24 June 2009

Malware Doctor - Another rogue security application installing through security holes

About three weeks ago Avelino Rico Jr over at McAfee Labs blog reported about a new rogue security program called Malware Doctor.

This morning my honeypot caught Malware Doctor and some additional malware installing by exploiting a security. I've pasted the FreeFixer log and marked the malware item in red:

Screenshot of Malware Doctor
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-23 23:14


System policies
HKCU\..\policies\system, DisableTaskMgr = 1
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{AFF01325-0FC2-4749-8914-FBF0565AD9CC}, Chrome copyright, jbnmck.dll(file is missing)

Registry Startups
HKLM\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, Malware Doctor = C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Processes (17 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program\FreeFixer\freefixer.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe

Services (34 whitelisted)
avast!Antivirus, , c:\windows\system32\avast!antivirus.exe

Recently modified files (1 whitelisted)
16 minutes, c:\Documents and Settings\LocalService\Application Data\1361538659.exe
16 minutes, c:\WINDOWS\system32\jbnmck.dll
16 minutes, c:\WINDOWS\system32\avast!Antivirus.exe
16 minutes, c:\WINDOWS\Temp\wpv521245837260.exe
7 days, c:\Program\FreeFixer\freefixer.exe
36 days, c:\Program\FreeFixer\Uninstall.exe

Comments

Mary writes

-1 thumb

Hi Roger,

We spoke earlier last week about your program removing WebCake for me and it worked. But I now have a similar but new problem, I think. Again, I don't know where this came from - I did not load it myself.

Here are the symptoms - let me preface this query by telling you I have run freefixer again & it didn't find anything that I could tell and I couldn't find the 1 program name I know I want to remove in the Add/Remove dialog box - 1) My Internet browser (I use Firefox mostly) never finishes loading some pages when I go to them. It continues to have that swirling green circle showing on the tab. 2) I researched JollyWallet & found it was another adware pgm but I can't remove it using Add/Remove box or freefixer. When I hover over a JollyWallet ad box I see a gazillion little messages at the bottom of the page that references loading or something like loading files from an isecurify.com website. 3) When I go to websites to purchase or research things, certain words show up in green w/a double underline & when I hover over the word(s) a little ad box pops up. This was also a problem when WebCake was installed, but went away for the most part after I removed WebCake. 4) Whenever I click on a link or a box to fill in data, 1 or 2 new tabs to "junk" sites open on Firefox and I have to close them so I can get back to what I was trying to do in the 1st place.

Any ideas or suggestions??? Don't mean to be a bother, but I need help again. Any why are these things popping up when weeks ago they never did?

Mary

# 20 Jul 2013, 18:31

Leave a reply