
Antimalware Doctor infection


  • This topic is locked
25 replies to this topic

#1 Flabbergasted

Flabbergasted

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 08 May 2010 - 09:10 PM

Hello.

As one can tell, I'm new here but hoping to find assistance in removing Antimalware Doctor, which I caught just yesterday.
I finished going through this guide I found Remove Antimalware Doctor previous to posting but found it has not rid me of my 'Doctor' problem; however, I no longer get the annoying pop-ups I once suffered previous to using Malwarebytes' Anti-Malware program (although I still suffer from a barrage of "Application terminated, do you want to send a report to Microsoft?" from a variety of different programs such as om1, btdna, etc. whenever my computer starts up).

I'm also being denied access to a variety of functions I could access previously, including the majority of anti-virus websites, Windows Update and possibly more that I'm not aware of. My computer is also restarting at random, although I've noticed it only does that when my screen-saver pops up in the middle of scanning with GMER. Another problem I just noticed I'm suffering from as I was typing this was that a random tab was created, connecting me to some cbbb or whatever website (I panicked to get rid of it before I clearly saw the entire name, sorry).

Note: The ark.txt from GMER isn't from a complete scan, since it kept restarting, I plan to scan again tonight without my screen-saver to see how that goes but I figured it would be better than nothing for now. Also, I've scanned with GMER twice now, and found it odd that the first time a file came up labeled as ??? but the second time I attempted to scan, it did not appear despite the results being symmetrical otherwise.

Thanks in advance for all the help, I hope I can provide enough information with my limited computer knowledge.



Edit: While trying to scan with GMER once more, with my screen-saver set to go off in 9999 min in an attempt to cure the restarts, my computer crashed with a blue screen of death, requiring a hard-boot. If it helps, it said something around the likes of:

The problem seems to have been caused by the following file: kwxyafod.sys
PAGE_FAULT_IN_NONPAGED_AREA

*** STOP: 0x00000050 (0xE542E000, 0x00000000, 0xB6B76x3E, 0x00000001)

address 0xB6B76c3E base at B6B76000, DateStamp 4b274f8d

There was also something about a physical memory dump.

Edit: After 13-14 hours of scanning, GMER finally finished, coming up with an astonishingly huge list compared to the short one I have posted; however, as soon as it finished I started getting error spammed and then it froze, forcing a reboot before I could save. Guess I have to try again tonight.

The errors said something along the lines of this:

Windows - Delayed Write Failed

Windows was unable to save all data for the file \Device\HarddiskVolume1\WINDOWS\system32\config\AppEvent.Evt

The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.


Edit once again: Alright so GMER finished up at an amazing speed compared to the previous 13-14 hour attempt and I've uploaded the new log for it; however this list is significantly shorter than what was displayed before, when I froze up on the 14 hour scan.

Also, I've noticed many simply copy and paste; if that is preferred to uploading, feel free to inform me.


Edited by Flabbergasted, 09 May 2010 - 06:43 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:04 PM

Posted 10 May 2010 - 06:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Flabbergasted

Flabbergasted
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 11 May 2010 - 02:52 PM

Alrighty, hello m0le, nice to meet you.

As requested, I'll listen to directions and avoid doing much else on my own~

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:04 PM

Posted 11 May 2010 - 02:58 PM

Another victim of the TDSS variant, TDL3. The Gmer crash and the modification from the log mean that we should be able to remove it. There may be damage left over from the attack but first we must remove this pest.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#5 Flabbergasted

Flabbergasted
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 11 May 2010 - 03:13 PM

Bit of a problem, I use Norton internet security and was following the disable guide, however there is no 'User accounts' option anywhere that I can see. It's Norton Internet Security 2008 if that helps.

The only things to the left are options such as

Run LiveUpdate
Scan now
View history
Options-Norton security/protection center
Subscription

Going through the options, in both categories I still don't see a 'user account' area, or a way to turn it off.

Edit: I should mention my subscription with it expired by the way.

Edited by Flabbergasted, 11 May 2010 - 03:16 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:04 PM

Posted 11 May 2010 - 03:17 PM

Norton instructions to disable the user account
m0le is a proud member of UNITE

#7 Flabbergasted

Flabbergasted
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 11 May 2010 - 03:28 PM

Actually that's the guide I'm having trouble with.





