Having Trouble Removing Malware Doctor


Having Trouble Removing Malware Doctor

Post by cathal on 17th June 2009, 9:16 am

Hi,

Hoping someone can help. I'm having trouble completely removing Malware Doctor.
Here's my approach so far:
1. Run Hijackthis
2. Run Malwarebytes antiMalware
3. Run Combofix (renamed to Cfix)

Log files in the next post

Each time I reboot Malware Doctor reappears!

Thanks in advance,
Cathal

cathal
Novice
Novice

Posts Posts : 9
Joined Joined : 2009-06-17
OS OS : XP Pro
Points Points : 27341
# Likes # Likes : 0


Hijack Log

Post by cathal on 17th June 2009, 9:16 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:20:34, on 17/06/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - [You must be registered and logged in to see this link.]
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mqhwoxjv - mqhwoxjv.dll (file missing)
O23 - Service: AGRESSO 5.5 Server - agresso - Unknown owner - C:\Agresso\Bin\AgrBusinessServer.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7176 bytes


Malwarebytes anti Malware log

Post by cathal on 17th June 2009, 9:21 am

Malwarebytes antiMalware log

Malwarebytes' Anti-Malware 1.37
Database version: 2279
Windows 5.1.2600 Service Pack 2
17/06/2009 01:23:42
mbam-log-2009-06-17 (01-23-42).txt
Scan type: Quick Scan
Objects scanned: 94401
Time elapsed: 2 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\355f8bf8 (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\avast!AntiVirus (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\system32\drivers\355f8bf8.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.


Combofix log

Post by cathal on 17th June 2009, 9:26 am

ComboFix 09-06-16.01 - Administrator 17/06/2009 1:25.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.772 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cfix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\nuiim.sys
c:\windows\system32\Drivers\qqaqr.sys
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\windows\system32\drivers\nuiim.sys
c:\windows\system32\drivers\qqaqr.sys
.
---- Previous Run -------
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_kgwwqoos
-------\Legacy_avast!antivirus
-------\Service_zwki


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 23:21 . 2009-06-16 23:31 -------- d-s---w- C:\cf
2009-06-15 21:29 . 2009-06-15 21:29 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-15 18:49 . 2009-06-15 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-12 17:11 . 2009-06-12 17:11 83984 ----a-w- c:\documents and settings\Administrator\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2009-06-12 17:11 . 2009-06-12 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cisco
2009-05-31 18:55 . 2009-05-31 18:55 390664 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 00:33 . 2009-05-06 21:36 87164 ----a-w- c:\windows\system32\drivers\c53c2f57.sys
2009-06-17 00:33 . 2009-05-05 20:39 111100 ----a-w- c:\windows\system32\drivers\b694d1b1.sys
2009-06-17 00:23 . 2009-06-17 00:23 204 ----a-w- c:\program files\tnmkstcr.txt
2009-06-16 23:20 . 2009-06-16 23:20 2168 ----a-w- c:\program files\zpefai.txt
2009-06-15 23:57 . 2007-10-22 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-15 19:57 . 2007-07-30 21:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-14 23:52 . 2008-08-13 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 22:15 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP66c8.tmp
2009-06-14 22:14 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP67d2.tmp
2009-06-14 22:07 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6929.tmp
2009-06-14 21:52 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6755.tmp
2009-06-14 18:01 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6716.tmp
2009-06-14 17:54 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6561.tmp
2009-06-14 17:54 . 2006-11-28 13:47 90112 ----a-w- c:\windows\DUMP6793.tmp
2009-06-07 17:38 . 2007-04-09 23:55 -------- d-----w- c:\program files\PartyGaming
2009-05-26 12:20 . 2008-08-13 17:30 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-08-13 17:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:38 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-05-04 18:32 . 2006-11-30 18:51 -------- d-----w- c:\program files\LimeWire
2009-05-04 13:37 . 2009-02-04 13:37 51712 --sha-w- c:\windows\system32\bokiluve.exe
2009-04-04 10:51 . 2009-04-04 10:51 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-14 34880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-11-29 69632]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-29 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
mqhwoxjv.dll [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
R2 AGRESSO 5.5 Server - agresso;AGRESSO 5.5 Server - agresso;c:\agresso\Bin\AgrBusinessServer.exe [01/02/2006 14:19 325136]
S1 63f18e3f;63f18e3f;c:\windows\system32\drivers\63f18e3f.sys --> c:\windows\system32\drivers\63f18e3f.sys [?]
S1 66273cf8;66273cf8;c:\windows\system32\drivers\66273cf8.sys --> c:\windows\system32\drivers\66273cf8.sys [?]
S1 66e6e21c;66e6e21c;c:\windows\system32\drivers\66e6e21c.sys --> c:\windows\system32\drivers\66e6e21c.sys [?]
S1 6771f740;6771f740;c:\windows\system32\drivers\6771f740.sys --> c:\windows\system32\drivers\6771f740.sys [?]
S1 8683d7d4;8683d7d4;c:\windows\system32\drivers\8683d7d4.sys --> c:\windows\system32\drivers\8683d7d4.sys [?]
S1 a27d0d4b;a27d0d4b;c:\windows\system32\drivers\a27d0d4b.sys --> c:\windows\system32\drivers\a27d0d4b.sys [?]
S1 c5a1b198;c5a1b198;c:\windows\system32\drivers\c5a1b198.sys --> c:\windows\system32\drivers\c5a1b198.sys [?]
S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [28/09/2007 19:35 423576]
S3 MSSQL$AGRESSO;MSSQL$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO [?]
S3 SQLAgent$AGRESSO;SQLAgent$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO [?]
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-17 01:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset005\Services\b694d1b1]
"ImagePath"="\SystemRoot\System32\drivers\b694d1b1.sys"
--

[HKEY_LOCAL_MACHINE\System\controlset005\Services\c53c2f57]
"ImagePath"="\SystemRoot\System32\drivers\c53c2f57.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\MICROS~2\OFFICE11\MCPS.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-06-17 1:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 00:34

Pre-Run: 12,786,806,784 bytes free
Post-Run: 12,802,248,704 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
183


Re: Having Trouble Removing Malware Doctor

Post by Belahzur on 17th June 2009, 12:37 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\drivers\c53c2f57.sys
c:\windows\system32\drivers\b694d1b1.sys
c:\program files\tnmkstcr.txt
c:\program files\zpefai.txt
c:\windows\DUMP66c8.tmp
c:\windows\DUMP67d2.tmp
c:\windows\DUMP6929.tmp
c:\windows\DUMP6755.tmp
c:\windows\DUMP6716.tmp
c:\windows\DUMP6561.tmp
c:\windows\DUMP6793.tmp
c:\windows\system32\bokiluve.exe

Folder::
c:\program files\LimeWire

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\StubInstaller.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\System\controlset005\Services\b694d1b1]
[-HKEY_LOCAL_MACHINE\System\controlset005\Services\c53c2f57]

DDS::
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171

Driver::
63f18e3f
66273cf8
66e6e21c
6771f740
8683d7d4
a27d0d4b
c5a1b198
c53c2f57
b694d1b1

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

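A small log-triage script, added here as an example and not a tool from this forum or from the ComboFix or HijackThis authors: it scans log lines in the formats posted above for the four indicator types the helper acted on (8-hex-character driver services, a browser proxy on localhost, a Winlogon Notify entry with a missing or pseudo-random DLL, a Run value launching from the LocalService profile) and renders them in the CFScript section layout used in this thread. The heuristics, function names and sample are my own assumptions; the sample lines are copied from this thread's logs, and the output is a lead list for a human helper to review, not a verdict.

```python
import re

# Constructed sample: a few lines copied from the HijackThis and ComboFix
# logs posted earlier in this thread, mixed with benign entries.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O20 - Winlogon Notify: mqhwoxjv - mqhwoxjv.dll (file missing)
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
S1 63f18e3f;63f18e3f;c:\windows\system32\drivers\63f18e3f.sys --> c:\windows\system32\drivers\63f18e3f.sys [?]
S1 c5a1b198;c5a1b198;c:\windows\system32\drivers\c5a1b198.sys --> c:\windows\system32\drivers\c5a1b198.sys [?]
S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]
"""

# Heuristics (assumptions of this example, not ComboFix or HijackThis rules).
# ComboFix service line whose 8-hex-character name matches its driver file name.
HEX_DRIVER = re.compile(r"^[RS]\d (?P<name>[0-9a-f]{8});(?P=name);(?P<path>.+?\.sys)", re.I)
# HijackThis R1 line setting a browser proxy; flagged when it points at loopback.
PROXY = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.I)
LOOPBACK = ("localhost", "127.0.0.1")
# HijackThis O20 Winlogon Notify entry.
NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")
# ComboFix Run value whose executable lives under the LocalService profile.
LOCALSERVICE_RUN = re.compile(r'^"(?P<value>[^"]+)"="(?P<path>[^"]*\\LocalService\\[^"]+\.exe)"', re.I)
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def triage(log_text):
    """Scan log lines; return findings per category as (line_no, name, path_or_value)."""
    findings = {"hex_drivers": [], "loopback_proxy": [],
                "winlogon_notify": [], "localservice_run": []}
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if m := HEX_DRIVER.match(line):
            findings["hex_drivers"].append((n, m.group("name").lower(), m.group("path")))
        elif m := PROXY.search(line):
            if any(host in m.group("value").lower() for host in LOOPBACK):
                findings["loopback_proxy"].append((n, "ProxyServer", m.group("value")))
        elif m := NOTIFY.match(line):
            # Missing DLL, or an 8-letter pseudo-random name as with mqhwoxjv above.
            if "file missing" in m.group("rest") or re.fullmatch(r"[a-z]{8}", m.group("name")):
                findings["winlogon_notify"].append((n, m.group("name"), m.group("dll")))
        elif m := LOCALSERVICE_RUN.match(line):
            findings["localservice_run"].append((n, m.group("value"), m.group("path")))
    return findings


def cfscript(findings):
    """Render findings in the CFScript section layout used in this thread.
    The result is a draft for a human helper to check before use."""
    if not any(findings.values()):
        return ""
    out = ["KILLALL::", ""]
    files = [p for _, _, p in findings["hex_drivers"]] + [p for _, _, p in findings["localservice_run"]]
    if files:
        out += ["File::"] + files + [""]
    if findings["winlogon_notify"]:
        out += ["Registry::"] + ["[-%s\\%s]" % (NOTIFY_KEY, name)
                                 for _, name, _ in findings["winlogon_notify"]] + [""]
    if findings["loopback_proxy"]:
        out += ["DDS::"] + ["uInternet Settings,ProxyServer = %s" % v
                            for _, _, v in findings["loopback_proxy"]] + [""]
    if findings["hex_drivers"]:
        out += ["Driver::"] + [name for _, name, _ in findings["hex_drivers"]]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(cfscript(triage(SAMPLE_LOG)))
```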

Combofix log (CFScript)

Post by cathal on 17th June 2009, 9:31 pm

Thanks for the response. Unfortunately Malware Doctor still remains. Here's the latest ComboFix log.


ComboFix 09-06-16.01 - Administrator 17/06/2009 22:17.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.785 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\cfix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\program files\tnmkstcr.txt"
"c:\program files\zpefai.txt"
"c:\windows\DUMP6561.tmp"
"c:\windows\DUMP66c8.tmp"
"c:\windows\DUMP6716.tmp"
"c:\windows\DUMP6755.tmp"
"c:\windows\DUMP6793.tmp"
"c:\windows\DUMP67d2.tmp"
"c:\windows\DUMP6929.tmp"
"c:\windows\system32\bokiluve.exe"
"c:\windows\system32\drivers\b694d1b1.sys"
"c:\windows\system32\drivers\c53c2f57.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\windows\system32\Drivers\mtjtwb.sys
c:\program files\LimeWire\.NetworkShare\LimeWirePackedJars4.12.6.7z
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.12.6.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.1.2.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\hs_err_pid3428.log
c:\program files\LimeWire\hs_err_pid5144.log
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-1.7.0_java15.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot.jar
c:\program files\LimeWire\lib\guice-snapshot.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta1.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.1-x64.dll
c:\program files\LimeWire\lib\jacob-1.14.1-x86.dll
c:\program files\LimeWire\lib\jacob-1.14.1.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\jxlayer.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\swing-worker-1.1.jar
c:\program files\LimeWire\lib\swingx-0.9.4.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\program files\tnmkstcr.txt
c:\program files\zpefai.txt
c:\windows\DUMP6561.tmp
c:\windows\DUMP66c8.tmp
c:\windows\DUMP6716.tmp
c:\windows\DUMP6755.tmp
c:\windows\DUMP6793.tmp
c:\windows\DUMP67d2.tmp
c:\windows\DUMP6929.tmp
c:\windows\system32\bokiluve.exe
c:\windows\system32\drivers\b694d1b1.sys
c:\windows\system32\drivers\c53c2f57.sys
c:\windows\system32\drivers\mtjtwb.sys
c:\windows\system32\mqhwoxjv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_avast!antivirus
-------\Service_63f18e3f
-------\Service_66273cf8
-------\Service_66e6e21c
-------\Service_6771f740
-------\Service_8683d7d4
-------\Service_a27d0d4b
-------\Service_c5a1b198
-------\Service_ljvm


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 21:23 . 2009-06-17 21:23 90624 ----a-w- c:\documents and settings\LocalService\Application Data\1361538659.exe
2009-06-16 23:21 . 2009-06-16 23:31 -------- d-s---w- C:\cf
2009-06-15 21:29 . 2009-06-15 21:29 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-06-15 18:49 . 2009-06-15 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-15 18:48 . 2009-06-15 19:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-12 17:11 . 2009-06-12 17:11 83984 ----a-w- c:\documents and settings\Administrator\Application Data\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2009-06-12 17:11 . 2009-06-12 17:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\Cisco
2009-05-31 18:55 . 2009-05-31 18:55 390664 ----a-w- c:\documents and settings\Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.


Re: Having Trouble Removing Malware Doctor

Post by cathal on 17th June 2009, 9:31 pm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 21:25 . 2009-06-17 21:24 99422 ----a-w- c:\windows\system32\drivers\a38d43bf.sys
2009-06-17 21:23 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-17 21:23 . 2009-06-17 21:23 29184 ----a-w- c:\windows\system32\jbnmck.dll
2009-06-17 21:23 . 2009-06-17 21:23 16896 ----a-w- c:\windows\system32\mqhwoxjv.dll
2009-06-17 21:23 . 2009-06-17 21:23 36864 ----a-w- c:\windows\system32\avast!Antivirus.exe
2009-06-17 21:00 . 2009-06-17 21:00 2484 ----a-w- c:\program files\wmbcgs.txt
2009-06-15 23:57 . 2007-10-22 20:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2009-06-15 19:57 . 2007-07-30 21:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-14 23:52 . 2008-08-13 17:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 17:38 . 2007-04-09 23:55 -------- d-----w- c:\program files\PartyGaming
2009-05-26 12:20 . 2008-08-13 17:30 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 12:19 . 2008-08-13 17:30 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-05 20:38 . 2004-08-04 12:00 212480 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-04-04 10:51 . 2009-04-04 10:51 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
.

------- Sigcheck -------

[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\dllcache\ndis.sys
[-] 2009-05-05 20:38 212480 791778A1F54D4B3F36773F11783A53FC c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 21:23 . 2009-06-17 21:23 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 21:21 . 2009-06-17 21:21 16384 c:\windows\temp\Perflib_Perfdata_c0.dat
+ 2009-06-17 21:23 . 2009-06-17 21:23 16384 c:\windows\temp\History\History.IE5\index.dat
+ 2009-06-17 21:23 . 2009-06-17 21:23 16384 c:\windows\temp\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-06-17 00:32 78316 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2004-08-04 12:00 14336 c:\windows\system32\dllcache\svchost.exe
+ 2004-08-04 12:00 . 2009-06-17 21:23 14336 c:\windows\system32\dllcache\svchost.exe
+ 2006-11-28 15:34 . 2009-06-17 21:07 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 65536 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-11-28 15:34 . 2009-06-17 21:07 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 49152 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-06-17 00:32 450368 c:\windows\system32\perfh009.dat
+ 2006-12-22 09:50 . 2009-06-17 21:21 212438 c:\windows\system32\inetsrv\MetaBase.bin
+ 2006-11-28 15:34 . 2009-06-17 21:07 770048 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-28 15:34 . 2009-06-16 22:24 770048 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}]
2009-06-17 21:23 29184 ----a-w- c:\windows\system32\jbnmck.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-08-18 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-25 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Malware Doctor"="c:\documents and settings\LocalService\Application Data\1361538659.exe" [2009-06-17 90624]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-07-14 34880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2006-11-29 69632]
SnagIt 8.lnk - c:\program files\TechSmith\SnagIt 8\SnagIt32.exe [2007-5-1 6395464]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-11-29 122880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mqhwoxjv]
2009-06-17 21:23 16896 ----a-w- c:\windows\system32\mqhwoxjv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [28/11/2006 16:57 58016]
R2 AGRESSO 5.5 Server - agresso;AGRESSO 5.5 Server - agresso;c:\agresso\Bin\AgrBusinessServer.exe [01/02/2006 14:19 325136]
R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe []
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [28/09/2007 19:35 423576]
S3 MSSQL$AGRESSO;MSSQL$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlservr.exe -sAGRESSO [?]
S3 SQLAgent$AGRESSO;SQLAgent$AGRESSO;c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO --> c:\progra~1\MICROS~4\MSSQL$~1\binn\sqlagent.exe -i AGRESSO [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVAST!ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\WHALEC~1\CLIENT~1\31265D~1.0\WhlLSP.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-17 22:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\jbnmck.dll 29184 bytes executable
c:\windows\system32\mqhwoxjv.dll 16896 bytes executable
c:\windows\system32\svchost.exe:ext.exe 32768 bytes executable
c:\windows\system32\avast!Antivirus.exe 36864 bytes executable
c:\windows\system32\sft.res 134 bytes

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset005\Services\FCI]
"ImagePath"="c:\windows\system32\svchost.exe:ext.exe"

[HKEY_LOCAL_MACHINE\System\controlset005\Services\a38d43bf]
"ImagePath"="\SystemRoot\System32\drivers\a38d43bf.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\VsTskMgr.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\NETWOR~1\COMMON~1\naPrdMgr.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\TechSmith\SnagIt 8\TscHelp.exe
c:\program files\TechSmith\SnagIt 8\SnagPriv.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\temp\diw5.tmp
.
**************************************************************************
.
Completion time: 2009-06-17 22:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 21:26
ComboFix2.txt 2009-06-17 21:10
ComboFix3.txt 2009-06-17 00:34

Pre-Run: 12,826,550,272 bytes free
Post-Run: 12,786,122,752 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
313


Re: Having Trouble Removing Malware Doctor

Post by Belahzur on 17th June 2009, 9:47 pm

Hello.
Do you have your XP disc? We can't fix this infection because a patched system file is regenerating all this malware.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Having Trouble Removing Malware Doctor

Post by cathal on 17th June 2009, 11:09 pm

Hi,
Unfortunately I don't have my OS on disk. Any other options?
Thanks again


Re: Having Trouble Removing Malware Doctor

Post by Belahzur on 18th June 2009, 12:07 am

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    ndis.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


systemlog

Post by cathal on 18th June 2009, 10:12 pm

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 23:10 on 18/06/2009 by Administrator (Administrator - Elevation successful)

No Context: filefind

No Context: ndis.sys

-=End Of File=-


Re: Having Trouble Removing Malware Doctor

Post by Belahzur on 18th June 2009, 10:31 pm

Hello.
Not sure if that worked right?
Did you copy my script exactly as seen in the code box? Not forgetting the : in front of filefind?


Re: Having Trouble Removing Malware Doctor

Post by cathal on 18th June 2009, 10:36 pm

Hi,
Yes, copied as per your post. Tried again, same log result.
As an aside, I no longer get the Malware Doctor popups. All looks good again, but my wireless connection has been damaged. Something you've come across before?
Note: Malwarebytes Anti-Malware still finds infected files upon scanning.
Thanks
