Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antimalware Doctor - 2 hours of trying, nothings working


  • Please log in to reply
1 reply to this topic

#1 batman21

batman21

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 27 April 2010 - 03:35 PM

So I've been trying to get rid of Antimalware Doctor on an XP machine for over 2 hours. i've followed the bleeping computer steps with rkill et all, and malwarebytes. i can't even open malware bytes - getting an error after install. I tried running super antispyware just to try to get into malwarebytes, but no dice. Super killed several threats, but once i restarted they all came back. everything has been run in safe mode.

Also, i have been getting these fake spyware programs every few days for a few weeks now. malware gets rid of them temporarily but they come back. this one is the worst. help!!

BC AdBot (Login to Remove)

 


#2 batman21

batman21
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:47 PM

Posted 28 April 2010 - 07:34 AM

OK - I got malware to run using the random name gen. Updated it manually. log below. after i rebooted in safe mode, i got some 'control center' garbage - wouldn't close, locked computer.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

4/28/2010 8:29:09 AM
mbam-log-2010-04-28 (08-29-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 165613
Time elapsed: 30 minute(s), 44 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 6
Folders Infected: 16
Files Infected: 25

Memory Processes Infected:
C:\Documents and Settings\lxadmin\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Unloaded process successfully.
C:\Documents and Settings\lxadmin\Application Data\ACommander\ccagent.exe (Rogue.PClean) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\acommander (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\kayvbebdhwoekkc (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Inject) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccagent.exe (Rogue.PClean) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pbotjdgp (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ezlife (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuvanudupe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife\1.5.2.0 (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\lxadmin\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\ACommander\ccagent.exe (Rogue.PClean) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\ACommander\uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0041149.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0042178.dll (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0042250.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0042276.dll (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0042289.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1230\A0042290.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kayvbebdhwoekkc.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tehisuvo.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\RarSFX0\hor0410e.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2X91VA17\stpc5890[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\sonracxwme.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Application Data\ezLife\ezLife\log.xml (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\vopunxitt\jvviibetssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Desktop\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\lxadmin\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\WeFiSetup_5_501_780.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\confin.sys (Malware.Trace) -> Quarantined and deleted successfully.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users