ok so i get home last night to find that my computer has two different help bubbles coming from the system tray. bubble one says:

Windows File Protection

Some registry keys are invalid, system can run with errors and poor performance.

bubble two says:

Windows File Protection

Windows detected that some of your documents and media files are corrupted. click here to download and install recommended file repair software.

here is where i believe it to be data doctor 2010 being that when i click the bubble it used to take me to that download page. now, however, it does take me anywhere. i have no access to the internet via firefox nor IE. I have so far taken these steps:

1. ran malwarebytes - detected nothing. on a side note i tried updating mwb and got an error 732(12029, 0)

2. ran AVG Free - still running but if mwb finds nothing im sure it will as well.

3. started in safe mode and ran mwb. found 4 files which i deleted, not sure of the names since they are now deleted.

here is where im at a brick wall. i have no access to the internet to make another scan on some other free scanner and not allowed to download any other tools without making a CD and transferring it and so forth. i made a HJT log and would very much appreciate any help anyone has to offer. thanks for your time in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:23:01 PM, on 1/3/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ZuneLauncher.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\uTorrent\utorrent.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MICROS~2\rapimgr.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\System32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgui.exe

C:\Program Files\AVG\AVG9\avgscanx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = myspace.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\ZuneLauncher.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [ttool] C:\WINDOWS\essledv.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stryfe2003.spaces.live.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1150477177453

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0CAA3B51-0BFA-4F25-AC9F-2FBF908CB86B}: NameServer = 208.67.222.222,208.67.220.220

O20 - AppInit_DLLs: C:\WINDOWS\system32\oknwhj.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)

O23 - Service: HauppaugeTVServer - Unknown owner - C:\PROGRA~1\WinTV\HCWTVS~1.EXE (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 7440 bytes

Looks like i am not the only one who is having this problem.

Same symptoms.

System restore could not be enabled even when on safe mode.

Mbam couldn't detect anything even after update.

Tried housecall trend but hangs.

Tried Dr. cureit also no good.

Antivirus scanner couldn't find anything either (McAfee)

Internet Explorer & Firefox don't open. (have to use windows update website on control panel to open IE)

Windows File Protection prompts the same message and when clicked, it will try to install datadoctor 2010.

Hope to find a solution for this.

Same thing here!

But i was able to update malwarebytes and do an up-to-date scan. Still finds nothing though.

Can't run IE or FIREFOX. But pop ups do not happen when in safe mode.

Ran a scan in safe mode.. Doesn't find anything either.

Tries to run ddsetup.exe which is that datadoctor 2010.

It was hard even to find this post! I was infected with the fake alert virus.. Which started all this.. So not sure if this is related or not.

Lucky i have another machine to post this with!

T.

Not saying i have found an answer.. But something odd.. file glsxl.dll in the windows/system32 dir (I have VISTA SP2) if you del it.. it reappears..

But if you boot into safe mode, then copy like a txt file with the same name and make it read only. (Make a copy of the ORIGINAL file first).

When you re-boot you get error messages.. (just that the file glsxl.dll won't run) But everything runs.. IE and firefox both run fine. There are no more pop ups.

I'm not saying glsxl.dll is a virus.. But it is somehow related. Maybe it allows the virus to run? or display the pop ups?

Search on google for glsxl.dll comes up blank...

But for now it seems like a workable work around for now! (I know it's not great)

T.

Unfortunately i couldn't find the glsxl.dll on my XP machine.

Changed Internetexplorer to a different filename, modified my shortcut and my IE now works including firefox so at least i can surf as a temporary workaround.

Just let me know if anything is needed. I'm willing to find the fix since reinstalling my pc takes too much of my time.

Hi,

This Data Doctor 2010 got me also.

Winxp sp 2 has no glsxl.dll.

Malwarebytes keeps on hogging itself. Adware crashed when it found Data Doctor 2010.

My virus scanner (Symantec) is blocked for retrieving new data files (and keeps hogging my system for trying to download new anti-virus data).

Just renamed IEXplore.exe to another name. Right away a new IEXplore.exe will pop up.

Now I can surf again with the renamed IE.

When I boot my pc in Safe mode, the Data Doctor thingy is already there.

This thing is driving me crazy.

Anyone an idea how to fix this?

jvisberg

I'm having the exact same problem with Data Doctor 2010. I get the same two "Windows File Protection" bubbles you quoted, IE and Firefox will not start and none of my antivirus/MBAM scans are ineffective. Additionally, many of my media files are no longer accessible (simply won't play).

Any help would be much appreciated. Thanks.

Afraid I've been nailed by the same crap. Exact same symptoms: browsers blocked, Malwarebytes runs in a loop on mbam.exe when run for a second time, attempting to open most files results in file corruption warning (but they're OK as can open from another machine on network) offering Data Doctor as solution.

I think what we're dealing with here is NOT Data Doctor 2010 but a new malware mechanism that is trying to drop the old Data Doctor as its payload.

Happy to provide data if someone has ideas on how to tackle this. I've got a fair bit of experience and quite a few tools to hand, but have been utterly unsuccessful so far. (Thankfully this is on a test laptop so not time critical or I'd just reimage)

Paul

apparently since my thread got hijacked this thread is useless, so with the moderator's approval i would like to close this one and start another and possibly receive some professional help this time. awaiting moderators reply

Sorry, failedsenses - I arrived here via search & didn't notice that this was a Hijack This Logs thread. Apologies for hijacking your Hijack thread.

Just an FYI, the Vipre from Sunbelt Software worked. I used the 15 day free trial. It found the culprit.

Thanks for the recommendation and the help. This thing kicked my butt for 2 days.

Just to add a little more information. I ran the quick scan first, which uncovered a lot; but the deep scan got the rest.

The dll filename appears to be different for everyone. I had the same exact problem starting Saturday 1/2 and when I ran HijackThis I found the offending dll named nsiebg.dll. After I followed dtp30's fix everything on my computer went back to working correctly.

Steps:

Note: I had previously run Spybot S&D, SuperAntiSpyware, Anti-Malware, and AVG before trying this fix

1. Run HijackThis and look for the entry named "AppInit_DLLs"

2. Using failedsense's HJT log file as the example, that entry is "AppInit_DLLs: C:\WINDOWS\system32\oknwhj.dll" The offending dll is named in this case oknwhj.dll. I'm going to guess it's different for everyone. If you select this dll to be fixed by HiJackThis the entry just keeps coming back.

I was not able to copy a text file named oknwhj.dll like dtp30, Windows kept complaining about the file being in use. I had to resort to using a live cd to mount the drive. Once mounted:

1. I renamed oknwhj.dll to oknwhj.bak (just in case)

2. Created a text file and named it oknwhj.dll

3. Set the Attributes for that file to be Read Only (Right click file>Properties>check box for Read Only)

4. Rebooted Windows. I got several errors about oknwhj.dll/nsiebg.dll not being able to run during Windows startup but that was to be expected. Once Windows has started HiJackThis needs to be run again.

5. Run HiJackThis and scan your computer. The offending AppInit dll will still be there but this time it will stay gone

6. Put a checkmark next to the AppInit entry in HJT and select Fix Checked button. It doesn't come back this time.

7. Reboot Windows again, no errors appear, all programs working, virus/spyware working again. I updated and scanned the computer again with all the Spyware and AV programs I had used and nothing was found. I've played Battlefield 2, surfed the web, and worked on a MS Word doc for several hours now and none of the problems encountered in the last few days appeared.

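The AppInit_DLLs lookup from steps 1 and 2 of the post above, as an added Python example that is not part of the original thread or of HijackThis itself. It reads a saved HijackThis log, lists every DLL registered under AppInit_DLLs that is not on a caller-supplied list, and also lists a loopback proxy setting and entries whose file is missing for manual review. The function names and the `known_good` parameter are assumptions made for illustration; the sample lines are copied from the log in the first post.

```python
import re
from ntpath import basename  # applies Windows path rules on any OS

# Lines copied from the HijackThis log in the first post of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\oknwhj.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
LOOPBACK_PROXY_RE = re.compile(r"ProxyServer\s*=.*\b(127(\.\d+){3}|localhost)\b", re.I)
MISSING_RE = re.compile(r"\((no file|file missing)\)\s*$")


def parse_entries(log_text):
    """Return (section_code, body) pairs, e.g. ('O20', 'AppInit_DLLs: ...')."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def appinit_dlls(entries):
    """List every DLL path registered under the O20 AppInit_DLLs entry."""
    dlls = []
    for code, body in entries:
        if code == "O20" and body.lower().startswith("appinit_dlls:"):
            value = body.split(":", 1)[1]
            # The registry value can hold several DLLs separated by spaces or commas.
            dlls.extend(p for p in re.split(r"[ ,]+", value.strip()) if p)
    return dlls


def triage(log_text, known_good=()):
    """Return (kind, detail) findings that deserve a manual look."""
    allowed = {name.lower() for name in known_good}  # hypothetical allowlist
    entries = parse_entries(log_text)
    findings = []
    for path in appinit_dlls(entries):
        if basename(path).lower() not in allowed:
            findings.append(("appinit_dll", path))
    for code, body in entries:
        if code in ("R0", "R1") and LOOPBACK_PROXY_RE.search(body):
            findings.append(("loopback_proxy", body))
        if MISSING_RE.search(body):
            findings.append(("missing_file", body))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```
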

OK, my story is the same as all of yours:

I was attacked the 3rd of january, lost my internet access, had a very slow computer, and began to read fake pop-ups that would appear again and again, and if you just click one of them, you are asked to install Data Doctor 2010...

Norton/Spybot/Spyware Terminator/Adaware were useless, as was a Trend scan and a Panda scan.

Malware was the only one a bit useful, destroying 3 Data Doctor items, but it wasn't enough to clean my PC. But I could at least run outlook, and clicking a shortcut in a mail, I had firefox OK => this forum where I read Fatdcuk and Remixed post (and those two seem to be "elite members" from this forum).

here you may find a shortcut to a virustotal analysis claiming only Sunbelt's antivirus could detect it.

So like gmbakes, I downloaded their antivirus and my PC is now as efficient as before, no pop-up, everything seems working.

The only question in my mind is: did I clean everything? Because you'll discover this Data Doctor thing isn't alone and came in your PC with a few friends (3 trojan and one virus...), so are all those a decoy for another one sleeping under my bed??

Whatever, at least, my PC's working fine, and Sunbelt's antivirus is free for a month so I hope other device like spybot will deal with Data Doctor before I have to uninstall it.

Hope this will help ! And A VERY BIG THANKS to Fatdcuk and Remixed for giving us a clue (and thanks to you too gmbakes).

Fatdcuk and Remixed's topic: http://www.malwarebytes.org/forums/index.php?showtopic=34107

Virustotal analysis: http://www.virustotal.com/analisis/1a27f41...a919-1261199625
