
Antimalware Doctor won't go after doing all the steps


34 replies to this topic

#1 melpaq

melpaq

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Montreal, Canada
  • Local time:10:58 AM

Posted 26 April 2010 - 07:14 AM

Hello!

I am infected with Antimalware Doctor and I came here to get the manual instructions to remove it. I did all the steps, at least 2-3 times, but it fails. Here's what happens: after MBAM has finished scanning and I delete the malware it found, there's always one that it can't delete without rebooting the computer.

As the instructions advise to let it do so, I always let my computer reboot at that point. When it has rebooted, Antimalware Doctor is still there and I don't know what to do. The last file that MBAM won't delete at the end is called HKEY users.. (then I don't remember) and ends with nofolder.

Maybe there's something I'm doing wrong... The instructions mention that after rebooting and once I am logged in, I should continue with the rest of the steps. Isn't MBAM supposed to start on its own? What am I supposed to do at that point?

Please help!!

Thanks

Edited by elise025, 26 April 2010 - 08:14 AM.
Since no logs are posted, I am moving this to the Am I Infected forum ~ Elise



#2 trollocks

trollocks

  • Members
  • 369 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:England
  • Local time:03:58 PM

Posted 26 April 2010 - 03:38 PM

Rerun Malwarebytes and post the log here.

#3 melpaq


Posted 27 April 2010 - 07:08 AM

Hi,

By "log", you mean the document with all the details that gets produced after MBAM has finished its scan? I am not sure how to do this, since my internet doesn't work on my home PC anymore and I am on my work PC now. How can I post the log here? Can you give me some tips?

Thanks again.

Mel

#4 trollocks


Posted 27 April 2010 - 10:30 AM

By "log", you mean the document with all the details that gets produced after MBAM has finished its scan?

Yes.

my internet doesn't work on my home PC anymore and I am on my work PC now. How can I post the log here?

You can save it to a flash drive, transfer it to another PC and post it from there.

#5 melpaq


Posted 27 April 2010 - 10:48 AM

OK, I'm sorry but I have no idea what a "flash drive" is. As you can see, I am not very advanced in my computer skills. Could you please explain in detail what it is and how I can do that?

Sorry to ask so many questions but I am so lost!!

Thanks again.

Mel

#6 trollocks


Posted 27 April 2010 - 10:58 AM

http://homeworktips.about.com/od/computert.../flashdrive.htm

Maybe you can borrow one from a friend?

#7 melpaq


Posted 27 April 2010 - 12:37 PM

OK, I will try to find one. Thanks a lot, and once I get this done, I will come back here and post the log.

Thanks again.

Mel

#8 CrazyLegs702

CrazyLegs702

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:58 AM

Posted 27 April 2010 - 11:48 PM

I have the same problem... I have run it 3 times and it still persists.
Here's the log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/27/2010 9:46:56 PM
mbam-log-2010-04-27 (21-46-56).txt

Scan type: Flash scan
Objects scanned: 85601
Time elapsed: 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\woneripiwo (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Dan\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Dan\AppData\Local\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Dan\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Dan\AppData\Local\Temp\avp32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#9 trollocks


Posted 28 April 2010 - 02:39 AM

CrazyLegs702

Start your own topic; you cannot just post into someone else's. Update your MBAM, run a full scan and post that log there.

#10 melpaq


Posted 29 April 2010 - 07:03 AM

Hi Trollocks,

I will be able to post the log tomorrow. Do you need me to run MBAM again or can I post the last log here?

Thanks

Mel

#11 trollocks


Posted 29 April 2010 - 02:30 PM

Run it again and post both logs.

#12 melpaq


Posted 29 April 2010 - 02:54 PM

OK, I will.

Talk to you tomorrow.

Mel

#13 aschenstrom

aschenstrom

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 PM

Posted 29 April 2010 - 05:26 PM

I had the same problem and I managed to solve it with rkill to stop antivirus doctor and Malwarebytes to delete it. I'm not telling you what to do, I'm just saying how I did it.

#14 melpaq


Posted 30 April 2010 - 07:13 AM

Yeah, believe me, I tried all of this. Even after running rkill, it still doesn't work. Thanks anyways :thumbsup:

Trollocks, I wasn't able to do it yesterday. I will do it this weekend and post the log Monday.

Have a great w-end!!

Mel

#15 melpaq


Posted 03 May 2010 - 08:04 AM

Hey Trollocks,

Hope you had a great weekend. I am going to post all 4 logs I got from running MBAM. Yes, I tried it 4 times and it still didn't work. Yesterday, my internet connection was gone. I had a message saying that the cable wasn't plugged in, but it was. Anyways, here are the 4 logs, in chronological order. Hope you can help. Thanks.

Malwarebytes' Anti-Malware 1.43
Database version: 3506
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2010-04-20 06:30:23
mbam-log-2010-04-20 (06-29-10).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154531
Time elapsed: 2 hour(s), 20 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\maexorwnsc.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\xmb .exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Melinda\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000034b4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2010-04-25 16:59:42
mbam-log-2010-04-25 (16-59-42).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 155505
Time elapsed: 1 hour(s), 28 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\Bureau\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2010-04-25 17:43:53
mbam-log-2010-04-25 (17-43-53).txt

Scan type: Quick Scan
Objects scanned: 107699
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melinda\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.



Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2010-05-02 15:02:17
mbam-log-2010-05-02 (15-02-17).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152749
Time elapsed: 1 hour(s), 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Melinda\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Melinda\rundll32.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
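
Added example, not part of the original thread and not Malwarebytes code: the four logs in the post above list several of the same entries in every scan. This Python code parses result lines in that log format and reports which items were detected in more than one scan, and which of those had already been reported as deleted. The two sample scans are a constructed excerpt in the same format, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two short scans in the format of the logs above.
SCAN_A = r"""
Registry Values Infected: 2
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
Files Infected:
C:\WINDOWS\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
"""
SCAN_B = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
"""

# "Files Infected:" opens a section; "Files Infected: 4" is a summary count and is skipped.
SECTION = re.compile(r"^(?P<section>.+ Infected):$")
# <path> (<detection>) -> [Bad: (n) Good: (n) -> ]<action>.
ITEM = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Bad: \(\d+\) Good: \(\d+\) -> )?(?P<action>.+?)\.?$"
)

def parse_log(text):
    """Return (section, path, detection, action) for each result line."""
    section, items = None, []
    for line in text.splitlines():
        line = line.strip()
        head = SECTION.match(line)
        if head:
            section = head.group("section")
            continue
        hit = ITEM.match(line)
        if hit and section:
            items.append((section, hit.group("path"), hit.group("name"), hit.group("action")))
    return items

def recurring(logs):
    """logs: (label, text) pairs, oldest first. Items seen in more than one scan."""
    seen = defaultdict(list)
    for label, text in logs:
        for section, path, name, action in parse_log(text):
            seen[(section, path.lower(), name)].append((label, action))
    return {k: v for k, v in seen.items() if len({s for s, _ in v}) > 1}

def recreated(logs):
    """Items reported as deleted in one scan and detected again in a later one."""
    return sorted(k for k, v in recurring(logs).items()
                  if any("deleted successfully" in a for _, a in v[:-1]))
```

An item returned by `recreated` was removed and then came back, which points to something still running or auto-starting that restores it between scans.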



