Persistent Malware Doctor infection


Post by barb940 on 10th June 2009, 5:52 pm

I am running XP on my laptop which has become infected with Malware Doctor. I have tried cleaning it with Malwarebytes but that hasn't worked, Malware Doctor keeps reappearing.

Here's my HijackThis log. Thanks in advance for any advice!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:11 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O1 - Hosts: 63.119.44.200 [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InfoMyCa.exe] C:\Program Files\Wireless 802.11g Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [XPFix] C:\Program Files\Wireless 802.11g Monitor\XPFix.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &aol toolbar search - [You must be registered and logged in to see this link.] Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 3863 bytes


Re: Persistent Malware Doctor infection

Post by Belahzur on 10th June 2009, 5:58 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: 63.119.44.200 [You must be registered and logged in to see this link.]
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
    O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


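The five lines Belahzur picks out above are chosen by eye: a hosts entry that points somewhere other than loopback, two Run entries launching a numerically named executable out of the LocalService profile, and two "Unknown owner" services whose binaries carry an `!` in the name and borrow a well-known antivirus brand. As an added example, not code from either poster or from HijackThis itself, the script below encodes that judgement as triage rules and runs them over lines copied from the HijackThis log in the first post (the hostname the board redacted is replaced by the placeholder `redacted.invalid`). The heuristics, the brand list and the thresholds are this example's own assumptions; they also cover the O7 `DisableRegedit`/`DisableTaskMgr` policy line, which the later MBAM log confirms as `Hijack.Regedit`/`Hijack.TaskManager`.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example: encodes in code the judgement behind the O1/O4/O7/O23 lines a
helper picks for "Fix Checked". Every rule below is an assumption of this
example, not anything HijackThis itself ships.
"""
import re
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log in the first post. The board redacted the
# hostname on the O1 line, so a placeholder stands in for it here.
SAMPLE_LOG = r"""
O1 - Hosts: 63.119.44.200 redacted.invalid
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!AVSControlService - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

# Autorun binaries normally live under Program Files or the Windows directory;
# one launched from a profile's Application Data / Temp area deserves a look.
PROFILE_DIR = re.compile(
    r"\\(?:Documents and Settings|Users)\\[^\\]+\\(?:Application Data|Local Settings|AppData)\\", re.I)
# Droppers in this family name their payload with a long run of digits.
NUMERIC_NAME = re.compile(r"\\\d{6,}\.exe$", re.I)
# Characters a Windows service binary name rarely contains (the '!' in avast!Antivirus.exe).
ODD_CHARS = re.compile(r"[^\w.\-]")
# Vendor names fake security products like to borrow (assumed list).
AV_BRANDS = ("avast", "norton", "symantec", "mcafee", "kaspersky", "avg")


def first_path(value: str) -> str:
    """Pull the executable path out of an O4 value, which may be quoted and carry arguments."""
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|sys|com|bat))", value, re.I)
    return m.group(1) if m else value


def triage_line(line: str) -> Optional[str]:
    """Return a reason string when a log line deserves a second look, else None."""
    line = line.strip()
    if m := re.match(r"O1 - Hosts: (\S+) (\S+)", line):
        if m.group(1) not in ("127.0.0.1", "::1"):
            return "hosts entry points a name at a non-loopback address"
    elif m := re.match(r"O4 - HK\w+\\\.\.\\Run\w*: \[(.+?)\] (.+)", line):
        path = first_path(m.group(2))
        if PROFILE_DIR.search(path) or NUMERIC_NAME.search(path):
            return "autorun binary lives under a user profile or has a numeric file name"
    elif m := re.match(r"O7 - .*Policies\\System, (Disable\w+)=(\d+)", line):
        if m.group(2) != "0":
            return f"policy {m.group(1)} is set, hiding an admin tool from the user"
    elif m := re.match(r"O23 - Service: (.+?) - (.+?) - (.+)", line):
        name, owner, path = m.groups()
        exe = path.rsplit("\\", 1)[-1]
        if owner == "Unknown owner" and ODD_CHARS.search(exe):
            return "service with no known owner and odd characters in its binary name"
        if owner == "Unknown owner" and any(b in name.lower() for b in AV_BRANDS):
            return "service with no known owner borrows a security-vendor name"
    return None


def triage(log: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (line, reason) pairs in log order."""
    findings = []
    for raw in log.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

Run as-is it lists exactly the O1, two O4, O7 and two O23 lines from the fix list above, and leaves SoundMan, QuickTime, the SiSPower rundll32 entry, the BITS service and PrismXL alone. The rules are deliberately narrow so that the output is a reading aid for a human reviewer, not an automatic fix list.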

Re: Persistent Malware Doctor infection

Post by barb940 on 10th June 2009, 6:58 pm

Here is my MBAM log:

Malwarebytes' Anti-Malware 1.37
Database version: 2255
Windows 5.1.2600 Service Pack 2
6/10/2009 2:50:15 PM
mbam-log-2009-06-10 (14-50-15).txt
Scan type: Quick Scan
Objects scanned: 129370
Time elapsed: 17 minute(s), 33 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11
Memory Processes Infected:
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!avscontrolservice (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\drivers\17499237.sys (Rootkit.Rustock) -> Delete on reboot.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\37ML0EOM\install_10[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\WO0SACS2\mlw[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\1361538659.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!AVSControlService.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Malware Doctor is still on my computer. Thank you very much for your help!


Re: Persistent Malware Doctor infection

Post by Belahzur on 10th June 2009, 9:37 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 12:58 am

Here is the combo fix log:

ComboFix 09-06-09.06 - Owner 06/10/2009 20:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.173 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\Install.txt
c:\windows\KBPK090530.log
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\drivers\772c111d.sys
c:\windows\system32\Install.txt
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\sft.res
c:\windows\Temp\1466591784.exe
c:\windows\Temp\1476591784.exe
c:\windows\Temp\312060534.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-10 18:55 . 2009-06-11 00:53 99422 ----a-w- c:\windows\system32\drivers\b245ec85.sys
2009-06-10 16:59 . 2009-06-10 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-10 01:56 . 2009-06-10 01:56 -------- d-----w- c:\program files\Trend Micro
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\Malwarebytes
2009-06-09 20:25 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 20:25 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 20:09 . 2009-06-09 20:09 -------- d-s---w- c:\documents and settings\Barb Admin\UserData
2009-06-09 19:49 . 2009-06-09 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-06-09 19:49 . 2009-06-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-09 19:46 . 2009-06-09 20:05 -------- d-----w- c:\program files\NortonInstaller
2009-06-09 19:46 . 2009-06-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-04 00:56 . 2009-06-04 00:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-30 05:55 . 2009-05-30 05:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-30 05:48 . 2009-05-30 05:53 -------- d--h--w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Application Data(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Local Settings(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Templates(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-s---w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000
2009-05-30 05:13 . 2009-05-30 18:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-30 05:03 . 2009-05-30 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 04:30 . 2009-05-30 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\10706874
2009-05-21 15:56 . 2009-05-21 15:56 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 16:22 . 2004-10-05 11:33 -------- d-----w- c:\program files\Pure Networks
2009-06-10 15:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\program files\Common Files\AOL
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-10 15:38 . 2004-10-02 10:41 -------- d-----w- c:\program files\BigFix
2009-06-10 15:35 . 2009-04-29 01:03 -------- d-----w- c:\documents and settings\Barbara Admin 2\Application Data\AOL
2009-06-10 15:35 . 2004-10-05 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-06-10 15:35 . 2009-05-30 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-06-10 15:35 . 2009-04-27 10:09 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\AOL
2009-06-09 20:09 . 2004-10-02 11:08 36496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Symantec
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-30 04:33 . 2008-12-23 01:44 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
.
------- Sigcheck -------
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-05-30 04:33 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-03 249856]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-02 98304]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 67584]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-03 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-2 331776]
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [10/2/2004 6:29 AM 193280]
S1 17499237;17499237;c:\windows\system32\drivers\17499237.sys --> c:\windows\system32\drivers\17499237.sys [?]
S1 23215e67;23215e67;c:\windows\system32\drivers\23215e67.sys --> c:\windows\system32\drivers\23215e67.sys [?]
S1 335b346e;335b346e;c:\windows\system32\drivers\335b346e.sys --> c:\windows\system32\drivers\335b346e.sys [?]
S1 4a6b2b4;4a6b2b4;c:\windows\system32\drivers\4a6b2b4.sys --> c:\windows\system32\drivers\4a6b2b4.sys [?]
S2 avast!AVSControlService;avast!AVSControlService;c:\windows\System32\avast!AVSControlService.exe -k netsvcs --> c:\windows\System32\avast!AVSControlService.exe -k netsvcs [?]
S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys --> c:\docume~1\Owner\LOCALS~1\Temp\Safe To Delete 3_0_4_8\AMDMSRIO.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2008-12-23 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-02 07:17]
.
- - - - ORPHANS REMOVED - - - -
BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll
HKLM-Run-InfoMyCa.exe - c:\program files\Wireless 802.11g
HKLM-Run-XPFix - c:\program files\Wireless 802.11g

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-10 20:53
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]
"ImagePath"="\SystemRoot\System32\drivers\b245ec85.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\COMRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-06-11 20:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 00:55
Pre-Run: 4,134,977,536 bytes free
Post-Run: 5,655,494,656 bytes free
145 --- E O F --- 2009-04-23 13:51


Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 1:13 am

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
17499237
23215e67
335b346e
4a6b2b4
avast!AVSControlService
AMDMSRIO
b245ec85

File::
c:\windows\system32\drivers\b245ec85.sys

FCopy::
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys | c:\windows\system32\drivers\ndis.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 1:42 am

The new log:

ComboFix 09-06-09.06 - Owner 06/10/2009 21:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.151 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt.txt
FILE ::
"c:\windows\system32\drivers\b245ec85.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\jbnmcd.dll
c:\windows\system32\sft.res
c:\windows\system32\drivers\b245ec85.sys . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AMDMSRIO
-------\Legacy_avast!antivirus
-------\Legacy_AVAST!AVSCONTROLSERVICE
-------\Service_17499237
-------\Service_23215e67
-------\Service_335b346e
-------\Service_4a6b2b4
-------\Service_AMDMSRIO
-------\Service_avast!antivirus
-------\Service_avast!AVSControlService
-------\Service_b245ec85

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-11 00:56 . 2009-06-11 01:37 99422 ----a-w- c:\windows\system32\drivers\817efd2b.sys
2009-06-10 18:55 . 2009-06-11 01:37 99422 ----a-w- c:\windows\system32\drivers\b245ec85.sys
2009-06-10 16:59 . 2009-06-10 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-10 01:56 . 2009-06-10 01:56 -------- d-----w- c:\program files\Trend Micro
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\Malwarebytes
2009-06-09 20:25 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 20:25 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 20:09 . 2009-06-09 20:09 -------- d-s---w- c:\documents and settings\Barb Admin\UserData
2009-06-09 19:49 . 2009-06-09 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-06-09 19:49 . 2009-06-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-09 19:46 . 2009-06-09 20:05 -------- d-----w- c:\program files\NortonInstaller
2009-06-09 19:46 . 2009-06-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-04 00:56 . 2009-06-04 00:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-30 05:55 . 2009-05-30 05:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-30 05:48 . 2009-05-30 05:53 -------- d--h--w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Application Data(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Local Settings(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Templates(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-s---w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000
2009-05-30 05:13 . 2009-05-30 18:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-30 05:03 . 2009-05-30 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 04:30 . 2009-05-30 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\10706874
2009-05-21 15:56 . 2009-05-21 15:56 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-10 16:22 . 2004-10-05 11:33 -------- d-----w- c:\program files\Pure Networks
2009-06-10 15:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\program files\Common Files\AOL
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-10 15:38 . 2004-10-02 10:41 -------- d-----w- c:\program files\BigFix
2009-06-10 15:35 . 2009-04-29 01:03 -------- d-----w- c:\documents and settings\Barbara Admin 2\Application Data\AOL
2009-06-10 15:35 . 2004-10-05 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-06-10 15:35 . 2009-05-30 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-06-10 15:35 . 2009-04-27 10:09 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\AOL
2009-06-09 20:09 . 2004-10-02 11:08 36496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Symantec
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-05-30 04:33 . 2008-12-23 01:44 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
.
------- Sigcheck -------
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-05-30 04:33 212480 1DDCD4F10C093B87A59A0FBA97E8462D c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 23:12 . 2009-06-11 00:55 53166 c:\windows\system32\perfc009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 53166 c:\windows\system32\perfc009.dat
+ 2004-08-26 23:12 . 2009-06-11 00:55 380918 c:\windows\system32\perfh009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 380918 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmcd.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-03 249856]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-02 98304]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 67584]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-03 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-2 331776]
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [10/2/2004 6:29 AM 193280]
.
Contents of the 'Scheduled Tasks' folder
2008-12-23 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-02 07:17]
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-10 21:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]
"ImagePath"="\SystemRoot\System32\drivers\817efd2b.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]
"ImagePath"="\SystemRoot\System32\drivers\b245ec85.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-11 21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 01:38
ComboFix2.txt 2009-06-11 00:55
Pre-Run: 5,671,755,776 bytes free
Post-Run: 5,663,289,344 bytes free
149 --- E O F --- 2009-04-23 13:51

barb940
Novice
Posts: 10
Joined: 2009-06-10
OS: XP laptop/Vista desktop
Points: 27422
Likes: 0

Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 2:38 am

Malware Doctor just popped back up after a few minutes of browsing using Internet Explorer, if it means anything.


Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 3:59 pm

Hello.
Time to get serious, the rootkit came back. Let's see if it survives this, though.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
817efd2b
b245ec85

Rootkit::
c:\windows\system32\drivers\b245ec85.sys
c:\windows\system32\drivers\817efd2b.sys

FCOPY::
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys | c:\windows\system32\drivers\ndis.sys

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245121
Likes: 1

Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 6:16 pm

Here is the new Combofix log:

ComboFix 09-06-11.02 - Owner 06/11/2009 13:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.223 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\system32\1.tmp
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\avast!AVSControlService.exe
c:\windows\system32\drivers\b06789f0.sys
c:\windows\system32\jbnmck.dll
c:\windows\system32\sft.res
Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it Smile
.
--------------- FCopy ---------------
c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_avast!antivirus
-------\Service_817efd2b
-------\Service_avast!antivirus
-------\Service_b245ec85
-------\Legacy_avast!avscontrolservice
-------\Service_avast!avscontrolservice

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-11 00:56 . 2009-06-11 17:58 99422 ----a-w- c:\windows\system32\drivers\817efd2b.sys
2009-06-10 18:55 . 2009-06-11 17:58 99422 ----a-w- c:\windows\system32\drivers\b245ec85.sys
2009-06-10 16:59 . 2009-06-10 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-10 01:56 . 2009-06-10 01:56 -------- d-----w- c:\program files\Trend Micro
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\Malwarebytes
2009-06-09 20:25 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 20:25 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 20:09 . 2009-06-09 20:09 -------- d-s---w- c:\documents and settings\Barb Admin\UserData
2009-06-09 19:49 . 2009-06-09 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-06-09 19:49 . 2009-06-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-09 19:46 . 2009-06-09 20:05 -------- d-----w- c:\program files\NortonInstaller
2009-06-09 19:46 . 2009-06-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-04 00:56 . 2009-06-04 00:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-30 05:55 . 2009-05-30 05:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-30 05:48 . 2009-05-30 05:53 -------- d--h--w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Application Data(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Local Settings(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Templates(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-s---w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000
2009-05-30 05:13 . 2009-05-30 18:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-30 05:03 . 2009-05-30 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 04:30 . 2009-05-30 05:54 -------- d-----w- c:\documents and settings\All Users\Application Data\10706874
2009-05-21 15:56 . 2009-05-21 15:56 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 17:54 . 2008-12-23 01:44 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-10 16:22 . 2004-10-05 11:33 -------- d-----w- c:\program files\Pure Networks
2009-06-10 15:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\program files\Common Files\AOL
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-10 15:38 . 2004-10-02 10:41 -------- d-----w- c:\program files\BigFix
2009-06-10 15:35 . 2009-04-29 01:03 -------- d-----w- c:\documents and settings\Barbara Admin 2\Application Data\AOL
2009-06-10 15:35 . 2004-10-05 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-06-10 15:35 . 2009-05-30 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-06-10 15:35 . 2009-04-27 10:09 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\AOL
2009-06-09 20:09 . 2004-10-02 11:08 36496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Symantec
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 23:12 . 2009-06-11 17:51 53166 c:\windows\system32\perfc009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 53166 c:\windows\system32\perfc009.dat
+ 2004-08-26 23:12 . 2009-06-11 17:51 380918 c:\windows\system32\perfh009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 380918 c:\windows\system32\perfh009.dat
+ 2008-12-23 01:44 . 2009-06-11 17:52 182912 c:\windows\system32\dllcache\ndis.sys
+ 2009-06-11 17:52 . 2009-06-11 17:51 388608 c:\windows\system32\CF1133.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmcd.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-03 249856]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-02 98304]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 67584]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-03 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-2 331776]
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [10/2/2004 6:29 AM 193280]
.
Contents of the 'Scheduled Tasks' folder
2008-12-23 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-02 07:17]
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 13:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]
"ImagePath"="\SystemRoot\System32\drivers\817efd2b.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]
"ImagePath"="\SystemRoot\System32\drivers\b245ec85.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1648)
c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
c:\windows\system32\CF1133.exe
c:\combofix\hidec.exe
c:\windows\system32\rundll32.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-06-11 14:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 17:59
ComboFix2.txt 2009-06-11 01:39
ComboFix3.txt 2009-06-11 00:55
Pre-Run: 5,662,375,936 bytes free
Post-Run: 5,653,504,000 bytes free
152 --- E O F --- 2009-04-23 13:51

Thanks again!


Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 6:21 pm

Darn, it still came back. But on the other hand, ndis.sys is replaced with a clean copy, so maybe that's what was regenerating them.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
817efd2b
b245ec85

File::
c:\windows\system32\drivers\817efd2b.sys
c:\windows\system32\drivers\b245ec85.sys

Rootkit::
c:\windows\system32\drivers\817efd2b.sys
c:\windows\system32\drivers\b245ec85.sys

Folder::
c:\documents and settings\All Users\Application Data\10706874

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.





Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 7:53 pm

Here is the resulting log:

ComboFix 09-06-11.05 - Owner 06/11/2009 15:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.223 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
FILE ::
"c:\windows\system32\drivers\817efd2b.sys"
"c:\windows\system32\drivers\b245ec85.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\10706874
c:\documents and settings\All Users\Application Data\10706874\10706874.glu
c:\documents and settings\All Users\Application Data\10706874\pc10706874cnf
c:\documents and settings\All Users\Application Data\10706874\pc10706874ins
c:\program files\Internet Explorer\setupapi.dll
c:\windows\system32\1.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_817efd2b
-------\Service_b245ec85

((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-10 16:59 . 2009-06-10 16:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-10 01:56 . 2009-06-10 01:56 -------- d-----w- c:\program files\Trend Micro
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\Malwarebytes
2009-06-09 20:25 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 20:25 . 2009-06-09 20:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 20:25 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 20:09 . 2009-06-09 20:09 -------- d-s---w- c:\documents and settings\Barb Admin\UserData
2009-06-09 19:49 . 2009-06-09 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PCSettings
2009-06-09 19:49 . 2009-06-09 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-06-09 19:46 . 2009-06-09 20:05 -------- d-----w- c:\program files\NortonInstaller
2009-06-09 19:46 . 2009-06-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-04 00:56 . 2009-06-04 00:56 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Identities
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-06-01 00:59 . 2009-06-01 00:59 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-05-30 05:55 . 2009-05-30 05:55 -------- d-----w- c:\windows\system32\wbem\Repository
2009-05-30 05:48 . 2009-05-30 05:53 -------- d--h--w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Application Data(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Local Settings(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-----w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000\Templates(2)
2009-05-30 05:48 . 2009-05-30 05:53 -------- d-s---w- c:\documents and settings\TEMP.YOUR-05A9FDE1C4(2).000
2009-05-30 05:13 . 2009-05-30 18:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-05-30 05:03 . 2009-05-30 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 15:56 . 2009-05-21 15:56 -------- d-----w- c:\program files\Common Files\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 17:54 . 2008-12-23 01:44 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-10 16:22 . 2004-10-05 11:33 -------- d-----w- c:\program files\Pure Networks
2009-06-10 15:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\program files\Common Files\AOL
2009-06-10 15:49 . 2004-10-02 10:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-10 15:38 . 2004-10-02 10:41 -------- d-----w- c:\program files\BigFix
2009-06-10 15:35 . 2009-04-29 01:03 -------- d-----w- c:\documents and settings\Barbara Admin 2\Application Data\AOL
2009-06-10 15:35 . 2004-10-05 11:46 -------- d-----w- c:\documents and settings\Owner\Application Data\AOL
2009-06-10 15:35 . 2009-05-30 05:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2009-06-10 15:35 . 2009-04-27 10:09 -------- d-----w- c:\documents and settings\Barb Admin\Application Data\AOL
2009-06-09 20:09 . 2004-10-02 11:08 36496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\program files\Symantec
2009-06-09 19:51 . 2004-10-02 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-26 23:12 . 2009-06-11 18:18 53166 c:\windows\system32\perfc009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 53166 c:\windows\system32\perfc009.dat
+ 2004-08-26 23:12 . 2009-06-11 18:18 380918 c:\windows\system32\perfh009.dat
- 2004-08-26 23:12 . 2009-06-10 18:57 380918 c:\windows\system32\perfh009.dat
+ 2008-12-23 01:44 . 2009-06-11 17:52 182912 c:\windows\system32\dllcache\ndis.sys
+ 2009-06-11 19:44 . 2009-06-11 19:44 388608 c:\windows\system32\CF23107.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc}]
jbnmcd.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-09-03 249856]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-10 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-10-02 98304]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-07-02 67584]
"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2004-09-03 49152]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Utility Tray.lnk - c:\windows\system32\sistray.exe [2004-10-2 331776]
[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [10/2/2004 6:29 AM 193280]
.
Contents of the 'Scheduled Tasks' folder
2008-12-23 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-10-02 07:17]
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 15:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wscntfy.exe
c:\windows\system32\CF23107.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-06-11 15:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 19:51
ComboFix2.txt 2009-06-11 18:00
ComboFix3.txt 2009-06-11 01:39
ComboFix4.txt 2009-06-11 00:55
Pre-Run: 5,650,300,928 bytes free
Post-Run: 5,641,859,072 bytes free
132 --- E O F --- 2009-04-23 13:51


Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 7:56 pm

Hello.
Please post a new Hijack This log now. Smile





Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 8:01 pm

I'm hoping that smiley face is foreshadowing good news...

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:34 PM, on 6/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 3073 bytes


Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 8:05 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent


  • Press "Fix Checked"
  • Close Hijack This.

These services need resetting back to their default values.

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

Please download this fix tool from [You must be registered and logged in to see this link.].

Double click it to run it.
Allow it to run if protection programs stop it.
The services should now be back to default value and no longer appear in Hijack This.

Now we just have to make sure this doesn't come back.

You aren't running antivirus software.

Please install Avira antivirus; otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

After installing it, right click the umbrella icon in the corner > "Start Update" and let it update!

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Next, we need to remove some old software.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.




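A small triage script over the log lines in this thread, added here as an example; it is not a tool from the thread or from ComboFix/HijackThis. It flags the randomly named driver services that ComboFix deleted yet its end-of-run catchme scan still listed, the BITS/wuauserv entries shown with an unknown owner and a truncated path, and the BHO whose DLL is missing, using constructed excerpts of the logs above as input; the function and class names are mine.

```python
"""Triage helper for the ComboFix and HijackThis logs posted in this thread.

Added example, not a tool from the thread or from ComboFix/HijackThis.
It pulls out the three indicators the helper acted on.
"""
import re
from dataclasses import dataclass, field

# "[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]" in the catchme section
HEX_SERVICE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([0-9a-f]{8})\]$", re.I)
IMAGE_PATH = re.compile(r'^"ImagePath"="(.+)"$')
# "-------\Service_817efd2b" in the Drivers/Services section means ComboFix removed it
REMOVED = re.compile(r"^-+\\Service_(\S+)$")
# HijackThis "O23 - Service: <name> (<short name>) - <owner> - <ImagePath>"
O23 = re.compile(r"^O23 - Service: (.+?)(?: \((\w+)\))? - (.+?) - (.+)$")
# HijackThis "O2 - BHO: <name> - {CLSID} - <dll>"
O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9a-f-]{36}\}) - (.+)$", re.I)


@dataclass
class Findings:
    hex_services: dict = field(default_factory=dict)      # service name -> ImagePath
    removed_services: list = field(default_factory=list)  # names ComboFix deleted
    broken_services: list = field(default_factory=list)   # (short name, ImagePath)
    missing_bhos: list = field(default_factory=list)      # (CLSID, dll text)


def parse_combofix(text: str) -> Findings:
    """Collect deleted services and hex-named services still registered at scan end."""
    f = Findings()
    pending = None  # service name waiting for its ImagePath line
    for line in text.splitlines():
        line = line.strip()
        m = REMOVED.match(line)
        if m:
            f.removed_services.append(m.group(1))
            continue
        m = HEX_SERVICE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = IMAGE_PATH.match(line)
        if m and pending:
            # The loader in this thread names the .sys after the service key.
            if m.group(1).lower().endswith(f"\\drivers\\{pending.lower()}.sys"):
                f.hex_services[pending] = m.group(1)
            pending = None
    return f


def parse_hijackthis(text: str) -> Findings:
    """Flag tampered service entries and BHOs pointing at a missing DLL."""
    f = Findings()
    for line in text.splitlines():
        line = line.strip()
        m = O23.match(line)
        if m:
            short, owner, path = m.group(2), m.group(3), m.group(4)
            # A bare directory as ImagePath is how the tampered BITS/wuauserv entries looked.
            if owner == "Unknown owner" and path.endswith("\\"):
                f.broken_services.append((short, path))
            continue
        m = O2.match(line)
        if m and "(file missing)" in m.group(3):
            f.missing_bhos.append((m.group(2), m.group(3)))
    return f


def regenerated(f: Findings) -> set:
    """Services ComboFix reports deleting that its rootkit scan still lists in the same run."""
    return set(f.removed_services) & set(f.hex_services)


# Constructed excerpts of the second and third ComboFix runs and the final HijackThis log above.
COMBOFIX_RUN2 = r"""
-------\Service_817efd2b
-------\Service_b245ec85
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\817efd2b]
"ImagePath"="\SystemRoot\System32\drivers\817efd2b.sys"
--
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b245ec85]
"ImagePath"="\SystemRoot\System32\drivers\b245ec85.sys"
"""
COMBOFIX_RUN3 = r"""
-------\Service_817efd2b
-------\Service_b245ec85
"""
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""

if __name__ == "__main__":
    for label, log in (("run 2", COMBOFIX_RUN2), ("run 3", COMBOFIX_RUN3)):
        print(label, "regenerated during the run:", sorted(regenerated(parse_combofix(log))))
    hjt = parse_hijackthis(HJT_LOG)
    print("tampered services:", hjt.broken_services, "missing BHO DLLs:", hjt.missing_bhos)
```

Run 2 reports both hex-named services as regenerated, matching the log where ComboFix lists them under Drivers/Services as deleted and catchme still finds them at the end; run 3 reports none.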

Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 8:30 pm

I installed Norton Antivirus 2009 onto my computer.

Here is the list from HijackThis:

Adobe Flash Player 10 ActiveX
Adobe Reader 6.0
Athlon 64 Processor Driver
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java 2 Runtime Environment, SE v1.4.2
LiveUpdate 1.90 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Works
MSXML 4.0 SP2 (KB954430)
Nero BurnRights
Nero OEM
Norton Internet Security
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SiS 900 PCI Fast Ethernet Adapter Driver
SiS VGA Utilities
SoftK56 Data Fax CARP
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Wireless 802.11g Adapter

barb940 (Novice), Posts: 10, Joined: 2009-06-10, OS: XP laptop/Vista desktop

Re: Persistent Malware Doctor infection

Post by Belahzur on 11th June 2009, 8:47 pm

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment, SE v1.4.2
    Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?




Belahzur (Administrator), Posts: 34918, Joined: 2008-08-03, OS: 7 Home Premium x64

Re: Persistent Malware Doctor infection

Post by barb940 on 11th June 2009, 10:50 pm

The computer is working great now! I've been using it for over an hour now, trying to prompt any latent virus, but so far Malware Doctor has not popped up again. I also have access to the Task Manager and Registry Editor, which I did not while my system was infected. Hopefully it is gone now.

Thank you thank you so much for all your help! I will promptly donate to Geekpolice for your wonderful help!

Thanks again

barb940

