Malware Doctor

Hi,

I am having trouble removing malware doctor off of my system. It has disabled my task manager. I need help removing this off of my system please.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:13 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\System32\avast!AVSControlService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Josh Isbell\Desktop\HiJack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKLM\..\RunOnce: [ShOsPostRemover] C:\sh4ldr\shospostremover.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 6902 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmck.dll (file missing)
  O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
  O4 - HKLM\..\RunOnce: [ShOsPostRemover] C:\sh4ldr\shospostremover.exe
  O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
  O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
  O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
  O23 - Service: avast!avscontrolservice - Unknown owner - C:\WINDOWS\System32\avast!AVSControlService.exe
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.37
Database version: 2260
Windows 5.1.2600 Service Pack 3

6/10/2009 10:17:03 PM
mbam-log-2009-06-10 (22-17-03).txt

Scan type: Quick Scan
Objects scanned: 83915
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\avast!AVSControlService.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jbnmcd.dll (Password.Stealer) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!Antivirus (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avast!avscontrolservice (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aff01325-0fc2-4749-8914-fbf0565ad9cc} (Password.Stealer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware doctor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware doctor (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Application Data\1361538659.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\WINDOWS\downloaded program files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00367F7.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00A3F3C.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\__c00C2C10.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\3a73f4b.sys (Rootkit.Rustock) -> Delete on reboot.
c:\WINDOWS\system32\drivers\404bd0bf.sys (Rootkit.Rustock) -> Delete on reboot.
c:\WINDOWS\system32\drivers\465d6cea.sys (Rootkit.Rustock) -> Delete on reboot.
c:\WINDOWS\system32\drivers\51ec6d7.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\c6abf0fb.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\104.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\C5.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\F6.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\F7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\josh isbell\local settings\temporary internet files\Content.IE5\VRTJCBWU\lvreefo[1].htm (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\josh isbell\local settings\temporary internet files\Content.IE5\XT3DMMKH\ggcqqdde[2].htm (Trojan.Winwebsec) -> Quarantined and deleted successfully.
c:\documents and settings\josh isbell\local settings\temporary internet files\Content.IE5\XT3DMMKH\aasuper0[1].htm (Backdoor.Rustock) -> Quarantined and deleted successfully.
c:\documents and settings\josh isbell\local settings\temporary internet files\Content.IE5\XT3DMMKH\cyiivvvjjw[2].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\WI7KX1N6\mlw[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\XPW0JW3D\install_10[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\avast!Antivirus.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbnmck.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jbnmcd.dll (Password.Stealer) -> Delete on reboot.
C:\WINDOWS\system32\avast!AVSControlService.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Avira)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.