and help. Keep it up! Us neophytes need the help.

Re: malware doctor
Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\program files\PokerStars.NET



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[image: Sfxdaw]

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

Re: malware doctor

Origin,

Is everything in the right order? I didn't see a response from my last post and was wondering if I am OK now.

Re: malware doctor

There are still a few steps; can you please post the ComboFix log?