I've checked around Norton, but, as you can see, there's no 'User Accounts' option anywhere, nor even a sign signifying you can log in.

Edit: Just to make it clearer, the guide says..

"1
Start Norton Internet Security.

2
In the Norton Internet Security window, in the left pane, click User Accounts.

3
The account that you are logged on as is displayed after "you are logged on as:"

* If you are logged on as Supervisor, go to "To turn on or turn off Norton Internet Security."

* If you are not logged on as Supervisor, go to line 4 of this STEP."

However, I see no such pane or user account

Also, Norton just detected an attack, that's a first.

Edited by Flabbergasted, 11 May 2010 - 03:50 PM.


#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:04 PM

Posted 11 May 2010 - 03:55 PM

Uninstall Norton. We can install it after you're clean.

Download the Norton uninstaller from here
m0le is a proud member of UNITE

#9 Flabbergasted

Flabbergasted
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 11 May 2010 - 04:15 PM

More problems, I'm sorry to say.

Instructions provided:
The Norton Removal Tool uninstalls all Norton 2003 and later products, Norton 360, and Norton SystemWorks 12.0 from your computer. Before you continue, make sure that you have the installation CDs or downloaded installation files for any Norton products that you want to reinstall. If you have pcAnywhere or WinFAX, uninstall it using Add or Remove Programs before running the Norton Removal Tool. Also, if you use ACT! or WinFAX, back up those databases and uninstall those products.

1. Download the Norton Removal Tool. Save the file to the Windows desktop. DOWNLOAD

2. On the Windows desktop, double-click the Norton Removal Tool icon.

3. Follow the on-screen instructions.

I downloaded the removal tool, saved it to the desktop, and double-clicked it; however, nothing happens. It gives a brief, 1 second load and then... well, nothing. It lurks around in my task manager under processes, but I don't see any screen or further instructions. It also won't allow me to run the program again, saying the program is already running. I can run it again after restarting my computer; however, if I try to end the process via task manager, it says

"The operation could not be completed, access denied."

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:09:04 PM

Posted 11 May 2010 - 04:17 PM

It may be that the malware is denying access to this uninstaller.

Please skip this and run Combofix as is.
m0le is a proud member of UNITE

#11 Flabbergasted

Flabbergasted
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 11 May 2010 - 04:53 PM

Here you go. Thank you by the way, upon restarting the barrage of malfunctioning programs significantly decreased; however there are still two whose names I can get if desired by restarting my computer. (Antimalware doctor didn't appear <3 woot)

Also it detected rootkits and had to restart.. anyway~

ComboFix 10-05-10.05 - HP_Administrator 11/05/2010 16:29:34.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.623 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\comfix.exe.exe
AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B
c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\enemies-names.txt
c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\gotnewupdate000.exe
c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\hookdll.dll
c:\program files\AOL 9.0\AOL.exe
c:\program files\DNA\btdna.exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop.exe
c:\program files\HP DigitalMedia Archive\DMAScheduler.exe
c:\program files\Hp\HP Software Update\HPWuSchd2.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
c:\program files\Java\jre6\bin\jusched.exe
c:\program files\NVIDIA Corporation\nView\nwiz.exe
c:\windows\SMINST\RECGUARD.EXE
c:\windows\system32\driVERs\uxlmksa.sys
c:\windows\system32\rthdcpl.exe
c:\windows\system32\rundll32 .exe
D:\Autorun.inf

