
Malware Doctor + Popups + Google Redirecting + Site stalling = HELP!

  • This topic is locked
5 replies to this topic

#1 Freddy Fro

  • Members
  • 3 posts
  • Local time:12:37 PM

Posted 26 May 2009 - 05:58 PM

Hi there, recently I've encountered quite a few problems with my computer, mainly the malware "Malware Doctor." Along with that, I've also acquired Google redirect, pop-ups, and some sites not loading. I have the following programs: Ad-aware, SpyBot S&D, and Malwarebytes Antibytes installed on my computer (although I just recently installed SpyBot hoping that would help me with my malware/virus problem), and I used to run Ad-aware and MBAM on a semi-weekly basis. I've had a few problems with malware and viruses in the past, but I've gotten them either removed or out of the way by going into the system startup and unchecking them there. After numerous times of scanning with Ad-aware, SpyBot, and MBAM, each time coming up with viruses/malware, I make sure they're checked and deleted. But then they pop right back after scanning again! I've also tried turning off System Restore hoping that that would work (after I tried USING System Restore, but it wouldn't work because I kept trying to click "next" but with no luck) and doing another scan, but alas, still nothing. I've tried everything that I can think of, but the malware/viruses just keep coming back, and Malware Doctor is making it even worse. Oh, and I've also downloaded HijackThis, so here is the log for that, followed by Malwarebytes' log. Thanks again in advance!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:27 PM, on 5/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\CinemaNow\CinemaNow Media
c:\Program Files\Microsoft SQL Server\MSSQL.1
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\LocalService\Application Data\691447002.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\691447002.exe
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32
O4 - HKLM\..\RunOnce: [SpybotDeletingC7066] cmd.exe /c del
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\691447002.exe
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT Startup: ChkDisk.lnk = ? (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O7 -
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O15 - Trusted Zone: http://*.cinemanow.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) -
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) -
O20 - AppInit_DLLs: qrcble.dll zvfhlz.dll c:\windows\system32\sosazeri.dll C:\WINDOWS\system32\ C:\WINDOWS\system32\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32
O23 - Service: avast!Antivirus - Unknown owner -
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
O23 - Service: lxbm_device - - C:\WINDOWS\system32\lxbmcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32
O23 - Service: ProtexisLicensing - Unknown owner -
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

End of file - 7840 bytes


Malwarebytes' Anti-Malware 1.25
Database version: 1098
Windows 5.1.2600 Service Pack 2

3:41:49 PM 1/26/2009
mbam-log-01-26-2009 (15-41-49).txt

Scan type: Quick Scan
Objects scanned: 86136
Time elapsed: 25 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 17
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayvUNGW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\byXQKeDV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bqyldypv.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00ffa592-bffb-4423-ba67-fb9fa41af4f1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{00ffa592-bffb-4423-ba67-fb9fa41af4f1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxqkedv (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{befc3ed7-ad94-4ca6-b9ea-fa8d80991857} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{befc3ed7-ad94-4ca6-b9ea-fa8d80991857} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{566dede9-9ed8-45da-9be6-9b2eeab17f49} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a9c9b69-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8a0dcbda-6e20-489c-9041-c1e8a0352e75} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayvungw -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayvungw -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayvUNGW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WGNUvyay.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WGNUvyay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXQKeDV.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qrcble.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bqyldypv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\WinNB55.dll (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Davis\Local Settings\Temporary Internet Files\Content.IE5\0P8F4FSF\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtssqrs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
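As an added example (my code, not anything from this thread or from HijackThis itself), a small triage script that parses single-line entries in the format of the log above and flags the autorun, LSP and AppInit_DLLs patterns a malware analyst checks first. The sample lines are a constructed subset of the posted log, re-joined onto one line each; the heuristics and the names triage and o4_reasons are this example's own assumptions.

```python
import re

# Constructed sample: a subset of the HijackThis entries posted above, re-joined
# onto one line each (the forum's word wrap had split them).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\691447002.exe
O4 - HKUS\.DEFAULT\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O20 - AppInit_DLLs: qrcble.dll zvfhlz.dll c:\windows\system32\sosazeri.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>O\d+|R\d)\s+-\s+(?P<body>.*)$")
# O4 body layout: <hive>\..\<Run key>: [<value name>] <command line>
O4_RE = re.compile(r"^[^:]+?\\\.\.\\Run\w*:\s+\[[^\]]*\]\s*(?P<cmd>.*)$")
PROFILE_DIR_RE = re.compile(r"application data|local settings|\\temp\\|locals~1", re.I)
NUMERIC_EXE_RE = re.compile(r"\\\d{6,}\.exe\b", re.I)
DRIVE_PATH_RE = re.compile(r"[a-z]:\\", re.I)

def o4_reasons(body: str) -> list[str]:
    # Heuristics for one O4 autorun entry (this example's own, not HijackThis rules)
    m = O4_RE.match(body)
    if not m:
        return []
    cmd = m.group("cmd")
    reasons = []
    if PROFILE_DIR_RE.search(cmd):
        reasons.append("autorun target lives in a user-profile data or temp directory")
    if NUMERIC_EXE_RE.search(cmd):
        reasons.append("autorun target is an executable named with a bare number")
    if not DRIVE_PATH_RE.search(cmd):
        reasons.append("autorun command has no drive-letter path, so its target cannot be verified from the log")
    return reasons

def triage(log_text: str) -> list[dict[str, str]]:
    # One finding per (entry, reason), in log order, for the sections worth a first look
    findings: list[dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons: list[str] = []
        if section == "O4":
            reasons = o4_reasons(body)
        elif section == "O10" and "missing" in body.lower():
            reasons = ["LSP chain points at a missing DLL; Winsock stays broken until the entry is repaired"]
        elif section == "O20" and body.lower().startswith("appinit_dlls:") and body.split(":", 1)[1].strip():
            reasons = ["AppInit_DLLs is populated; those DLLs load into every process that loads user32.dll"]
        for reason in reasons:
            findings.append({"section": section, "reason": reason, "entry": line})
    return findings
```

Running triage(SAMPLE_LOG) leaves the Dell entry alone and reports the two Malware Doctor traits, the rundll32 load from the LocalService profile, the pathless SYSDLL value, the broken LSP and the AppInit_DLLs list.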





#2 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:37 AM

Posted 28 May 2009 - 06:44 PM

Hello Freddy Fro,

I've also tried turning off system restore hoping that that would work

Turn System Restore back on.

Do NOT start your fix by disabling System Restore.
This rule applies to any manual fixes and is especially true for spyware removal.

That is because disabling System Restore wipes out all restore points.
Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. :)

Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off.
We clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

Malwarebytes' Anti-Malware 1.25
Database version: 1098

You are running an old version of Malwarebytes as well as an old Database version.

The latest is Malwarebytes' Anti-Malware 1.37 and Database version 2187

Please update Malwarebytes, run it and post its log.

Please make sure that Word Wrap is turned OFF in Notepad before you copy and paste the HijackThis log here. Take a look at the log you just posted. It's an eye killer.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Select Files and Folders created in last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
    info.txt can also be found at c:\RSIT\info.txt

Edited by SifuMike, 28 May 2009 - 06:47 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Freddy Fro
  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:37 PM

Posted 29 May 2009 - 04:14 PM

Help, I have not gotten to start the fixes yet. Now the computer is not even letting me log in at the user logons. When I click my name to go in, it just says loading system settings, and then flashes my background and then logs me out and saves the settings. Any suggestions?

#4 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:37 AM

Posted 29 May 2009 - 04:44 PM

Hi Freddy Fro,

If you can't log in I can't help you here. Sounds like you have a major Windows problem.

I suggest you go to our Windows XP Home and Professional forum and ask the experts there for help.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.

#5 Freddy Fro
  • Topic Starter

  • Members
  • 3 posts
  • Local time:12:37 PM

Posted 01 June 2009 - 07:46 PM

Hiya Sifu, sorry for the extremely late response, but this thread completely slipped my mind. I couldn't get it to work, and I didn't feel like paying Geek Squad 200 bucks to fix my log in problem, so I decided just to reformat. While I did lose everything, most of my pictures, documents, etc are on the internet somewhere, so it's not too bad. Thanks for your patience, and once again sorry for not letting you know my situation soon enough! :D

#6 SifuMike


    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:37 AM

Posted 01 June 2009 - 09:17 PM

Thanks for letting me know. Since your problem is resolved, I will close this thread.
