Malware Doctor infection


Malware Doctor infection

Post by LOHAD on 11th June 2009, 5:06 am

I'm infected with Malware Doctor. This sucker is nasty, and whoever created it should be waterboarded (just sayin'). I am shut out of Task Manager, Regedit, etc. Here's what I've done so far:

1. Downloaded the latest Malwarebytes on a second computer, quick scanned my system in safe mode, found infections and quarantined the objects.
2. Slow scanned the system in safe mode. Came up clean.
3. Rebooted my system. A few minutes in: Malware Doctor rears its ugly head.
4. Ran HijackThis and deleted the O4 lines with Malware Doctor in them, as well as the O23 lines with Avast! in them.
5. Rebooted and rescanned my system with Malwarebytes -- everything came up clean. I was able to access Task Manager, so I thought perhaps I'm good. BUT: A few minutes after rebooting, -- WHAM! That stinkin' Malware Doctor popup.

Here's my latest HijackThis log -- thanks in advance from your latest Twitter follower

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:55 AM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\AOL\1187798826\ee\AOLSoftware.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\Program Files\iPodmini\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TEMP\BN11.tmp
C:\WINNT\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Documents and Settings\LocalService\Application Data\1458931097.exe
M:\HiJack(GP)This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187798826\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECHECK.EXE] C:\WINNT\iecheck.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - [You must be registered and logged in to see this link.]
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - [You must be registered and logged in to see this link.]
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINNT\System32\avast!Antivirus.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINNT\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPodmini\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sony SCSI Helper Service (sony scsi helper service) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\

--
End of file - 11780 bytes

LOHAD
Novice
Posts : 10
Joined : 2009-06-11
OS : XP
Points : 27402
# Likes : 0
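The HijackThis log above is what the rest of the thread works from, so here is a small triage pass over lines of that format. This is an added example, not code from the thread, from Trend Micro's HijackThis or from any helper on this board. The sample lines are constructed from entries quoted in the log (the Bonjour and IgfxTray lines are benign controls); the rules themselves are my own assumptions about what a reviewer looks for in an O2/O4/O7/O23 entry, not anything HijackThis computes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the HijackThis entries quoted in the
# thread (paths and CLSIDs taken from that log; the Bonjour and IgfxTray lines
# are benign controls that the rules must leave alone).
SAMPLE_LOG = r"""
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: avast!antivirus - Unknown owner - C:\WINNT\System32\avast!Antivirus.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Heuristics (assumptions made for this example, not HijackThis's own logic):
LOCALSERVICE_PROFILE = re.compile(r"\\documents and settings\\localservice\\", re.I)
NUMERIC_EXE = re.compile(r"\\\d{6,}\.exe$", re.I)
# Display names that claim to be a security product; paired with "Unknown owner"
# (no vendor in the file's version info) they deserve a second look.
SECURITY_WORDS = ("avast", "antivirus", "anti-virus", "security", "defender", "norton", "mcafee")


@dataclass
class Finding:
    section: str   # HijackThis section id, e.g. "O4"
    line: str      # the offending log line, verbatim
    reason: str    # why the rule fired


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O4 - body' into ('O4', 'body'); return None for non-entry lines."""
    m = re.match(r"^([A-Z]\d+)\s+-\s+(.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def o4_target(body: str) -> str:
    r"""Extract the executable path from an O4 Run entry body.

    Body looks like 'HKLM\..\Run: [Name] "C:\path\prog.exe" -switch' or
    'HKLM\..\Run: [Name] C:\path\prog.exe'. Startup-folder O4 lines have no
    [Name] part and yield ''.
    """
    m = re.match(r"^[^\[]*\[[^\]]*\]\s*(.*)$", body)
    if not m:
        return ""
    target = m.group(1).strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target.strip('"')
    # Unquoted: the path runs until the first ' -' or ' /' switch, if any.
    return re.split(r"\s+[-/]", target)[0]


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O4":
            target = o4_target(body)
            if LOCALSERVICE_PROFILE.search(target):
                findings.append(Finding(section, raw,
                    "autostart runs from the LocalService profile, which no normal installer uses"))
            elif NUMERIC_EXE.search(target):
                findings.append(Finding(section, raw, "autostart target has an all-digit file name"))
        elif section == "O7":
            # O7 lines are Policies\System restrictions (DisableRegedit, DisableTaskMgr).
            findings.append(Finding(section, raw, "policy restriction on admin tooling (Regedit / Task Manager)"))
        elif section == "O2":
            module = body.rsplit(" - ", 1)[-1]
            missing = module.endswith("(file missing)")
            path = module.replace("(file missing)", "").strip()
            if missing or "\\" not in path:
                findings.append(Finding(section, raw, "BHO registered with a bare or missing module path"))
        elif section == "O23" and body.startswith("Service: "):
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                name, vendor, _path = parts
                if vendor == "Unknown owner" and any(w in name.lower() for w in SECURITY_WORDS):
                    findings.append(Finding(section, raw,
                        "service named like a security product but carries no vendor information"))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the pass surfaces exactly the entries the thread ends up dealing with: the two `Malware Doctor` Run keys, the `DisableRegedit` policy, the BHO with a missing module, and the service that borrows a security vendor's name without a vendor signature. It is a reading aid, not a verdict; a flagged line still needs the file itself checked before anything is removed.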

Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 5:09 am

Hoping this will help: Here's my Malwarebytes log file:


Malwarebytes' Anti-Malware 1.37
Database version: 2260
Windows 5.1.2600 Service Pack 3

6/11/2009 1:08:18 AM
mbam-log-2009-06-11 (01-08-06).txt

Scan type: Quick Scan
Objects scanned: 103748
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINNT\system32\avast!Antivirus.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINNT\system32\jbnmck.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!avscontrolservice (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\jbnmck.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\0KKOMOM1\mlw[1].exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\localservice\application data\1361538659.exe (Trojan.FakeAlert) -> No action taken.
c:\WINNT\Temp\BN11.tmp (Trojan.Agent) -> No action taken.
C:\WINNT\system32\sft.res (Malware.Trace) -> No action taken.
C:\WINNT\system32\avast!Antivirus.exe (Trojan.Agent) -> No action taken.
C:\WINNT\system32\avast!AVSControlService.exe (Trojan.Downloader) -> No action taken.


Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 5:40 am

A bit more info that may help: I was able to access RegEdit and I'm finally looking at the registry (which I'm loath to modify by hand without some expert assistance) and ran a few searches and found:

/root/legacy_avast!antivirus
/root/legacy_avast!avscontrolservice

HKEY_CLASSES_ROOT/.../Software/Microsoft/Search Assistant/acmru/5603/000.REG_SZ (with data value: maLWARE DOCTOR)
HKEY_USERS/.../Software/Microsoft/Search Assistant/acmru/5603/000.REG_SZ (with data value: maLWARE DOCTOR)


Last edited by LOHAD on 11th June 2009, 1:29 pm; edited 1 time in total


Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 1:25 pm

Okay, here's one more chunk of info that may help: my SpywareGuard log. You'll note that things were squeaky-clean for about two years, then something started happening about five days ago (and I know what it was: a trojan hidden in a self-extracting .rar file -- GRRRR!). What's odd about this too is that the most recent action taken is KEEP BHO -- given the timestamp, that's something that happened while I was asleep this morning. Again, thanks in advance for any assistance you can provide!

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 15:19:00 09/30/2007 a new BHO installation attempt was detected.
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
ProgramID: n/a
File Location: C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
User Action Taken: KEEP BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:18:00 06/06/2009 a new BHO installation attempt was detected.
BHO: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:18:13 06/06/2009 a new BHO installation attempt was detected.
BHO: {C6C7B2A1-00F3-42BD-F434-00AABA2C8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:20:01 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:22:06 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:26:48 06/06/2009 a new BHO installation attempt was detected.
BHO: {53707962-6f74-2d53-2644-206d7942484f}
ProgramID: n/a
File Location: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:28:15 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:32:03 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:36:58 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:46:51 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:47:11 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:49:16 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:56:51 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:57:11 06/06/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:06:49 06/07/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:07:11 06/07/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:16:49 06/07/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:16:51 06/07/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:17:10 06/07/2009 a new BHO installation attempt was detected.
BHO: {c6c7b2a1-00f3-42bd-f434-00aaba2c8953}
ProgramID: n/a
File Location: C:\WINNT\system32\yhafd78auhd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 20:39:56 06/10/2009 a new BHO installation attempt was detected.
BHO: {aff01325-0fc2-4749-8914-fbf0565ad9cc}
ProgramID: MS
File Location: jbnmck.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 23:49:55 06/10/2009 a new BHO installation attempt was detected.
BHO: {aff01325-0fc2-4749-8914-fbf0565ad9cc}
ProgramID: MS
File Location: jbnmcd.dll
User Action Taken: REMOVE BHO

--------------------------------------------------------------------------------
NEW BHO DETECTION ALERT
On 00:06:54 06/11/2009 a new BHO installation attempt was detected.
BHO: {aff01325-0fc2-4749-8914-fbf0565ad9cc}
ProgramID: MS
File Location: jbnmck.dll
User Action Taken: KEEP BHO


Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 1:27 pm

By the way, my solution for whoever wrote Malware Doctor:



...just sayin'


Re: Malware Doctor infection

Post by Belahzur on 11th June 2009, 4:14 pm

Yeah, I know, but stay calm.

First, did you remove everything found by MBAM?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 4:46 pm

Calm, just aggravated -- though I suppose an issue like this every two or three years is part of the deal, hm?

Anyway -- I did remove, but didn't reboot ... just to be sure, I scanned again: MBAM ran really slow (about 10 min to get 1/5 of the way through) so I rebooted and rescanned: 14 affected objects found, but when I went to remove them, MBAM locked up -- though not before I captured the log:

BTW: No Malware Doctor popups (yet!) since the reboot ... though I haven't opened a browser yet, either.

Malwarebytes' Anti-Malware 1.37
Database version: 2260
Windows 5.1.2600 Service Pack 3

6/11/2009 12:38:05 PM
mbam-log-2009-06-11 (12-38-00).txt

Scan type: Quick Scan
Objects scanned: 103310
Time elapsed: 5 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
C:\WINNT\system32\avast!Antivirus.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!avscontrolservice (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINNT\system32\jbnmck.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\0KKOMOM1\mlw[1].exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\localservice\application data\1361538659.exe (Trojan.FakeAlert) -> No action taken.
c:\WINNT\Temp\BN11.tmp (Trojan.Agent) -> No action taken.
C:\WINNT\system32\sft.res (Malware.Trace) -> No action taken.
C:\WINNT\system32\avast!Antivirus.exe (Trojan.Agent) -> No action taken.
C:\WINNT\system32\avast!AVSControlService.exe (Trojan.Downloader) -> No action taken.


Re: Malware Doctor infection

Post by Belahzur on 11th June 2009, 5:06 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please PM me if I fail to respond within 24hrs.



Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 5:45 pm

One Combo-Fix log, fresh off the griddle:


ComboFix 09-06-11.02 - Owner 06/11/2009 13:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.693 [GMT -4:00]
Running from: M:\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\winnt\system32\drivers\kungsfjwlgxvjr.sys
c:\winnt\system32\kungsfpykuhndo.dll
c:\winnt\system32\kungsfrgftilrx.dat
c:\winnt\system32\kungsftkebfyvy.dat
c:\winnt\system32\kungsfuelfkqlr.dll
C:\-1537672393
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\755020800.exe
c:\winnt\system32\404Fix.exe
c:\winnt\system32\Agent.OMZ.Fix.exe
c:\winnt\system32\avast!Antivirus.exe
c:\winnt\system32\avast!AVSControlService.exe
c:\winnt\system32\drivers\43fe088e.sys . . . . failed to delete
c:\winnt\system32\drivers\kungsfjwlgxvjr.sys
c:\winnt\system32\dumphive.exe
c:\winnt\system32\IEDFix.C.exe
c:\winnt\system32\IEDFix.exe
c:\winnt\system32\jbnmck.dll
c:\winnt\system32\kungsfpykuhndo.dll
c:\winnt\system32\kungsfrgftilrx.dat
c:\winnt\system32\kungsftkebfyvy.dat
c:\winnt\system32\kungsfuelfkqlr.dll
c:\winnt\system32\mfc45.dll
c:\winnt\system32\o4Patch.exe
c:\winnt\system32\Process.exe
c:\winnt\system32\sft.res
c:\winnt\system32\skinboxer43.dll
c:\winnt\system32\SrchSTS.exe
c:\winnt\system32\VACFix.exe
c:\winnt\system32\VCCLSID.exe
c:\winnt\system32\WS2Fix.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\winnt\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it Smile
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kungsfgviqqmmu
-------\Legacy_avast!antivirus
-------\Service_43fe088e
-------\Service_avast!antivirus
-------\Legacy_avast!avscontrolservice
-------\Service_avast!avscontrolservice


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 04:28 . 2009-06-11 17:37 99422 ----a-w- c:\winnt\system32\drivers\339a5565.sys
2009-06-11 04:06 . 2009-06-11 17:37 99422 ----a-w- c:\winnt\system32\drivers\b7be25e1.sys
2009-06-11 01:46 . 2009-06-11 01:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 23:45 . 2009-06-10 23:54 -------- d-----w- c:\documents and settings\Owner\Application Data\calibre
2009-06-10 23:44 . 2009-06-11 03:37 -------- d--h--w- c:\program files\InstallJammer Registry
2009-06-10 16:17 . 2009-06-10 16:17 292878 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe
2009-06-10 16:17 . 2009-06-10 16:17 -------- d-----w- c:\program files\Sony
2009-06-10 16:17 . 2009-06-10 16:17 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-06-10 15:47 . 2009-06-10 15:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\kinoma
2009-06-10 15:47 . 2009-06-10 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\kinoma
2009-06-10 15:46 . 2009-06-10 15:46 -------- d-----w- c:\program files\DIFX
2009-06-10 15:46 . 2009-06-10 15:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sony Corporation
2009-06-09 12:25 . 2009-06-11 01:53 78558 ----a-w- c:\winnt\system32\SKYNETlog.dat
2009-06-07 04:36 . 2009-06-07 04:36 -------- d-----w- C:\VundoFix Backups
2009-06-07 03:31 . 2009-06-07 03:31 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-07 03:27 . 2009-06-07 03:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-07 03:26 . 2009-06-07 03:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-06-07 03:21 . 2009-06-11 17:28 182656 ----a-w- c:\winnt\system32\dllcache\ndis.sys
2009-06-07 03:18 . 2009-06-11 17:37 103372 ----a-w- c:\winnt\system32\drivers\43fe088e.sys
2009-06-02 12:58 . 2009-06-02 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-06-02 12:57 . 2009-06-02 12:57 -------- d-----w- c:\program files\Bonjour
2009-06-02 12:52 . 2009-03-06 03:59 1900544 ----a-w- c:\winnt\system32\usbaaplrc.dll
2009-06-02 12:51 . 2009-06-02 12:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 17:33 . 1980-01-01 06:00 182656 ----a-w- c:\winnt\system32\drivers\ndis.sys
2009-06-11 17:02 . 2002-12-20 03:00 -------- d-----w- c:\program files\NewsReactor
2009-06-11 04:03 . 2008-02-07 17:05 -------- d-----w- c:\program files\LogMeIn
2009-06-11 01:17 . 2003-10-03 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 00:50 . 2009-02-10 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 00:40 . 2003-01-06 22:04 138024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 16:33 . 2008-02-01 14:34 3034 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2009-06-07 03:28 . 2005-09-22 03:05 -------- d-----w- c:\program files\SpywareBlaster
2009-06-02 12:58 . 2004-06-25 02:52 -------- d-----w- c:\program files\iTunes
2009-06-02 12:56 . 2006-07-08 16:29 -------- d-----w- c:\program files\QuickTime
2009-06-02 12:55 . 2007-09-18 23:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-01 21:26 . 2008-05-27 22:29 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabIt
2009-05-26 17:20 . 2009-02-10 00:00 40160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-02-10 00:00 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-05-08 07:57 . 2008-02-01 14:48 849184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2009-03-16 13:47 . 2009-03-16 13:48 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2002-09-11 14:26 . 2007-04-17 22:53 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
2005-08-25 23:49 . 2005-05-11 01:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-08-09 18:08 . 2008-02-07 17:12 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 . 2008-02-07 17:12 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"IECHECK.EXE"="c:\winnt\iecheck.exe" [2004-04-10 91136]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2005-06-21 126976]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2005-08-25 181248]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="c:\program files\Common Files\AOL\1187798826\ee\AOLSoftware.exe" [2008-06-24 41824]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]


Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 5:46 pm

the rest of the log file:



c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-5-4 225280]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-31 13:51 87352 ----a-w- c:\winnt\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1187798826\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\ZyXEL\\ZyXEL G-220 v2 Wireless Adapter Utility\\ZyXEL G-220 v2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\winnt\system32\drivers\sonyhcb.sys [9/30/2008 10:40 AM 6097]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [11/22/2004 10:15 AM 3072]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/14/2008 9:20 AM 592232]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/14/2008 9:20 AM 592232]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\winnt\system32\drivers\LMIRfsDriver.sys [2/7/2008 1:05 PM 47640]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [12/17/2002 12:31 AM 6736]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\winnt\system32\ZDCndis5.sys [5/27/2008 2:43 PM 19072]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\winnt\system32\drivers\WlanGZXP.SYS [12/7/2008 3:14 PM 402944]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\winnt\system32\drivers\sonyhcs.sys [9/30/2008 10:40 AM 299923]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSCFG
*NewlyCreated* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2002-12-19 c:\winnt\Tasks\ISP signup reminder 2.job
- c:\winnt\System32\OOBE\oobebaln.exe [2002-09-03 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 13:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\339a5565]
"ImagePath"="\SystemRoot\System32\drivers\339a5565.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\43fe088e]
"ImagePath"="\SystemRoot\System32\drivers\43fe088e.sys"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b7be25e1]
"ImagePath"="\SystemRoot\System32\drivers\b7be25e1.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1124)
c:\winnt\system32\LMIinit.dll
c:\winnt\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(1180)
c:\winnt\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3980)
c:\winnt\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\system32\drivers\CDAC11BA.EXE
c:\program files\ewido\security suite\ewidoctrl.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\winnt\system32\NMSSvc.Exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\wanmpsvc.exe
c:\winnt\system32\MsPMSPSv.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPodmini\iPod\bin\iPodService.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\iolo\System Mechanic\SMTrayNotify.exe
.
**************************************************************************
.
Completion time: 2009-06-11 13:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 17:43

Pre-Run: 18,609,459,200 bytes free
Post-Run: 18,635,145,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

274 --- E O F --- 2009-05-14 07:02


Re: Malware Doctor infection

Post by Belahzur on 11th June 2009, 5:48 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
339a5565
b7be25e1
43fe088e

Rootkit::
c:\winnt\system32\drivers\339a5565.sys
c:\winnt\system32\drivers\b7be25e1.sys
c:\winnt\system32\drivers\43fe088e.sys

Folder::
C:\VundoFix Backups

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\339a5565]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\43fe088e]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\b7be25e1]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


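The CFScript above was written by hand from the log. The following Python is an added example (not ComboFix's code and not the helper's): it parses the line shapes that appear in this thread's logs (ControlSet Services keys with an ImagePath into system32\drivers, and the Security Center "AntiVirusOverride" value), applies the same eight-hex-character service-name heuristic the helper used, and renders the Driver::, Rootkit:: and Registry:: sections. The sample log is constructed from entries in this thread; the SystemRoot of c:\winnt is assumed from the log.

```python
import re

# Line shapes taken from the ComboFix logs posted in this thread.
SERVICE_KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\\\]]+))\]$",
    re.IGNORECASE,
)
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>[^"]+)"$', re.IGNORECASE)
DWORD_RE = re.compile(r'^"(?P<value>\w+)"=dword:(?P<hex>[0-9a-f]{8})$', re.IGNORECASE)
SECURITY_CENTER_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"
# Heuristic from this thread: the rootkit registered services named with eight random
# hex characters (339a5565, b7be25e1, 43fe088e). A match is a candidate for review,
# not proof of malice.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Constructed sample: a cut-down log built from entries that appear in this thread,
# including one legitimate driver (mbamswissarmy) that must not be flagged.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\\winnt\\system32\\drivers\\LMIRfsDriver.sys [2/7/2008 1:05 PM 47640]

[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\339a5565]
"ImagePath"="\\SystemRoot\\System32\\drivers\\339a5565.sys"

[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\43fe088e]
"ImagePath"="\\SystemRoot\\System32\\drivers\\43fe088e.sys"

[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\mbamswissarmy]
"ImagePath"="\\SystemRoot\\System32\\drivers\\mbamswissarmy.sys"
"""


def parse_log(text):
    """Return (suspicious_drivers, overrides) from a ComboFix log.

    suspicious_drivers: list of (service_name, registry_key, image_path) for services
    whose name matches RANDOM_NAME_RE and whose driver sits in system32\\drivers.
    overrides: Security Center *Override / *DisableNotify values set to non-zero,
    which is how the infection kept Windows from complaining about the missing AV.
    """
    drivers, overrides = [], []
    current_key, current_service = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            current_key = line
            m = SERVICE_KEY_RE.match(line)
            current_service = (m.group("name"), m.group("key")) if m else None
            continue
        if current_service:
            m = IMAGEPATH_RE.match(line)
            if m:
                name, key = current_service
                path = m.group("path")
                if RANDOM_NAME_RE.match(name) and "\\system32\\drivers\\" in path.lower():
                    drivers.append((name, key, path))
        elif current_key and current_key.lower() == SECURITY_CENTER_KEY.lower():
            m = DWORD_RE.match(line)
            if (m and m.group("value").lower().endswith(("override", "disablenotify"))
                    and int(m.group("hex"), 16) != 0):
                overrides.append(m.group("value"))
    return drivers, overrides


def build_cfscript(drivers, overrides, systemroot="c:\\winnt"):
    """Render the CFScript sections in the layout the helper used in this thread."""
    lines = ["KILLALL::", ""]
    if drivers:
        lines += ["Driver::"] + [name for name, _, _ in drivers] + [""]
        lines.append("Rootkit::")
        for _, _, path in drivers:
            # ComboFix records ImagePath relative to \SystemRoot; CFScript wants a real path.
            prefix = "\\systemroot"
            if path.lower().startswith(prefix):
                path = (systemroot + path[len(prefix):]).lower()
            lines.append(path)
        lines.append("")
    registry = []
    if overrides:
        registry.append(SECURITY_CENTER_KEY)
        registry += ['"%s"=-' % value for value in overrides]   # "=-" deletes the value
    registry += ["[-%s]" % key for _, key, _ in drivers]        # "[-key]" deletes the key
    if registry:
        lines += ["Registry::"] + registry
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(*parse_log(SAMPLE_LOG)))
```

Treat the output as a proposal to check against the full log before it goes anywhere near ComboFix: a legitimate driver that happened to match the name heuristic would be removed just as readily as the rootkit's.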

Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 6:08 pm

Latest and greatest:


ComboFix 09-06-11.02 - Owner 06/11/2009 13:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.585 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_339a5565
-------\Service_43fe088e
-------\Service_b7be25e1


((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.

2009-06-11 01:46 . 2009-06-11 01:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-10 23:45 . 2009-06-10 23:54 -------- d-----w- c:\documents and settings\Owner\Application Data\calibre
2009-06-10 23:44 . 2009-06-11 03:37 -------- d--h--w- c:\program files\InstallJammer Registry
2009-06-10 16:17 . 2009-06-10 16:17 292878 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{A212E6C2-20F7-4A8E-BD8E-DC3EE7483FA2}\ARPPRODUCTICON.exe
2009-06-10 16:17 . 2009-06-10 16:17 -------- d-----w- c:\program files\Sony
2009-06-10 16:17 . 2009-06-10 16:17 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-06-10 15:47 . 2009-06-10 15:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\kinoma
2009-06-10 15:47 . 2009-06-10 15:47 -------- d-----w- c:\documents and settings\All Users\Application Data\kinoma
2009-06-10 15:46 . 2009-06-10 15:46 -------- d-----w- c:\program files\DIFX
2009-06-10 15:46 . 2009-06-10 15:46 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sony Corporation
2009-06-09 12:25 . 2009-06-11 01:53 78558 ----a-w- c:\winnt\system32\SKYNETlog.dat
2009-06-07 03:31 . 2009-06-07 03:31 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-07 03:27 . 2009-06-07 03:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-07 03:26 . 2009-06-07 03:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-06-07 03:23 . 2009-06-07 03:23 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-06-07 03:21 . 2009-06-11 17:28 182656 ----a-w- c:\winnt\system32\dllcache\ndis.sys
2009-06-02 12:58 . 2009-06-02 12:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-06-02 12:57 . 2009-06-02 12:57 -------- d-----w- c:\program files\Bonjour
2009-06-02 12:52 . 2009-03-06 03:59 1900544 ----a-w- c:\winnt\system32\usbaaplrc.dll
2009-06-02 12:51 . 2009-06-02 12:51 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 17:33 . 1980-01-01 06:00 182656 ----a-w- c:\winnt\system32\drivers\ndis.sys
2009-06-11 17:02 . 2002-12-20 03:00 -------- d-----w- c:\program files\NewsReactor
2009-06-11 04:03 . 2008-02-07 17:05 -------- d-----w- c:\program files\LogMeIn
2009-06-11 01:17 . 2003-10-03 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-11 00:50 . 2009-02-10 00:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-11 00:40 . 2003-01-06 22:04 138024 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 16:33 . 2008-02-01 14:34 3034 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\qbbackup.sys
2009-06-07 03:28 . 2005-09-22 03:05 -------- d-----w- c:\program files\SpywareBlaster
2009-06-02 12:58 . 2004-06-25 02:52 -------- d-----w- c:\program files\iTunes
2009-06-02 12:56 . 2006-07-08 16:29 -------- d-----w- c:\program files\QuickTime
2009-06-02 12:55 . 2007-09-18 23:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-01 21:26 . 2008-05-27 22:29 -------- d-----w- c:\documents and settings\Owner\Application Data\GrabIt
2009-05-26 17:20 . 2009-02-10 00:00 40160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-02-10 00:00 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-05-08 07:57 . 2008-02-01 14:48 849184 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2009-03-16 13:47 . 2009-03-16 13:48 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2002-09-11 14:26 . 2007-04-17 22:53 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
2005-08-25 23:49 . 2005-05-11 01:20 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-08-09 18:08 . 2008-02-07 17:12 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 . 2008-02-07 17:12 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"IECHECK.EXE"="c:\winnt\iecheck.exe" [2004-04-10 91136]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\winnt\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\winnt\system32\hkcmd.exe" [2005-06-21 126976]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2005-08-25 181248]
"NeroFilterCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
"HostManager"="c:\program files\Common Files\AOL\1187798826\ee\AOLSoftware.exe" [2008-06-24 41824]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2007-5-4 225280]
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-31 13:51 87352 ----a-w- c:\winnt\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1187798826\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\ZyXEL\\ZyXEL G-220 v2 Wireless Adapter Utility\\ZyXEL G-220 v2.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\winnt\system32\drivers\sonyhcb.sys [9/30/2008 10:40 AM 6097]
R1 ewido security suite driver;ewido security suite driver;c:\program files\ewido\security suite\guard.sys [11/22/2004 10:15 AM 3072]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/14/2008 9:20 AM 592232]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [5/14/2008 9:20 AM 592232]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\winnt\system32\drivers\LMIRfsDriver.sys [2/7/2008 1:05 PM 47640]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [12/17/2002 12:31 AM 6736]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\winnt\system32\ZDCndis5.sys [5/27/2008 2:43 PM 19072]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\winnt\system32\drivers\WlanGZXP.SYS [12/7/2008 3:14 PM 402944]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S3 sonyhcs;Sony Digital Imaging Video;c:\winnt\system32\drivers\sonyhcs.sys [9/30/2008 10:40 AM 299923]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2002-12-19 c:\winnt\Tasks\ISP signup reminder 2.job
- c:\winnt\System32\OOBE\oobebaln.exe [2002-09-03 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: vzTCPConfig - [You must be registered and logged in to see this link.]
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-11 14:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\winnt\system32\LMIinit.dll
c:\winnt\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(1156)
c:\winnt\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1820)
c:\winnt\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\winnt\system32\drivers\CDAC11BA.EXE
c:\program files\ewido\security suite\ewidoctrl.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\wanmpsvc.exe
c:\winnt\system32\MsPMSPSv.exe
c:\winnt\system32\wscntfy.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\iPodmini\iPod\bin\iPodService.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\iolo\System Mechanic\SMTrayNotify.exe
.
**************************************************************************
.
Completion time: 2009-06-11 14:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-11 18:06
ComboFix2.txt 2009-06-11 17:43

Pre-Run: 18,602,418,176 bytes free
Post-Run: 18,587,815,936 bytes free

207 --- E O F --- 2009-05-14 07:02


Re: Malware Doctor infection

Post by Belahzur on 11th June 2009, 6:11 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Malware Doctor infection

Post by LOHAD on 11th June 2009, 6:32 pm

Belahzur wrote: How is the machine running now?

Like Jim Cornette fleeing his mamma when she threatens to take away his allowance!

Seriously, it seems to be running clean again ... thanks for all the help you and your cohorts provide on this site ... MUCH appreciated ... I'm heading to the tip jar now ...

Quick final question: In addition to MBAM (which I typically like to run every month or so when I back up to external drives), I also use CrapCleaner, Ad-aware, Spybot S&D, System Mechanic, and SpywareGuard (I'm not a fan of Norton or McAfee; too bloated) ... okay, make that two final questions: (1) Is there anything on that list that's a waste of time? and (2) Is there anything else I ought to be using regularly?

Thanks again!



Re: Malware Doctor infection

Post by Belahzur on 11th June 2009, 6:38 pm

Nope, that's a good list of protection.