----- File Replicators -----

c:\hp\bin\commands.exe
c:\windows\system32\pcintro\tools\commands.exe
d:\i386\APPS\APP00151\commands.exe
d:\i386\APPS\APP01326\commands.exe
d:\i386\APPS\APP01498\commands.exe
d:\i386\APPS\APP02292\commands.exe
d:\i386\APPS\APP03042\commands.exe
d:\i386\APPS\APP05461\commands.exe
d:\i386\APPS\APP07558\commands.exe
d:\i386\APPS\APP09726\commands.exe
d:\i386\APPS\APP11874\commands.exe
d:\i386\APPS\APP12777\commands.exe
d:\i386\APPS\APP13220\commands.exe
d:\i386\APPS\APP14067\commands.exe
d:\i386\APPS\APP14963\commands.exe
d:\i386\APPS\APP15086\commands.exe
d:\i386\APPS\APP20456\commands.exe
d:\i386\APPS\APP22789\commands.exe
d:\i386\APPS\APP25764\commands.exe
d:\i386\APPS\APP26110\commands.exe
d:\i386\APPS\APP26795\commands.exe
d:\i386\APPS\APP27693\commands.exe
d:\i386\APPS\APP27914\commands.exe
d:\i386\APPS\APP28325\commands.exe
d:\i386\APPS\APP28936\commands.exe
d:\i386\APPS\APP30280\commands.exe
d:\i386\APPS\APP30807\commands.exe
d:\i386\APPS\APP31453\commands.exe
d:\i386\DRV\APP03533\commands.exe
d:\i386\DRV\APP05130\commands.exe
d:\i386\DRV\APP06610\commands.exe
d:\i386\DRV\APP07161\commands.exe
d:\i386\DRV\APP07167\commands.exe
d:\i386\DRV\APP08932\commands.exe
d:\i386\DRV\APP09275\commands.exe
d:\i386\DRV\APP15143\commands.exe
d:\i386\DRV\APP16242\commands.exe
d:\i386\DRV\APP18368\commands.exe
d:\i386\DRV\APP20518\commands.exe
d:\i386\DRV\APP28412\commands.exe
d:\i386\DRV\APP31049\commands.exe
d:\i386\DRV\APP32437\commands.exe
.
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_uxlmksa
-------\Service_uxlmksa


((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 20:48 . 2010-05-11 20:48 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-11 20:48 . 2010-05-11 20:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-07 22:59 . 2010-05-07 22:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-05-07 22:58 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 22:58 . 2010-05-07 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-07 22:58 . 2010-05-07 22:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 22:58 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 21:28 . 2010-05-07 21:28 56766 ----a-w- c:\windows\system32\alcmtr.exe
2010-05-07 21:28 . 2010-05-07 21:28 50990 ----a-w- c:\windows\system32\yaaoymmrluyurzfu.exe
2010-05-02 18:11 . 2010-05-02 18:11 -------- d-----w- c:\program files\MatrixEngine 1.0
2010-04-29 16:26 . 2010-04-29 16:26 974400 ----a-w- c:\windows\Let's Meow Meow! Uninstaller.exe
2010-04-29 16:25 . 2010-04-29 16:27 -------- d-----w- c:\program files\Let's Meow Meow!
2010-04-26 21:01 . 2010-04-26 21:01 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-04-26 21:01 . 2005-11-25 00:51 245248 ----a-w- c:\windows\system32\rt73.sys
2010-04-26 21:01 . 2005-11-25 00:51 245248 ----a-w- c:\windows\system32\drivers\rt73.sys
2010-04-26 21:01 . 2003-10-13 20:30 94208 ----a-w- c:\windows\system32\GTW32N50.dll
2010-04-26 21:01 . 2003-09-26 03:15 15872 ----a-w- c:\windows\system32\GTNDIS5.sys
2010-04-26 21:01 . 2005-11-03 22:41 32768 ----a-w- c:\windows\system32\GTGina.dll
2010-04-26 21:01 . 2005-02-01 23:18 17992 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2010-04-26 21:01 . 2005-02-01 23:18 17992 ----a-w- c:\windows\system32\bcm42rly.sys
2010-04-26 21:01 . 2005-02-01 23:18 17992 ----a-w- c:\windows\bcm42rly.sys
2010-04-26 21:01 . 2010-04-26 21:01 -------- d-----w- c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 21:38 . 2010-04-06 21:16 -------- d-----w- c:\program files\AOL 9.0
2010-05-11 21:38 . 2008-03-18 13:38 -------- d-----w- c:\program files\DNA
2010-05-11 21:38 . 2008-03-17 21:01 -------- d-----w- c:\program files\HP DigitalMedia Archive
2010-05-11 21:20 . 2008-03-17 21:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-07 21:20 . 2008-03-18 13:38 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\DNA
2010-04-29 00:19 . 2009-09-03 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-04-27 12:48 . 2008-03-17 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-04-27 12:48 . 2010-04-06 21:17 -------- d-----w- c:\program files\AOL Deskbar
2010-04-26 21:01 . 2008-03-17 20:48 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-16 19:13 . 2010-04-06 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-04-16 19:13 . 2010-04-06 21:20 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AOL
2010-04-07 02:41 . 2010-04-06 21:16 -------- d-----w- c:\program files\Common Files\AOL
2010-04-06 21:18 . 2008-03-17 21:00 -------- d-----w- c:\program files\Common Files\Real
2010-04-06 21:17 . 2010-04-06 21:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-06 21:17 . 2010-04-06 21:17 -------- d-----w- c:\program files\Viewpoint
2010-04-06 21:17 . 2010-04-06 21:16 -------- d-----w- c:\program files\Common Files\aolshare
2010-04-06 21:16 . 2009-08-26 05:40 335 ----a-w- c:\windows\nsreg.dat
2010-04-06 17:23 . 2008-09-16 02:04 -------- d-----w- c:\program files\StepMania
2010-03-11 04:24 . 2009-06-20 03:21 262 ----a-w- c:\windows\PowerReg.dat
2009-06-26 08:34 . 2009-06-26 08:34 251 ----a-w- c:\program files\wt3d.ini
2008-04-01 19:55 . 2008-04-01 19:55 22 --sha-w- c:\windows\SMINST\HPCD.sys
2009-09-23 21:14 . 2009-09-23 21:14 56 --sh--r- c:\windows\system32\A32CBCF86A.sys
2009-09-23 21:14 . 2009-09-23 21:14 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
CODE
<pre>
c:\program files\AOL 9.0\aol .exe
c:\program files\DNA\btdna .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP DigitalMedia Archive\dmascheduler .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\NVIDIA Corporation\nView\nwiz .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\SMINST\recguard .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [N/A]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [N/A]
"gotnewupdate000.exe"="c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\gotnewupdate000.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [N/A]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [N/A]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [N/A]
"PCDrProfiler"="" [N/A]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-07-14 86016]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2010-05-07 56766]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2010-05-07 56766]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [N/A]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"HostManager"="c:\program files\Common Files\AOL\1270588618\EE\AOLHostManager.exe" [2004-11-04 125528]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
MiniMavis.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\MiniMavis.exe [2010-1-26 2392064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonJP\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32server.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 2010\\mentalray\\satellite\\raysat_3dsmax2010_32.exe"=
"c:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56547:TCP"= 56547:TCP:Pando Media Booster
"56547:UDP"= 56547:UDP:Pando Media Booster

