Malware Doctor - Returns after cleaning


This topic is locked. 5 replies to this topic.

#1 hrudy24 (Members, 7 posts)

Posted 25 May 2009 - 03:13 PM

I've been trying to remove the Malware Doctor program for the past few days, but all my attempts have been unsuccessful. It will disappear for a few hours, but it always returns without warning. My system appears clean at the present time, but I want to be sure I've completely removed it. Can you please review my log files and guide me where to go from here?

Below is the process I recently did to clean my system:

1. Delete avast!antivirus.exe from my system in safe mode
2. Update MBAM, scan in safe mode, restart system (attached: mbam_log_2009_05_25__13_25_44_.txt)
3. Run Combofix in safe mode and restart (attached: logcf.txt)
4. Fresh Hijack log after restart (attached: hijackthis.log)
5. RSIT log (attached: rsitlog.txt)
6. Ran a Kaspersky Scan because it may be asked for in future. (attached: kasperskylog.txt)

Let me know if I need to run any more logs or programs. Thanks for your help guys. I know you stay extremely busy!

Edited by hrudy24, 25 May 2009 - 06:07 PM.


#2 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 07 June 2009 - 10:11 AM

Hi!

Welcome to Bleeping Computer. My name is etavares and I will be helping you with your log.

I'd like to let you know that I am in training here at BC. At each stage of the process, my work will be checked by an expert coach. That means there may be a slight delay between my responses as they check it. Don't worry, we won't leave you.

Here are a few things to get started:
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
  • In your reply, please post an updated RSIT log so we have the most up to date information. Please also let me know any symptoms your computer is showing.


Due to the number of people waiting for help, if I don't hear from you in 3 days, I'll bump the topic, then close this topic the next day if you haven't replied.

Thanks!


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 hrudy24 (Topic Starter, Members, 7 posts)

Posted 07 June 2009 - 05:14 PM

Hi!

Thanks for helping me. Here is the log you requested:

(attached: rsitlog6_7.txt)

I haven't experienced any problems since I posted the first set of logs. Everything seems fine on the surface. However, I want to be sure I've removed everything. Thanks!

#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 09 June 2009 - 04:43 PM

Hi hrudy24,

The good news is that Malware Doctor looks to be gone. There is one piece of malware we need to take care of using the following instructions.

When you post a log, please cut and paste it into your reply instead of attaching it. It makes it easier for us. Thanks!

Here are the instructions:

1. We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
    [image]
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

2. Backup Registry
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished with fixing your computer (I will make it clear when we are), you can uninstall ERUNT through Add/Remove Programs (see http://www.bleepingcomputer.com/forums/topic42133.html). The backups will be stored at C:\WINDOWS\erdnt, and will not be deleted when ERUNT is uninstalled.

3. We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :files
    C:\Documents and Settings\Admin\Application Data\Adobe\Player.exe
    C:\WINDOWS\system32\drivers\alg7qjta.sys
    :services
    alg7qjta
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Run"=-
  • Push the large [image] button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Please also post a fresh RSIT log as well.

4. Online Antivirus Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

5. We need to enable Spybot S&D's "TeaTimer"
Now that we're done with the fix, we should reenable TeaTimer.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click on [image]
  • Click on [image]
  • Check this checkbox:
    [image]
  • Close/Exit Spybot Search and Destroy

6. Antivirus
Finally, I see you have antivir installed and that it is set up to run a scan every so often. I highly recommend you enable real-time protection. Antivir calls this the Guard. If you open the control center, AntiVir Guard should be Activated. If not, please click 'Activate' to the right.


The following link has more information about Guard if you have questions.
http://www.free-av.com/documents/products/...personal_en.pdf

If you prefer to start from scratch, then first Remove antivir from add/remove programs. Then, please do the following. If you choose to keep antivir and enable real-time protection, then please skip to the next step.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Last Step:
Please post the OTM log, the Kaspersky online scan log and a fresh DDS log in your next post.


Thanks!


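The OTM script in step 3 of the post above uses a small section-based format (:files, :services, and :reg, where a line of the form "name"=- deletes that value under the bracketed key). As an added example that is not OTM's or the post's own code, here is a Python parser that turns such a script into a verification checklist a responder can walk through after the reboot; the section names and the "=-" convention come from the post, while the function names and the checklist wording are my own assumptions.

```python
# Added example (not OTM's code): parse an OTM-style fix script into a
# checklist of artifacts to re-verify once the machine has rebooted.
import re

# Constructed sample: the script from the post, copied verbatim.
OTM_SCRIPT = """\
:files
C:\\Documents and Settings\\Admin\\Application Data\\Adobe\\Player.exe
C:\\WINDOWS\\system32\\drivers\\alg7qjta.sys
:services
alg7qjta
:reg
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Run"=-
"""

def parse_otm_script(text):
    """Return {'files': [...], 'services': [...], 'reg': [(key, name, action)]}.
    A line starting with ':' opens a section.  Inside :reg a bracketed line
    names a key; '"name"=-' deletes that value (the post's convention) and
    anything else after '=' is treated as a set.  Unknown sections are skipped."""
    result = {"files": [], "services": [], "reg": []}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            section, current_key = line[1:].lower(), None
            continue
        if section in ("files", "services"):
            result[section].append(line)
        elif section == "reg":
            key = re.fullmatch(r"\[(.+)\]", line)
            if key:
                current_key = key.group(1)
                continue
            val = re.fullmatch(r'"(.*)"=(.*)', line)
            if val and current_key:
                action = "delete" if val.group(2) == "-" else "set"
                result["reg"].append((current_key, val.group(1), action))
    return result

def checklist(parsed):
    """Flatten the parsed script into human-readable items to confirm."""
    items = [f"file moved/removed: {p}" for p in parsed["files"]]
    items += [f"service removed: {s}" for s in parsed["services"]]
    items += [f"registry value ({a}): {k}\\{n}" for k, n, a in parsed["reg"]]
    return items

if __name__ == "__main__":
    for item in checklist(parse_otm_script(OTM_SCRIPT)):
        print(item)
```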
 


#5 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 14 June 2009 - 10:04 AM

Hi hrudy24-

Do you still require assistance? Have you had a chance to complete the previous instructions? Please let us know.

Thanks!


 


#6 Baabiouz (Finnish Malware Fighter, Members, 3,355 posts, Location: Finland)

Posted 15 June 2009 - 11:33 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.