Help in trying to get rid of Malware Doctor



Post by jjhuber237 on Wed Jun 10, 2009 5:53 pm

Well, from reading recent posts it looks like I'm not the only one trying to blow away this infernal thing. I've tried Malwarebytes and SuperAntispyware (free version). They find and delete the infected files/reg keys, but MD comes back as soon as I reboot out of safe mode and enable a network connection. Like one of the other posters, this version of MD looks different from the screenshot - it's black with red and green lettering. I'm also getting continual buffer overflow messages from McAfee for services, svchost and iexplorer - does anyone know if this is related to the malware? Any help in getting rid of it is much much much appreciated. Thanks.

Here's the HijackThis file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:33 PM, on 6/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\tool.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\avast!Antivirus.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
c:\PROGRA~1\mcafee\msc\mcupdui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Spybot - Search & Destroy.lnk = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: c:\progra~1\MicPhone\antit.dll
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9115 bytes

Thanks again. Jason.


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Wed Jun 10, 2009 6:23 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
    O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


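As an added example (not HijackThis' code and not anything the helper posted), the Python script below applies the same kind of triage the reply above did by hand to the lines of a HijackThis log: empty R0/R1 search settings, an O2 BHO whose DLL is missing, an O4 autorun from the LocalService profile with a random numeric name, an O7 policy that disables regedit, a non-empty O20 AppInit_DLLs value, and an O23 "Unknown owner" service in System32. The sample lines are copied from the log in the first post; the rule set and the severity labels are my own assumptions.

```python
"""Triage a HijackThis log line by line, flagging the entry classes the
helper above picked out by hand. Added example, not HijackThis' or the
forum's own tooling; the rules and severity labels are assumptions."""
import re
from typing import List, NamedTuple, Optional

# Sample lines copied from the HijackThis log posted in the first post.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\progra~1\MicPhone\antit.dll
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
""".strip()


class Finding(NamedTuple):
    kind: str      # HijackThis entry class, e.g. "O4"
    severity: str  # "high": fix; "medium": reset; "review": confirm the publisher first
    reason: str
    line: str


LOCALSERVICE_DATA = re.compile(r"\\localservice\\application data\\", re.I)
NUMERIC_EXE = re.compile(r"\\\d{6,}\.exe$", re.I)   # e.g. \1361538659.exe
SYSTEM32 = re.compile(r"\\system32\\", re.I)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for an ordinary line."""
    kind, sep, rest = line.strip().partition(" - ")
    if not sep:
        return None  # header, process list or footer line, not an entry
    rest = rest.strip()
    if kind in ("R0", "R1") and rest.endswith("="):
        return Finding(kind, "medium", "IE search/start setting left empty; reset to default", line)
    if kind == "O2" and rest.endswith("(file missing)"):
        return Finding(kind, "high", "BHO still registered for a DLL that no longer exists", line)
    if kind == "O4":
        target = rest.partition("] ")[2] or rest   # the path after the [name]
        if LOCALSERVICE_DATA.search(target) or NUMERIC_EXE.search(target):
            return Finding(kind, "high", "autorun from the LocalService profile with a random numeric name", line)
    if kind == "O7" and "DisableRegedit=1" in rest:
        return Finding(kind, "high", "policy disables the registry editor", line)
    if kind == "O20" and rest.startswith("AppInit_DLLs:") and rest.partition(":")[2].strip():
        return Finding(kind, "high", "AppInit_DLLs loads this DLL into every process that loads user32", line)
    if kind == "O23" and "Unknown owner" in rest and SYSTEM32.search(rest):
        return Finding(kind, "review", "service with no publisher running from System32", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """All suspicious entries in a log, in the order they appear."""
    return [f for f in map(triage_line, text.splitlines()) if f]


def fix_checked(findings: List[Finding]) -> List[str]:
    """Lines to tick under 'Fix Checked'; 'review' items need a human decision first."""
    return [f.line for f in findings if f.severity in ("high", "medium")]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.kind}: {f.reason}\n         {f.line}")
```

On the sample the script flags six entries and proposes five of them for "Fix Checked"; the avast!antivirus service is left for review because the log alone does not prove it is bogus (here it was, since McAfee is the installed AV).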

Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Wed Jun 10, 2009 7:21 pm

Thanks for the quick response. I followed your instructions above. Here is the MB logfile.

Malwarebytes' Anti-Malware 1.37
Database version: 2259
Windows 5.1.2600 Service Pack 2

6/10/2009 4:00:20 PM
mbam-log-2009-06-10 (16-00-20).txt

Scan type: Quick Scan
Objects scanned: 93163
Time elapsed: 6 minute(s), 44 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACdgkayabvgwqcslu.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!avscontrolservice (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACdgkayabvgwqcslu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\040C4P5C\install_10[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\0I06TB0S\mlw[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\application data\1361538659.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\temp\BN56.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbnmcd.dll (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!AVSControlService.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Thanks again

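An added example (not Malwarebytes' own code) that parses an MBAM log in the layout shown above and lists the detections that were only scheduled for removal on reboot, which are the ones worth re-checking after the restart. The sample lines are taken from the log above; the section/item format it assumes (a header ending in ":", then "path (Family) -> action." lines) is read off that log.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) log and report what is still
pending. Added example, not Malwarebytes' own code; the layout it assumes
is taken from the log posted in the thread."""
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# Lines copied from the MBAM log posted in the thread (summary block omitted).
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACdgkayabvgwqcslu.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACdgkayabvgwqcslu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jbnmcd.dll (Password.Stealer) -> Quarantined and deleted successfully.
""".strip()


class Item(NamedTuple):
    section: str   # e.g. "Files Infected"
    path: str      # file path or registry key/value
    family: str    # detection name, e.g. "Trojan.TDSS"
    action: str    # what MBAM did, e.g. "Delete on reboot"


# "path (Family)" with the detection name in the last parenthesised group.
HEAD = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\)$")

# Actions after which the item is actually gone; anything else needs a re-check.
DONE_PREFIXES = ("Quarantined and deleted successfully", "Unloaded process successfully")


def parse_item(section: str, line: str) -> Optional[Item]:
    """Parse one detection line; returns None for placeholder or unexpected lines."""
    head, sep, action = line.rpartition(" -> ")
    if not sep:
        return None  # "(No malicious items detected)" or similar
    # Registry data items carry an extra "-> Bad: (1) Good: (0)" segment before
    # the final action; the detection name always sits before the first arrow.
    m = HEAD.match(head.partition(" -> ")[0])
    if not m:
        return None
    return Item(section, m["path"], m["family"], action.rstrip("."))


def parse_mbam_log(text: str) -> List[Item]:
    """All detections in the log, tagged with the section they appeared under."""
    items, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            section = line[:-1]          # section header such as "Files Infected:"
        elif line and section:
            item = parse_item(section, line)
            if item:
                items.append(item)
    return items


def pending(items: List[Item]) -> List[Item]:
    """Items MBAM could not remove immediately (typically 'Delete on reboot')."""
    return [i for i in items if not i.action.startswith(DONE_PREFIXES)]


def families(items: List[Item]) -> Counter:
    """How many detections each family accounts for."""
    return Counter(i.family for i in items)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(f"{len(found)} detections: {dict(families(found))}")
    for i in pending(found):
        print(f"re-check after reboot: {i.path} [{i.family}] -> {i.action}")
```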

Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Wed Jun 10, 2009 8:22 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.



Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 11:46 am

Hello again. I launched it and received a cmd window that said "The system cannot find the file specified." While in the process of downloading, Malware Doctor came back - I'll go through the Malwarebytes and HijackThis steps again. BTW I ran Malwarebytes again and it keeps finding a file called uacinit.dll in Windows/system32 which it can't get rid of. Thanks again for the help.


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 12:19 pm

Hello.
No, it's just that your machine is badly infected, which is why everything is failing to work.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (McAfee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 1:36 pm

Okey doke, here's the combo-fix text:

Again, many thanks.

ComboFix 09-06-11.01 - Kate McNally 06/11/2009 9:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.161 [GMT -7:00]
Running from: c:\documents and settings\Kate McNally\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\3361
c:\windows\system32\drivers\UACtiwyovmfkcryeyp.sys
c:\windows\system32\UACdgkayabvgwqcslu.dll
c:\windows\system32\UACdxevpopyrxtefva.dll
c:\windows\system32\UACgihtsyshiyatpbc.dat
c:\windows\system32\UACjpdtkpybwtkamyc.log
c:\windows\system32\UAClwuowsawukhlyls.log
c:\windows\system32\UACnhqweogpmhyuubt.dll
c:\windows\system32\UACpawcrkdxjuddqcb.dll
c:\windows\system32\UACrdnwtldntvvykkp.dll
c:\windows\system32\UACyrejxoxafoapefd.log
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\windows\Install.txt
c:\windows\system32\drivers\UACtiwyovmfkcryeyp.sys
c:\windows\system32\fhpatch.dll
c:\windows\system32\inf\svchosd.exe
c:\windows\system32\Install.txt
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\sfcfiles.dat
c:\windows\system32\syspilog.pil
c:\windows\system32\UACdgkayabvgwqcslu.dll
c:\windows\system32\UACdxevpopyrxtefva.dll
c:\windows\system32\UACgihtsyshiyatpbc.dat
c:\windows\system32\UACjpdtkpybwtkamyc.log
c:\windows\system32\UAClwuowsawukhlyls.log
c:\windows\system32\UACnhqweogpmhyuubt.dll
c:\windows\system32\UACpawcrkdxjuddqcb.dll
c:\windows\system32\UACrdnwtldntvvykkp.dll
c:\windows\system32\UACyrejxoxafoapefd.log
c:\windows\temp\1567983626.exe
c:\windows\temp\1659531586.exe
c:\windows\temp\204375336.exe
c:\windows\temp\2102969086.exe
c:\windows\temp\2241890646.exe
c:\windows\temp\2272359396.exe
c:\windows\temp\485156586.exe
c:\windows\temp\514382606.exe
c:\windows\temp\724687836.exe
C:\xcrashdump.dat

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6TO4
-------\Legacy_avast!antivirus
-------\Legacy_DHCPSRV
-------\Legacy_ntalme
-------\Legacy_SFC
-------\Legacy_SYSTEMNTMI
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 15:41 . 2009-06-11 17:04 99422 ----a-w- c:\windows\system32\drivers\aa97887b.sys
2009-06-10 23:11 . 2009-06-11 17:04 99422 ----a-w- c:\windows\system32\drivers\f76635a8.sys
2009-06-10 21:47 . 2009-06-11 17:04 99422 ----a-w- c:\windows\system32\drivers\4f59c335.sys
2009-06-10 21:18 . 2009-06-10 21:18 -------- d-----w- c:\program files\Trend Micro
2009-06-10 18:26 . 2009-06-11 17:03 117760 ----a-w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-10 18:25 . 2009-06-11 17:04 99422 ----a-w- c:\windows\system32\drivers\fe7cfed2.sys
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com
2009-06-10 17:17 . 2009-06-11 17:04 99422 ----a-w- c:\windows\system32\drivers\3a6225bc.sys
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 00:02 . 2009-06-10 16:42 -------- d-----w- c:\program files\Enigma Software Group
2009-06-09 23:54 . 2009-06-09 23:54 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:36 . 2009-06-09 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:36 . 2009-06-09 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 22:35 . 2009-06-10 19:21 0 ----a-w- c:\windows\system32\drivers\6b97ad9b.sys
2009-06-09 21:17 . 2009-06-09 21:17 -------- d-----w- c:\windows\system32\MpEngineStore
2009-06-09 17:35 . 2009-06-09 17:35 -------- d-----w- C:\395f0614cf1a5cc0ca80
2009-06-08 22:51 . 2009-06-08 22:52 188016 ----a-w- c:\windows\system32\drivers\dwshd.sys
2009-06-08 22:39 . 2009-06-08 22:39 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-08 00:50 . 2009-06-08 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-08 00:43 . 2009-06-08 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-07 21:47 . 2009-06-10 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 21:47 . 2009-06-08 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-31 10:20 . 2009-05-31 10:20 9216 ----a-w- C:\skye.exe
2009-05-31 10:14 . 2009-05-31 10:14 153 ----a-w- C:\43454354.bat
2009-05-31 09:09 . 2009-05-31 09:21 10240 ----a-w- C:\dyae.exe
2009-05-31 09:08 . 2009-06-08 22:51 -------- d-----w- c:\windows\dhcp
2009-05-31 09:08 . 2009-06-08 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\95585306
2009-05-31 09:08 . 2009-06-08 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\15575314
14905-06-11 18:31 . 2009-06-09 22:35 1580544 ----a-w- c:\windows\system32\sfcfiles.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 16:56 . 2009-01-08 01:45 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-31 16:04 . 2008-10-15 04:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-03-25 18:06 . 2008-10-15 03:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-10-15 03:55 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-10-15 03:50 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2004-08-04 12:00 . 2004-08-04 12:00 549888 --sha-r- c:\windows\system32\dxdicg.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfcfiles.dll
[-] 2009-06-09 22:35 1580544 23CD88E359D4683A4CB792AEF8F87DD8 c:\windows\system32\sfcfiles.dll
.


Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 1:37 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Spybot - Search & Destroy.lnk - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-6-7 5365592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"\\"= c:\\WINDOWS\\system\\svchost.exe

S1 6b97ad9b;6b97ad9b;c:\windows\system32\drivers\6b97ad9b.sys [6/9/2009 3:35 PM 0]
S1 9fc7ef1a;9fc7ef1a;c:\windows\system32\drivers\9fc7ef1a.sys --> c:\windows\system32\drivers\9fc7ef1a.sys [?]
S1 datrrdfe;datrrdfe;\??\c:\windows\system32\drivers\datrrdfe.sys --> c:\windows\system32\drivers\datrrdfe.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - sfc
*Deregistered* - sfc
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mfehidk
SafeBoot-mfehidk.sys
SafeBoot-mferkdk
SafeBoot-mferkdk.sys
SafeBoot-mfetdik
SafeBoot-mfetdik.sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 10:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\mcmsc_wDtg8452fTKsSLM-journal 512 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\3a6225bc]
"ImagePath"="\SystemRoot\System32\drivers\3a6225bc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4f59c335]
"ImagePath"="\SystemRoot\System32\drivers\4f59c335.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aa97887b]
"ImagePath"="\SystemRoot\System32\drivers\aa97887b.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f76635a8]
"ImagePath"="\SystemRoot\System32\drivers\f76635a8.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fe7cfed2]
"ImagePath"="\SystemRoot\System32\drivers\fe7cfed2.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(612)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\ICA Client\pnsson.dll

- - - - - - - > 'explorer.exe'(112)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\McAfee\SiteAdvisor\McSACore.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
.
**************************************************************************
.
Completion time: 2009-06-11 10:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 17:10

Pre-Run: 64,477,429,760 bytes free
Post-Run: 64,549,961,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

279 --- E O F --- 2009-05-15 06:05


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 1:43 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
6b97ad9b
9fc7ef1a
datrrdfe

Rootkit::
c:\windows\system32\drivers\aa97887b.sys
c:\windows\system32\drivers\f76635a8.sys
c:\windows\system32\drivers\4f59c335.sys
c:\windows\system32\drivers\fe7cfed2.sys
c:\windows\system32\drivers\3a6225bc.sys
c:\windows\system32\drivers\6b97ad9b.sys

File::
C:\skye.exe
C:\43454354.bat
C:\dyae.exe

Folder::
c:\windows\dhcp
c:\documents and settings\All Users\Application Data\95585306
c:\documents and settings\All Users\Application Data\15575314

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\"= c:\\WINDOWS\\system\\svchost.exe=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\3a6225bc]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4f59c335]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aa97887b]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\f76635a8]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fe7cfed2]

FCOPY::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfcfiles.dll | c:\windows\system32\sfcfiles.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


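The Driver::, Rootkit:: and Registry:: lists in the script above were picked out by hand from the S1 service lines and the catchme registry dump in the ComboFix log. As an added example (not part of this thread, and not Belahzur's or ComboFix's code), here is a Python triage script that applies the same tell-tale signs to those log lines and drafts the three sections; the heuristics, the function names and the assumption that SystemRoot is c:\windows are mine, and the sample log is constructed from the entries quoted in the thread.

```python
"""Triage ComboFix driver/service lines the way a forum helper does by hand.

Added example, not code from this thread or from ComboFix. It reads the
S1/R1 service lines and the catchme registry dump, flags entries with the
marks of generated rootkit drivers (8-hex-digit service names, driver file
missing on disk, zero-byte driver file) and drafts the CFScript sections.
"""
import re

# Constructed sample in the format of the thread's ComboFix log. The
# SUPERAntiSpyware and McAfee lines are legitimate controls that must not
# be flagged; the rest are the entries the thread's helper removed.
SAMPLE_LOG = r"""
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/14/2008 8:58 PM 206096]
S1 6b97ad9b;6b97ad9b;c:\windows\system32\drivers\6b97ad9b.sys [6/9/2009 3:35 PM 0]
S1 9fc7ef1a;9fc7ef1a;c:\windows\system32\drivers\9fc7ef1a.sys --> c:\windows\system32\drivers\9fc7ef1a.sys [?]
S1 datrrdfe;datrrdfe;\??\c:\windows\system32\drivers\datrrdfe.sys --> c:\windows\system32\drivers\datrrdfe.sys [?]

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\3a6225bc]
"ImagePath"="\SystemRoot\System32\drivers\3a6225bc.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\aa97887b]
"ImagePath"="\SystemRoot\System32\drivers\aa97887b.sys"
"""

# "S1 name;display;path [date size]", or "path --> resolved [?]" when
# ComboFix could not find the driver file on disk.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<info>[^\]]*)\]\s*$"
)
KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]\\]+))\]$"
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")   # 6b97ad9b, 3a6225bc, ...


def to_dos_path(path, system_root="c:\\windows"):
    """Turn the NT-style SystemRoot and \\??\\ prefixes into the plain
    lower-case drive path a CFScript lists. system_root is an assumption
    (the thread's machine is a default c:\\windows install)."""
    low = path.lower()
    if low.startswith("\\systemroot\\"):
        return (system_root + path[len("\\systemroot"):]).lower()
    if low.startswith("\\??\\"):
        return path[4:].lower()
    return low


def triage(log_text):
    """Return suspect services as (name, driver_path, reasons) and suspect
    service registry keys as (key, driver_path)."""
    services, keys, pending = [], [], None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            name, info, reasons = m.group("name"), m.group("info"), []
            if HEX_NAME_RE.match(name):
                reasons.append("8-hex-digit generated service name")
            if info == "?":
                reasons.append("driver file missing on disk")
            elif info.endswith(" 0"):
                reasons.append("zero-byte driver file")
            if reasons:
                path = to_dos_path(m.group("resolved") or m.group("path"))
                services.append((name, path, reasons))
            continue
        k = KEY_RE.match(line)
        if k:
            # only keys whose service name looks generated are carried forward
            pending = k.group("key") if HEX_NAME_RE.match(k.group("name")) else None
            continue
        ip = IMAGEPATH_RE.match(line)
        if ip and pending:
            keys.append((pending, to_dos_path(ip.group("path"))))
            pending = None
    return {"services": services, "keys": keys}


def build_cfscript(findings):
    """Render the three CFScript sections in the form the thread uses; the
    result is a draft for a helper to check against the full log."""
    names = [name for name, _, _ in findings["services"]]
    paths = [p for _, p, _ in findings["services"]] + [p for _, p in findings["keys"]]
    lines = ["Driver::"] + names + ["", "Rootkit::"] + paths
    lines += ["", "Registry::"] + ["[-%s]" % key for key, _ in findings["keys"]]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for name, path, reasons in found["services"]:
        print("%-10s %-45s %s" % (name, path, "; ".join(reasons)))
    print(build_cfscript(found))
```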

Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 2:11 pm

I blue screened while combofix was running. Should I boot up and follow the above steps again?


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 2:12 pm

Yes.



Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 2:39 pm

Here's the resulting combofix.txt log:

ComboFix 09-06-11.01 - Kate McNally 06/11/2009 11:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.239 [GMT -7:00]
Running from: c:\documents and settings\Kate McNally\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kate McNally\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\43454354.bat"
"C:\dyae.exe"
"C:\skye.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.

c:\windows\system32\drivers\null.sys . . . is missing!!

.
--------------- FCopy ---------------

c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\sfcfiles.dll --> c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sfc
-------\Service_6b97ad9b
-------\Service_9fc7ef1a
-------\Service_datrrdfe
-------\Service_sfc
-------\Service_3a6225bc
-------\Service_4f59c335
-------\Service_aa97887b
-------\Service_f76635a8
-------\Service_fe7cfed2


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-10 21:18 . 2009-06-10 21:18 -------- d-----w- c:\program files\Trend Micro
2009-06-10 18:26 . 2009-06-11 18:28 117760 ----a-w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 00:02 . 2009-06-10 16:42 -------- d-----w- c:\program files\Enigma Software Group
2009-06-09 23:54 . 2009-06-09 23:54 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:36 . 2009-06-09 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:36 . 2009-06-09 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 21:17 . 2009-06-09 21:17 -------- d-----w- c:\windows\system32\MpEngineStore
2009-06-09 17:35 . 2009-06-09 17:35 -------- d-----w- C:\395f0614cf1a5cc0ca80
2009-06-08 22:51 . 2009-06-08 22:52 188016 ----a-w- c:\windows\system32\drivers\dwshd.sys
2009-06-08 22:39 . 2009-06-08 22:39 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-08 00:50 . 2009-06-08 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-08 00:43 . 2009-06-08 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-07 21:47 . 2009-06-10 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 21:47 . 2009-06-08 22:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
14905-06-11 18:31 . 2004-08-04 12:00 1580544 -c--a-w- c:\windows\system32\dllcache\sfcfiles.dll
14905-06-11 18:31 . 2004-08-04 12:00 1580544 ----a-w- c:\windows\system32\sfcfiles.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 16:56 . 2009-01-08 01:45 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-31 16:04 . 2008-10-15 04:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-03-25 18:06 . 2008-10-15 03:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-10-15 03:55 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-10-15 03:50 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2004-08-04 12:00 . 2004-08-04 12:00 549888 --sha-r- c:\windows\system32\dxdicg.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
Spybot - Search & Destroy.lnk - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-6-7 5365592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=
"\\"= c:\\WINDOWS\\system\\svchost.exe

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/14/2008 8:58 PM 206096]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 qqipscxi;qqipscxi;\??\c:\windows\system32\drivers\qqipscxi.sys --> c:\windows\system32\drivers\qqipscxi.sys [?]


Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 2:40 pm

.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(568)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\ICA Client\pnsson.dll

- - - - - - - > 'explorer.exe'(3300)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\ati2evxx.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2009-06-11 11:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 18:33
ComboFix2.txt 2009-06-11 17:10

Pre-Run: 64,525,393,920 bytes free
Post-Run: 64,509,181,952 bytes free

207 --- E O F --- 2009-05-15 06:05


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 2:48 pm

Hello.
Good news and bad news.

The good news is, the malware is gone.
The bad news is, the damage left behind by the malware is quite severe and we may not be able to repair it. A needed system file is gone and we need to replace it. If we can't replace it, a system repair or format may be the only options left.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    null.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 3:00 pm

Here 'tis

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 11:59 on 11/06/2009 by Kate McNally (Administrator - Elevation successful)

========== filefind ==========

Searching for "null.sys"
C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\apps\Replace\w2k\null.sys --a--- 2800 bytes [22:27 07/08/2008] [22:27 07/08/2008] 280209CDE798720A24D232BF9CFDA8E9
C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\apps\Replace\xp\null.sys --a--- 2944 bytes [22:27 07/08/2008] [22:27 07/08/2008] 73C1E1F395918BC2C6DD67AF7591A3AD

-=End Of File=-


Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 3:06 pm

Wow, you had SDFix on the system? Well, good news, that needed system file is in the SDFix folder.

Now open a new notepad file.
Input this into the notepad file:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"\\"=-

FCOPY::
C:\Documents and Settings\Administrator\Desktop\SDFix\SDFix\apps\Replace\xp\null.sys | c:\windows\system32\drivers\null.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.



Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 5:35 pm

Yeah, SDfix was recommended to me but it didn't seem to accomplish anything. But in the end it looks like it did...

Here's the text of the resulting CF file:

ComboFix 09-06-10.02 - Kate McNally 06/11/2009 14:18.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.163 [GMT -7:00]
Running from: c:\documents and settings\Kate McNally\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kate McNally\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\documents and settings\Administrator\Desktop\SDFix\SDFix\apps\Replace\xp\null.sys --> c:\windows\system32\drivers\null.sys
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 19:43 . 2009-06-11 21:06 -------- d-----w- C:\Spyware Files
2009-06-11 19:40 . 2009-06-11 19:40 -------- d-----w- c:\windows\LastGood
2009-06-11 19:22 . 2008-08-07 22:27 2944 -c--a-w- c:\windows\system32\dllcache\null.sys
2009-06-11 19:22 . 2008-08-07 22:27 2944 ----a-w- c:\windows\system32\drivers\null.sys
2009-06-10 21:18 . 2009-06-10 21:18 -------- d-----w- c:\program files\Trend Micro
2009-06-10 18:26 . 2009-06-11 19:29 117760 ----a-w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-10 18:24 . 2009-06-10 18:24 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\SUPERAntiSpyware.com
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 15:52 . 2009-06-10 15:52 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 00:02 . 2009-06-10 16:42 -------- d-----w- c:\program files\Enigma Software Group
2009-06-09 23:54 . 2009-06-09 23:54 -------- d-----w- c:\documents and settings\Kate McNally\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-09 23:36 . 2009-06-09 23:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 23:36 . 2009-06-09 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-09 23:36 . 2009-05-26 20:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-09 21:17 . 2009-06-09 21:17 -------- d-----w- c:\windows\system32\MpEngineStore
2009-06-09 17:35 . 2009-06-09 17:35 -------- d-----w- C:\395f0614cf1a5cc0ca80
2009-06-08 22:51 . 2009-06-08 22:52 188016 ----a-w- c:\windows\system32\drivers\dwshd.sys
2009-06-08 22:39 . 2009-06-08 22:39 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-08 00:50 . 2009-06-08 00:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-08 00:43 . 2009-06-08 00:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-06-07 21:47 . 2009-06-11 19:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 21:47 . 2009-06-11 19:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
14905-06-11 18:31 . 2004-08-04 12:00 1580544 -c--a-w- c:\windows\system32\dllcache\sfcfiles.dll
14905-06-11 18:31 . 2004-08-04 12:00 1580544 ----a-w- c:\windows\system32\sfcfiles.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 16:56 . 2009-01-08 01:45 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-31 16:04 . 2008-10-15 04:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-03-25 18:06 . 2008-10-15 03:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 79880 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 18:06 . 2008-10-15 03:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-03-25 18:06 . 2008-10-15 03:55 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-03-25 18:05 . 2008-10-15 03:50 34216 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2004-08-04 12:00 . 2004-08-04 12:00 549888 --sha-r- c:\windows\system32\dxdicg.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-16 00:07 . 2009-06-11 15:39 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-16 00:07 . 2009-06-11 20:42 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-10-16 00:07 . 2009-06-11 20:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-10-16 00:07 . 2009-06-11 15:39 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.


Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 5:36 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1131163763\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/14/2008 8:58 PM 206096]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 qqipscxi;qqipscxi;\??\c:\windows\system32\drivers\qqipscxi.sys --> c:\windows\system32\drivers\qqipscxi.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-15 18:53]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\ICA Client\pnsson.dll

- - - - - - - > 'explorer.exe'(248)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-11 14:27
ComboFix-quarantined-files.txt 2009-06-11 21:27
ComboFix2.txt 2009-06-11 18:34
ComboFix3.txt 2009-06-11 17:10

Pre-Run: 64,794,423,296 bytes free
Post-Run: 64,783,368,192 bytes free

169 --- E O F --- 2009-05-15 06:05

jjhuber237 (Novice; Posts: 12; Joined: 2009-06-09; OS: Windows XP)

Re: Help in trying to get rid of Malware Doctor

Post by Belahzur on Thu Jun 11, 2009 5:40 pm

Hello.
Well, SDFix saved your machine; I didn't know it had a backup of null.sys.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

sc delete qqipscxi

Now do the same for this next command.

ComboFix /u

This will also reset your restore points.

How is the machine running now?




Belahzur (Administrator; Posts: 34918; Joined: 2008-08-03; OS: 7 Home Premium x64)
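The reason the helper singles out qqipscxi is visible in the ComboFix service section of the log: its S1 entry points at a driver file ComboFix could not read (the trailing `[?]`), and the `\??\` object-directory prefix is not how normal drivers are registered. As an added example (not from the thread or from ComboFix), here is a small parser that pulls the R/S service lines out of a ComboFix log and flags entries whose image file could not be found; the sample lines are constructed, modelled on the log above, and `exampledrv` is a made-up name.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the ComboFix service section in this thread.
SAMPLE_LOG = r"""
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/14/2008 8:58 PM 206096]
S1 qqipscxi;qqipscxi;\??\c:\windows\system32\drivers\qqipscxi.sys --> c:\windows\system32\drivers\qqipscxi.sys [?]
S3 exampledrv;exampledrv;c:\windows\system32\drivers\exampledrv.sys [?]
"""

# <R|S><start type> <name>;<display name>;<image path> [<date> <time> <size>]  or  [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str      # ComboFix prefix: R = running, S = stopped; digit = start type
    name: str
    raw_image: str  # image path exactly as ComboFix printed it
    image: str      # resolved path (the part after '-->' when ComboFix rewrote a \??\ path)
    info: str       # "date time size" of the file, or "?" when ComboFix could not read it

    @property
    def file_missing(self) -> bool:
        return self.info.strip() == "?"

    @property
    def objdir_prefix(self) -> bool:
        # Registered via the NT object-directory form instead of a plain path.
        return self.raw_image.startswith("\\??\\")


def parse_services(text: str) -> list[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue  # not a service line (headers, tasks, separators)
        raw_image = m.group("image")
        image = raw_image.split("-->")[-1].strip()
        entries.append(ServiceEntry(m.group("state"), m.group("name").strip(),
                                    raw_image, image, m.group("info")))
    return entries


def suspicious_services(text: str) -> list[ServiceEntry]:
    """Service/driver entries whose image file ComboFix could not read."""
    return [e for e in parse_services(text) if e.file_missing]
```

Entries it returns are candidates for a closer look (is the file really gone, was it quarantined by another tool), which is the state the `sc delete` step above cleans up once the file is confirmed absent.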

Re: Help in trying to get rid of Malware Doctor

Post by jjhuber237 on Thu Jun 11, 2009 6:05 pm

It's running great. Thanks for all your help. I'll be sure to leave something in the tip jar.

jjhuber237 (Novice; Posts: 12; Joined: 2009-06-09; OS: Windows XP)
