
Infected with Malware Doctor - Help required


  • This topic is locked
5 replies to this topic

#1 simon27

simon27

  • Members
  • 4 posts

Posted 11 June 2009 - 12:51 PM

Hi,

Recently my computer became infected with Malware Doctor. It has crashed to a blue screen a couple of times when I tried to scan with a spyware program (it worked in Safe Mode though). I lost my network connectivity (wireless) and had to reinstall an IP protocol, if I remember correctly. I thought I had gotten rid of the problem, then it popped back up again a week later, and now I cannot get rid of it no matter how many different scans/spyware programs I use in Safe Mode. The problem is beyond my knowledge, and I require your help. Also, some error with svchost.exe (the instruction at "0x00401000" referenced at memory "0x00401000") popped up each time I booted up to the desktop, but it seems to have stopped since I tried many scans yesterday, which found trojans etc., which I believe are all linked to this Malware Doctor.

Thank you for your time :-)

===



DDS (Ver_09-05-14.01) - NTFSx86
Run by Simon at 18:41:41.95 on 11/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.515 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\program Files\MicPhone\antit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Simon\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.virginmedia.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {aff01325-0fc2-4749-8914-fbf0565ad9cc} - Chrome copyright
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [shv] c:\program files\micphone\antit.exe
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\1361538659.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UVS11 Preload] c:\program files\ulead systems\ulead videostudio 11\uvPL.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Malware Doctor] c:\documents and settings\localservice\application data\1361538659.exe
dRun: [Windows System Recover!] c:\windows\temp\setup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187638583578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187638549968
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15029/CTPID.cab
AppInit_DLLs: c:\windows\system32\systohx.dll,c:\progra~1\micphone\antit.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\simon\applic~1\mozilla\firefox\profiles\tsixi6ny.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pctcore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-10 130936]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R2 avast!antivirus;avast!antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
R2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-10 348752]
R2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-10 1096584]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2009-6-1 362944]
S0 hgcgumb;hgcgumb; [x]
S2 avast!avscontrolservice;avast!avscontrolservice;c:\windows\system32\avast!avscontrolservice.exe -k netsvcs --> c:\windows\system32\avast!AVSControlService.exe -k netsvcs [?]
S2 ias;Ias;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [2007-6-14 16512]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-5-28 17149]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-11 07:43 58,880 a------- c:\windows\system32\7.tmp
2009-06-10 23:46 29,184 a------- c:\windows\system32\jbnmcd.dll
2009-06-10 23:29 3,021,373 a------- C:\ComboFix.exe
2009-06-10 22:46 99,422 a------- c:\windows\system32\drivers\a95eddfa.sys
2009-06-10 22:46 29,184 a------- c:\windows\system32\jbnmck.dll
2009-06-10 22:46 210 a------- c:\windows\system32\sft.res
2009-06-10 22:46 36,864 a------- c:\windows\system32\avast!Antivirus.exe
2009-06-10 20:14 99,422 a------- c:\windows\system32\drivers\fd329449.sys
2009-06-10 18:55 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-10 18:55 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-10 18:55 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-10 18:55 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-10 18:55 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-10 18:55 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-10 18:55 <DIR> --d----- c:\docume~1\simon\applic~1\PC Tools
2009-06-10 18:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-10 18:52 <DIR> --d----- c:\docume~1\simon\applic~1\GetRightToGo
2009-06-10 18:48 99,422 a------- c:\windows\system32\drivers\232a016b.sys
2009-06-10 18:46 61,440 a------- c:\windows\system32\drivers\xivmhh.sys
2009-06-10 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-10 18:43 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-10 18:43 <DIR> --d----- c:\docume~1\simon\applic~1\SUPERAntiSpyware.com
2009-06-10 18:25 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-06-10 18:21 99,422 a------- c:\windows\system32\drivers\543d0ad5.sys
2009-06-10 07:31 99,422 a------- c:\windows\system32\drivers\e5d590b0.sys
2009-06-10 07:31 124,416 a------- c:\windows\system32\avast!AVSControlService.exe
2009-06-01 15:15 15,819 a------- c:\windows\system32\drivers\netwpn11.inf
2009-06-01 15:15 8,263 a------- c:\windows\system32\drivers\WPN111.cat
2009-06-01 14:34 362,944 a------- c:\windows\system32\drivers\WPN111.sys
2009-06-01 13:53 <DIR> --d----- c:\program files\NETGEAR
2009-05-31 20:05 <DIR> --d----- c:\docume~1\simon\applic~1\Malwarebytes
2009-05-31 20:05 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-31 20:05 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-31 20:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-31 20:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-31 19:32 <DIR> --d----- c:\windows\system32\3361
2009-05-31 19:32 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-05-31 19:32 <DIR> --d----- c:\windows\dhcp
2009-05-31 19:32 <DIR> --dshr-- c:\program files\MicPhone
2009-05-31 19:31 2 a------- C:\-401561300

==================== Find3M ====================

2009-06-01 13:53 21,275 a------- c:\windows\system32\drivers\AegisP.sys
2009-05-31 19:32 182,912 a------- c:\windows\system32\drivers\ndis.sys

============= FINISH: 18:42:23.14 ===============

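The DDS "Pseudo HJT Report" and "FIREFOX" sections above carry the indicators a helper reads first: Run-key autostarts pointing into user-writable profile and temp directories, an HTTP proxy forced to localhost:7171 in both the WinINet (IE) settings and the Firefox prefs.js, AppInit_DLLs entries that get loaded into every process that links user32.dll, and the DisableTaskMgr/DisableRegistryTools policies that explain why Task Manager could not be opened. The Python script below is an added example, not code from the thread, from DDS, or from BleepingComputer: it parses those line formats and emits findings. The sample input is an excerpt copied from the posted log; the hive meaning of the u/m/d prefixes, the category names and the "suspicious directory" list are this example's own assumptions, not DDS definitions.

```python
import re

# Constructed sample: lines copied from the "Pseudo HJT Report" and "FIREFOX"
# sections of the DDS log posted above, trimmed to the entries the parser looks at.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: {aff01325-0fc2-4749-8914-fbf0565ad9cc} - Chrome copyright
uRun: [shv] c:\program files\micphone\antit.exe
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\1361538659.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Malware Doctor] c:\documents and settings\localservice\application data\1361538659.exe
dRun: [Windows System Recover!] c:\windows\temp\setup.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\windows\system32\systohx.dll,c:\progra~1\micphone\antit.dll
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
"""

# Assumed DDS prefix convention: u = HKCU, m = HKLM, d = HKU\.DEFAULT (runs at the logon screen).
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^[um]Policies-system: (?P<policy>\w+) = (?P<value>\d+)")
# Assumed heuristic: legitimate autostarts rarely live in these user-writable locations.
SUSPICIOUS_DIRS = (
    "\\application data\\",
    "\\temp\\",
    "\\local settings\\",
    "\\documents and settings\\localservice",
)
LOCAL_PROXY = re.compile(r"(localhost|127\.0\.0\.1)(:\d+)?", re.IGNORECASE)
# Policies that lock the user out of the tools needed to inspect the machine.
LOCKOUT_POLICIES = {"DisableTaskMgr", "DisableRegistryTools"}


def parse_run_entries(log_text):
    """Return (hive, name, command) for every Run-key line in a DDS pseudo-HJT section."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return entries


def triage(log_text):
    """Scan DDS log text and return (category, detail) findings in log order by category."""
    findings = []
    for hive, name, cmd in parse_run_entries(log_text):
        if any(d in cmd.lower() for d in SUSPICIOUS_DIRS):
            findings.append(("autostart-in-user-writable-path", f"{hive}Run [{name}] -> {cmd}"))
    for raw in log_text.splitlines():
        line = raw.strip()
        if "ProxyServer" in line and LOCAL_PROXY.search(line):
            # WinINet (IE and most Windows HTTP clients) forced through a local listener.
            findings.append(("local-proxy-hijack", line))
        elif line.startswith("FF - prefs.js: network.proxy.http -") and LOCAL_PROXY.search(line):
            # Same hijack applied to the Firefox profile.
            findings.append(("local-proxy-hijack", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            # Any non-empty AppInit_DLLs value is worth a look; list each DLL separately.
            for dll in line.split(":", 1)[1].split(","):
                findings.append(("appinit-dll-injection", dll.strip()))
        else:
            m = POLICY_RE.match(line)
            if m and m["policy"] in LOCKOUT_POLICIES and m["value"] == "1":
                findings.append(("tool-lockout-policy", f"{m['policy']}=1"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:35s} {detail}")
```

The localhost proxy finding is the one that matters most for the symptoms described in the thread: with every HTTP client pointed at a listener on port 7171, the malware can block or rewrite the update traffic of the security tools installed afterwards, which is consistent with the report that they cannot reach their servers. The heuristics are a first pass only: the `[shv] c:\program files\micphone\antit.exe` entry is not flagged because it sits under Program Files, and it only stands out from the "Created Last 30" section, where that directory appears with hidden/system attributes on the same day as the other new files.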

#2 simon27

simon27
  • Topic Starter

  • Members
  • 4 posts

Posted 11 June 2009 - 12:57 PM

I should also add that I cannot access taskmgr.exe, and my spyware programs are unable to connect to their respective servers for updates.

#3 simon27

simon27
  • Topic Starter

  • Members
  • 4 posts

Posted 11 June 2009 - 02:19 PM

The SVC.exe error has returned :/ I booted up again, and it popped up after a delay of 30 seconds or so, instead of as soon as the desktop loads.

#4 simon27

simon27
  • Topic Starter

  • Members
  • 4 posts

Posted 12 June 2009 - 01:42 AM

Sorry to bump but my computer is getting worse;

I can no longer boot up normally, and am now restricted to Safe Mode. I get this blue screen error when trying to load normally:

STOP: 0x00000007F (0x00000008, 0x80042000, 0x00000000, 0x00000000)

Hello simon27,

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are those of other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, an attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this, and do not respond to such requests, is that doing so would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 14 June 2009 - 08:11 AM.


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 20 June 2009 - 05:26 PM

Hello and welcome to Bleeping Computer. Sorry for the delay; the forums here at BC are always
very busy and we do our best to keep up. If you no longer require any help, could you let me know,
please, so this topic can be closed.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would
be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • Copy and paste all logs requested in your reply. Do not attach them unless asked to.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.
First I would like to see a new log, since a lot could have changed since your original post.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Thanks



#6 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 24 June 2009 - 06:18 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.





