
Antimalware Doctor - Can't Remove with MBAM


  • This topic is locked
6 replies to this topic

#1 spockette

spockette

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 03 May 2010 - 12:07 PM

Hello :thumbsup:

Unfortunately I've ended up with Antimalware Doctor on my PC and I can't seem to get rid of it. It also seems to have messed with the MS Security Centre: Windows Defender doesn't work, and some options are shown as having been switched off when they haven't. For info, I'm running Vista. The steps I've taken so far are:

1) Tried rkill and then Malwarebytes
2) This seemed to remove it, but after reboot, it appeared again.
3) Tried running Malwarebytes in safe mode, but no luck.
4) Tried downloading Malwarebytes again and running it again, but it was a repeat of step 2 above.

I've got my logs from every attempt, so am able to post those if needed. Please let me know if you need more info about my system/PC. For info, initially there were a few of these malware things and they were disrupting the functioning of my PC (e.g. the screen would 'go grey' and pop-ups would appear). After running MBAM the first time it seemed to resolve that, except for the existence of the Antimalware Dr!

Any help much appreciated!!

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 03 May 2010 - 03:27 PM

Hi spockette,

Can you run GMER for me?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 spockette

spockette
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 03 May 2010 - 04:44 PM

Hello,

I seem to be having some problems with GMER.

- Initial automatic scan runs
- PC crashes after a minute or so of the scan that comes next

I've tried running it in safe mode and the same thing happens. If it's any help, I've managed to get the following:


1) Results of initial (auto) scan:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-03 22:04:06
Windows 6.0.6001 Service Pack 1
Running: w54i1xyr.exe; Driver: C:\Users\Sarbjit\AppData\Local\Temp\uwldapow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8FFDB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8FFDB738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8FFDB74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8FFDB7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8FFDB710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8FFDB724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8FFDB7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8FFDB78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8FFDB776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8FFDB80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8FFDB7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8FFDB7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8FFDB762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 865CBEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Details about the 'unexpected shutdown' after the PC restarts (for what it's worth!). There are 2 as I tried it again:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: f4
BCP1: 00000003
BCP2: 895B0A10
BCP3: 895B0B5C
BCP4: 82E724B0
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1



Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: a
BCP1: 0000AC1A
BCP2: 00000002
BCP3: 00000000
BCP4: 82CE8E5B
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Thanks for your help so far :thumbsup:

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 03 May 2010 - 04:49 PM

You have the TDL3 variant of TDSS. This is a nasty rootkit and needs tools which are not available to us in this forum to remove it.

Please post a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum

Make sure you read this post first.
m0le is a proud member of UNITE
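As an added example (not part of the thread, and not GMER's own code), a small Python triage script that parses the GMER quick-scan format shown in spockette's post and separates the vendor-attributed McAfee hooks from the two lines m0le's diagnosis rests on: the atapi device object redirected to a bare address, and atapi.sys flagged as modified on disk. The sample log is a constructed excerpt of the one posted above.

```python
"""Triage a GMER quick-scan log: vendor-attributed SSDT hooks (common with HIPS/AV
drivers) are listed separately from the indicators that point at a kernel rootkit."""
import re

# Constructed excerpt of the GMER log posted in the thread (not a live scan).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-05-03 22:04:06

---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8FFDB79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 865CBEE4

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
# "Code <driver path> (<description>/<vendor>) <hooked function> [addr]"; the parenthesised part is optional
CODE_RE = re.compile(r"^Code (\S+)(?: \(([^)]*)\))? (\w+)")
# "Device -> \Driver\<name> \Device\... <8 hex digits>": a device object that points at unnamed code
DEVICE_RE = re.compile(r"^Device -> (\\Driver\\\w+) (\S+) ([0-9A-Fa-f]{8})$")
FILE_RE = re.compile(r"^File (\S+) suspicious modification$")

def triage_gmer(text):
    """Return {'hooks': [...], 'findings': [...]} for one GMER log."""
    section, hooks, findings = None, [], []
    for line in text.splitlines():
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif section == "System" and (m := CODE_RE.match(line)):
            driver, desc, func = m.groups()
            vendor = desc.rsplit("/", 1)[-1] if desc and "/" in desc else "unknown"
            hooks.append({"driver": driver.rsplit("\\", 1)[-1], "vendor": vendor, "function": func})
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            drv, dev, addr = m.groups()
            findings.append(f"device object {dev} of {drv} points at unnamed code 0x{addr.upper()}")
        elif section == "Files" and (m := FILE_RE.match(line)):
            findings.append(f"driver file modified on disk: {m.group(1)}")
    return {"hooks": hooks, "findings": findings}

def unattributed_hooks(result):
    """Hooks GMER could not tie to a named vendor module deserve a closer look."""
    return [h for h in result["hooks"] if h["vendor"] == "unknown"]
```

On the posted log this yields no unattributed hooks (all are McAfee's HIPS driver) and exactly the two findings that match the TDL3 diagnosis.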

#5 Cybergoth

Cybergoth

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 03 May 2010 - 10:10 PM

Can't this rootkit be fixed by reinstalling the affected sys file(s) from the original boot disk or operating system installation disk?

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:04:53 PM

Posted 04 May 2010 - 11:43 AM

It is possible to replace the infected file another way, yes, but the safest and easiest way to do this is to take it to the other forum.

There are often a number of other malware elements that enter the compromised PC, including at least two trojans which are very hard or impossible to remove using the tools available in this forum, such as the Vundo file infector.
m0le is a proud member of UNITE

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:53 PM

Posted 04 May 2010 - 05:44 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/314738/infected-with-antimalware-doctor/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript
