
Malware Doctor Removal



#1 jlavezzo

Posted 23 May 2009 - 02:52 PM

I recently discovered that I was infected with what appears to be Malware Doctor. I have followed the instructions on the link listed below with limited success. Once I run the quick scan and identify and remove several infected files, Malwarebytes indicates that it cannot delete two files within Windows/Temp. It marks them for deletion on reboot. Once rebooted, it appears that my computer is re-infected with Malware Doctor. If there are more current instructions for removing this rogue software, please point me in the right direction.


http://www.bleepingcomputer.com/malware-re...move-malwaredoc

Regards,
JL

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal


#2 buddy215

Posted 23 May 2009 - 03:28 PM

Give Super AntiSpyware a shot at it. It is best run in safe mode.
Be sure to update after downloading, installing and before booting into safe mode.

Instructions for using and link to download in link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

Post back with the scan log and for further instructions.
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” (Lawrence M. Krauss)
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 jlavezzo

Posted 25 May 2009 - 07:41 AM

Below is the log from SUPERAntiSpyware. It seems to have helped. During this whole process I downloaded and installed AVG and the AVG Toolbar. I noticed once I rebooted after the SUPERAntiSpyware scan the AVG Toolbar seemed to be preventing any browsing. The toolbar was configured with "Total Protection", which seemed to block everything. I was required to disable the toolbar to enable normal browsing. I am going to check in at the AVG site, but if you have any thoughts I would greatly appreciate them.

Regards,
JL

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/25/2009 at 03:19 AM

Application Version : 4.26.1002

Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 13:19:20

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 6665
Registry threats detected : 11
File items scanned : 135046
File threats detected : 58

Trojan.Unknown Origin
[autochk] C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUME~1\LOCALS~1\PROTECT.DLL
[autochk] C:\DOCUME~1\NETWOR~1\PROTECT.DLL
C:\DOCUME~1\NETWOR~1\PROTECT.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\JOEY\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\JOEY\START MENU\PROGRAMS\STARTUP\CHKDISK.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\PROTECT.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\PROTECT.DLL
C:\WINDOWS\TEMP\MSB.DLL

Trojan.Agent/Gen-AvastFake
HKLM\System\ControlSet001\Services\avast!Antivirus
C:\WINDOWS\SYSTEM32\AVAST!ANTIVIRUS.EXE
HKLM\System\ControlSet001\Enum\Root\LEGACY_avast!Antivirus
HKLM\System\ControlSet002\Services\avast!Antivirus
HKLM\System\ControlSet002\Enum\Root\LEGACY_avast!Antivirus
HKLM\System\CurrentControlSet\Services\avast!Antivirus
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_avast!Antivirus

Adware.Tracking Cookie

Rogue.Component/Trace
HKU\S-1-5-21-2372157693-3621793472-4265433186-1005\Software\Microsoft\FIAS4057

Trojan.Agent/Gen-FSG
C:\DOCUMENTS AND SETTINGS\JOEY\LOCAL SETTINGS\TEMP\TEMPORARY DIRECTORY 3 FOR MAGIC.DVD.COPIER.4.4.KEYGEN-REV[1].ZIP\KEYGEN.EXE

Trojan.Agent/Gen-QuickDrop
C:\RECYCLER\S-1-5-21-2372157693-3621793472-4265433186-1005\DC248.EXE

Trojan.Unclassified-Packed/Suspicious
C:\WINDOWS\SYSTEM32\JHXM32.DLL
C:\WINDOWS\SYSTEM32\LKLF32.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Joey\Local Settings\Temporary Internet Files\Content.IE5\UE7ZTLJF\crossdomain[1].xml

#4 buddy215

Posted 25 May 2009 - 10:03 AM

A lot of what SAS found and removed should have been removed by MBAM, also. Suggest you update MBAM and run another scan with it. It is possible that you are not using it correctly or did not update before using MBAM. Here is a link to the instructions for using MBAM.
http://www.bleepingcomputer.com/forums/ind...t&p=1100727
It is most important to update prior to scanning, as the malware is constantly changing file names and locations to hide from the security programs.


You are not alone in wanting to remove the AVG Toolbar. You can disable it or remove it by reinstalling AVG.

Cleanup the temporary files and logs in your computer using the ATF Cleaner.
http://www.atribune.org/ccount/click.php?id=1
Double-click ATF-Cleaner.exe to run the program.

* Under Main "Select Files to Delete" choose: Select All.
* Click the Empty Selected button.
* If you use Firefox browser click Firefox at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* If you use Opera browser click Opera at the top and choose: Select All
* Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Post back with the logs from MBAM and a new scan from SAS.

Scan your computer for missing security updates using Secunia Online Scanner. Only takes a few seconds. If Secunia says you need to update Java, update it and then go to Add/Remove and remove ALL older Java programs.
http://secunia.com/vulnerability_scanning/online/

Edited by buddy215, 25 May 2009 - 10:05 AM.


#5 jlavezzo

Posted 25 May 2009 - 11:23 AM

I'm pretty sure that I updated both MBAM and SAS prior to scanning. However, I will do them both again. Should I be doing a "Complete" scan using both products? SAS took 13 hours, so it's a bit cumbersome.

#6 buddy215

Posted 25 May 2009 - 11:51 AM

That length of scan may be a record! But it did find what was likely the source of the malware attack.
Someone downloaded a crack to your computer (keygen).

Do a quick scan with both.

Some of your System Restore points are infected. When you are rid of all other malware, you can delete those, too. Deleting all restore points is the only option. Directions for doing that, if needed, are in the link below for XP.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

You can block the Ad/Tracking cookies that SAS removed from ever installing on your computer by following the simple instructions in the link below. Once you have changed the settings you will need to remove the existing third party cookies by using SAS.
http://www.howtogeek.com/howto/windows-vis...cookies-in-ie7/

If you have Firefox, simply uncheck "allow third party cookies" in the options, privacy tab.

#7 jlavezzo

Posted 25 May 2009 - 08:11 PM

Completed both scans and logs are posted below. Cleaned out temp files using ATF. Secunia indicated that I was ok except for patches for QuickTime and iTunes. I blocked all third-party cookies. It seems like neither software is able to remove the msb.dll and the other "Delete on Reboot" file from Malwarebytes. Also, the protect.dll seems to always appear on the SAS scan.

Malwarebytes' Anti-Malware 1.36
Database version: 2178
Windows 5.1.2600 Service Pack 2

5/25/2009 6:02:08 PM
mbam-log-2009-05-25 (18-02-08).txt

Scan type: Quick Scan
Objects scanned: 92503
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
c:\program Files\ThunMail\testabd.exe (Spyware.OnlineGamer) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.OnlineGamer) -> Data: c:\progra~1\thunmail\testabd.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\Joey\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail\testabd.dll (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail\testabd.exe (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Joey\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\vp_setup.exe.bat (Malware.Trace) -> Quarantined and deleted successfully.


=======================================================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/25/2009 at 07:18 PM

Application Version : 4.26.1002

Core Rules Database Version : 3909
Trace Rules Database Version: 1853

Scan type : Quick Scan
Total Scan Time : 00:45:48

Memory items scanned : 980
Memory threats detected : 1
Registry items scanned : 676
Registry threats detected : 4
File items scanned : 60339
File threats detected : 7

Trojan.Unknown Origin
C:\WINDOWS\TEMP\MSB.DLL
C:\WINDOWS\TEMP\MSB.DLL
[autochk] C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
C:\WINDOWS\SYSTEM32\AUTOCHK.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUME~1\LOCALS~1\PROTECT.DLL
[autochk] C:\DOCUME~1\JOEY\PROTECT.DLL
C:\DOCUME~1\JOEY\PROTECT.DLL
[autochk] C:\DOCUME~1\LOCALS~1\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\JOEY\PROTECT.DLL
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\PROTECT.DLL
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\PROTECT.DLL
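The Malwarebytes log above is the evidence in this thread: two items stuck at "Delete on reboot" and autostart entries in the Run keys, AppInit_DLLs and the Startup folder. As an added example, not from the forum or from Malwarebytes, here is a small Python triage script that parses lines in that log format, lists what is still pending removal, and counts the autostart locations the rogue used. The sample log is constructed from a subset of the entries posted above.

```python
import re
from collections import Counter
# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.36 log
# posted above: a subset of that log's own entries, not the whole log.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.OnlineGamer) -> Data: c:\progra~1\thunmail\testabd.dll -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\Documents and Settings\Joey\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

# One detection line: "<item> (<family>) -> [Data: <value> -> ]<action>."
LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[\w./-]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)

# Autostart locations that bring the rogue back after every reboot.
PERSISTENCE = (
    ("Run key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("AppInit_DLLs", re.compile(r"\\AppInit_DLLs$", re.I)),
    ("Startup folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
)

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    entries, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Infected:"):
            section = line[:-1]  # e.g. "Files Infected"
        elif section and (m := LINE_RE.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def persistence_kind(item):
    """Name the autostart mechanism a path/key belongs to, or None."""
    return next((k for k, p in PERSISTENCE if p.search(item)), None)

def triage(entries):
    """List items still pending removal and count autostart entries planted."""
    pending = sorted({e["item"] for e in entries
                      if e["action"].lower().startswith("delete on reboot")})
    kinds = Counter(persistence_kind(e["item"]) for e in entries)
    kinds.pop(None, None)
    return {"pending": pending, "persistence": dict(kinds)}
```

Run `triage(parse_mbam_log(open("mbam-log.txt").read()))` on a saved log; a non-empty `pending` list after a reboot is the sign, seen in this thread, that the removal did not stick.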

#8 buddy215

Posted 25 May 2009 - 09:24 PM

You have some very nasty malware there. You are going to need some expert help to remove it. Post a Hijack This Log in the HJT Forum by following the instructions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Once you have posted the log do not bump it. Wait for one of the team members to respond. They are very busy and it will likely be more than a week before they will get to you.

#9 jlavezzo

Posted 26 May 2009 - 07:32 PM

I'm going to the system recovery cd. This is taking too much time. Thanks so much for your help. At least you were able to get me back up and running so that I could backup to external storage.

Regards,
JL

#10 buddy215

Posted 27 May 2009 - 06:36 AM

Good decision. That is what I would have done, too. A reformat and reinstall of all programs and OS.
Hey, and stay away from cracks and P2P programs. Good luck to you.