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [25/01/2008 8:47 PM 149352]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [12/03/2009 5:36 PM 86016]
R3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [12/01/2008 9:32 PM 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [15/03/2009 8:54 PM 101936]
S3 {6C5EDCC0-615B-4B64-B331190B2254A6CE};{6C5EDCC0-615B-4B64-B331190B2254A6CE};c:\windows\System32\svchost.exe -k netsvcs [17/03/2008 4:06 PM 14336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 XDva193;XDva193;c:\windows\system32\XDva193.sys [23/08/2008 9:22 PM 46720]
S3 XDva202;XDva202;c:\windows\system32\XDva202.sys [24/09/2008 3:06 AM 47488]
S3 XDva275;XDva275;\??\c:\windows\system32\XDva275.sys --> c:\windows\system32\XDva275.sys [?]
S3 XDva280;XDva280;\??\c:\windows\system32\XDva280.sys --> c:\windows\system32\XDva280.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2010-05-11 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 14:05]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_CA&c=64&bd=PAVILION&pf=desktop
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://secure.footprint.net/kingsisle/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
DPF: {8E9089E1-0461-4F60-8150-1E334629ABB7} - hxxp://webdown2.nexon.co.jp/arad/real/installer/arad_dis.cab
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\25ir9epr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMXENG.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 16:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1576949565-2003599693-3730689740-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1576949565-2003599693-3730689740-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\‚„E*‚„B*‚„9 ‚„e*‚„C*‚„ ]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"Order"=hex:08,00,00,00,02,00,00,00,8c,00,00,00,01,00,00,00,01,00,00,00,80,00,
00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,32,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1304)
c:\windows\system32\GTGina.dll

- - - - - - - > 'explorer.exe'(4020)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\program files\Broderbund\Mavis Beacon Teaches Typing 12 Deluxe\KeyHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Symantec Shared\NPC\2.0\NPCEXT.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\progra~1\COMMON~1\AOL\127058~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\127058~1\EE\AOLServiceHost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-05-11 16:49:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-11 21:49

Pre-Run: 308,193,120,256 bytes free
Post-Run: 310,903,873,536 bytes free

- - End Of File - - 8A26B786D7293F37903308CE73C6FE0C

Edited by Flabbergasted, 11 May 2010 - 04:59 PM.


#12 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 May 2010 - 05:08 PM

Antimalware Doctor is nasty but there was also the TDL3 rootkit which Combofix has removed.

There's still more in the log so please rerun Combofix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE

Collect::
c:\windows\system32\yaaoymmrluyurzfu.exe

File::
c:\documents and settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\gotnewupdate000.exe

RenV::
c:\program files\AOL 9.0\aol .exe
c:\program files\DNA\btdna .exe
c:\program files\Hewlett-Packard\HP Boot Optimizer\hpbootop .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\HP DigitalMedia Archive\dmascheduler .exe
c:\program files\Intel\Intel Matrix Storage Manager\iaanotif .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\NVIDIA Corporation\nView\nwiz .exe
c:\windows\ehome\ehtray .exe
c:\windows\ime\imjp8_1\imjpmig .exe
c:\windows\ime\imkr6_1\imekrmig .exe
c:\windows\SMINST\recguard .exe
c:\windows\system32\IME\PINTLGNT\imscinst .exe

RegNull::
[HKEY_USERS\S-1-5-21-1576949565-2003599693-3730689740-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\€™E*€™B*€™9 €™e*€™C*€™ ]

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gotnewupdate000.exe"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#13 Flabbergasted
  • Topic Starter
  • Members
  • 13 posts

Posted 11 May 2010 - 05:53 PM

It's a m0ley miracle~ Norton uninstalled successfully and I didn't see a single 'program terminated' upon restarting.
By the way, although safe internet practice is something I must work on myself, is there any anti-virus program you recommend? I saw a list of them somewhere, but the location as to where slips my mind.

That aside, I've uploaded it since it was too long to post.

Attached Files



#14 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 May 2010 - 06:12 PM

That's good news, Flabbergasted.


Let's run the ESET scanner to check for remnants

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#15 Flabbergasted
  • Topic Starter
  • Members
  • 13 posts

Posted 12 May 2010 - 07:02 AM

Here ya go~ By the way if the explanation isn't too troublesome for you, what is a TDL3 rootkit anyway? Honestly this whole ordeal made me want to take up that malware training program I saw during the time I spent here.

C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\44\5473416c-24b562f1 a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-5586660f a variant of Java/TrojanDownloader.Agent.NAN trojan
C:\hp\bin\wbug\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Documents and Settings\HP_Administrator\Application Data\13272BA4CA841B5DD5DD43747543E84B\gotnewupdate000.exe.vir a variant of Win32/Kryptik.EFW trojan
C:\Qoobox\Quarantine\C\Program Files\AOL 9.0\aol.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\DNA\btdna.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\Hewlett-Packard\HP Boot Optimizer\hpbootop.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\HP\HP Software Update\hpwuschd2.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\HP DigitalMedia Archive\dmascheduler.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jusched.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\Program Files\NVIDIA Corporation\nView\nwiz.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\WINDOWS\SMINST\recguard.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\rthdcpl.exe.vir Win32/TrojanDownloader.Unruy.BO trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP540\A0300684.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP540\A0300693.exe multiple threats
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP540\A0300695.exe Win32/Lifze.H trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312194.sys Win32/Olmarik.ZC trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312280.exe a variant of Win32/Kryptik.EFW trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312282.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312283.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312284.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312285.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312286.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312287.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312288.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312289.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312290.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0312292.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0314019.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP543\A0314020.exe Win32/TrojanDownloader.Unruy.BO trojan
C:\WINDOWS\system32\alcmtr.exe Win32/TrojanDownloader.Unruy.BO trojan
D:\I386\APPS\APP30280\src\CompaqPresario_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application
D:\I386\APPS\APP30280\src\HPPavillion_Spring06.exe a variant of Win32/Toolbar.MyWebSearch application

Edited by Flabbergasted, 12 May 2010 - 07:12 AM.