Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Remove Anti-malware Doctor

  • This topic is locked This topic is locked
22 replies to this topic

#1 khoifish


  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 18 May 2010 - 01:03 AM

First of all, I really have no clue how I got this Anti-malware Doctor spyware program installed on my dad's laptop. I was using it to browse the web and I got the random popup, which I usually ignore or exit out of it but by then it was too late and the program was already installed.

But anyways I noticed how vicious this spyware was when it didn't allow me to open up any programs and blocked off pretty much anything I tried to open. Anything I tried opening resulted in a bogus pop-ups saying some kind of file was corrupted and cannot be opened (even the 'add and remove' option in control panel was being blocked off). Not only that but I was no longer able to connect to the internet and run my usual spyware removing programs (AVG). So pretty much my dad's laptop was locked up and un-usable and I used google to try to find an answer to my problem with this spyware.

so this is the site I found and I had followed these instructions:

Even those easy instructions were no easy task for me, my cpu was being flooded to 100% usage and everything I tried to do was extremely slow. I had about a 1-2 minute window of opportunity to even do anything on the laptop before the virus took over; which the time frame was from windows just starting up after a fresh restart. I was able to download rkill.com and malwarebytes from my computer onto a flash drive and then import those programs after a fresh restart. After running the malwarebytes (datebase version: 4052, date of 4/29/2010 - can't update with internet not accessible on it) and running rkill.com prior to it, it detected the spywares and removed them.

Seem like it was solved at the time but after the restart the laptop still had anti-malware doctor. Not only that but the laptop remained very slow (100% cpu usage and became very hot) and was still not able to access the internet. I ran malwarebytes again and had lots of trouble with the laptop just freezing up during the full scan. I eventually ran the scan in safemode and removing more malware and then luckily ran the scan all the way through during normal window mode after many failed attempts and it showed clean results.

Now the situation is up to date, after many complications I was able to run malwarebytes with clean results but my laptop is still slow, can't access internet, and has anti-malware doctor still installed on laptop. So I need help and advice.

(couldn't upload the ark file, got error msg trying to run gmer.exe so I don't have that file)

DDS (Ver_10-03-17.01) - NTFSx86
Run by hai at 1:51:38.28 on Tue 05/18/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.998.525 [GMT -4:00]

============== Running Processes ===============

Executable.exe 4
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Program Files\Common Files\Lenovo\Logger\logmon.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\lenovo\system update\suservice.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\hai\Desktop\Defogger.exe
C:\Documents and Settings\hai\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyServer = http=
uInternet Settings,ProxyOverride = <local>
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: CPwmIEBrowserHelper Object: {f040e541-a427-4cf7-85d8-75e3e0f476c5} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gotnewupdate000.exe] c:\documents and settings\hai\application data\00163b07caa6ce715a0df970e49bc0ae\gotnewupdate000.exe
mRun: [TrackPointSrv] tp4serv.exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [<NO NAME>]
mRun: [TpShocks] TpShocks.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Message Center Plus] c:\program files\lenovo\message center plus\MCPLaunch.exe /start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mExplorerRun: [rf4qy] c:\docume~1\hai\locals~1\temp\b8n8nse.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0045D4BC-5189-4b67-969C-83BB1906C421} - {0FE81B52-73FA-425F-8F06-3F32451AC73F} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll
Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hai\applic~1\mozilla\firefox\profiles\bq0jrfbg.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-5-17 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2010-5-17 27656]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-3-2 19760]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-5-17 4368952]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2007-2-8 569344]
R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [2007-11-20 13840]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2006-9-13 35264]
S3 isaxbox;isaxbox;\??\c:\windows\system32\isaxbox.sys --> c:\windows\system32\isaxbox.sys [?]

=============== Created Last 30 ================

2010-05-18 05:26:08 0 ----a-w- c:\documents and settings\hai\defogger_reenable
2010-05-18 03:18:30 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2010-05-18 03:18:30 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-05-18 03:18:30 0 d-----w- c:\program files\Prevx
2010-05-18 03:18:24 62 ----a-w- c:\windows\wininit.ini
2010-05-18 03:18:24 0 d-----w- c:\docume~1\alluse~1\applic~1\PrevxCSI
2010-05-16 15:10:40 0 d-----w- c:\docume~1\hai\applic~1\Malwarebytes
2010-05-16 15:00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 15:00:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 15:00:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 15:00:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-13 05:58:38 0 d-----w- c:\windows\pss
2010-05-13 01:57:16 342 ----a-w- c:\windows\system32\MRT.INI
2010-05-13 01:55:27 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-13 01:40:41 1879 ----a-w- c:\windows\lsrslt.ini
2010-05-13 01:28:49 0 d-----w- c:\docume~1\hai\applic~1\ATManager
2010-05-13 01:27:48 0 d-----w- c:\docume~1\hai\applic~1\00163B07CAA6CE715A0DF970E49BC0AE
2010-05-05 16:23:40 1220 ----a-w- C:\SISTodo
2010-05-05 16:23:40 12 ----a-w- C:\SISHashTodo

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ----a-w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ----a-w- c:\windows\system32\dllcache\ieakui.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2007-11-20 14:48:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-14 20:42:55 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091420080915\index.dat
2008-06-14 20:21:45 16384 --sha-w- c:\windows\temp\cookies\index.dat
2008-06-14 20:21:45 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2008-06-14 20:21:45 16384 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 1:53:51.32 ===============

Attached Files

BC AdBot (Login to Remove)


#2 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 19 May 2010 - 06:36 PM


Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#3 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 20 May 2010 - 01:08 AM

hello m0le smile.gif

yes I am here but replying when I can and on my desktop, my dad's laptop is really unusable atm

I think my dad got laptop 3-4 years ago (not quite sure) and he has no disks so I really need to try to clean it from all viruses. I would have reformatted if I could and not even bother with trying to clean it. It's also a laptop with no CD drive :/

Cheers afro2.gif

#4 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 20 May 2010 - 12:54 PM

Please run Combofix and we can try and remove this malicious rogue

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image
m0le is a proud member of UNITE

#5 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 20 May 2010 - 11:02 PM

well, I can't access the internet with my laptop at all so I couldn't download material needed for complete scan. My network connection folder is completely empty. However, I did run the scan without the extra downloaded stuff (files maybe?).

The combofix.txt without access to internet is attached

maybe you can help me get my internet to work aswell, the virus disabled it I think and I am using a flash drive to download files/programs from my computer to put on my laptop.

Attached Files

#6 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 21 May 2010 - 03:53 PM

Let's try something to connect your internet again.

We Need to Repair Your Internet Connection
  1. Please download WinsockXPFix from a working machine and copy it to a CD or flash media.
  2. Copy the file to the desktop on the non working machine.
  3. Double Click on on your desktop.
  4. Push the button.
  5. Allow your system to reboot.

Please let me know if your connection is restored in your next reply
Posted Image
m0le is a proud member of UNITE

#7 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 21 May 2010 - 11:36 PM

Ran the program on laptop like you told me to and still can't connect to internet after the reboot.

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 22 May 2010 - 09:40 AM

Okay, it was a long shot. tongue.gif

Please run Combofix again, as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

c:\documents and settings\hai\Local Settings\Application Data\natikmqky
c:\documents and settings\hai\Start Menu\Programs\Startup\Antimalware Doctor.lnk
c:\windows\pss\Antimalware Doctor.lnkStartup

c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\System32\drivers\ndis.sys


Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Posted Image
m0le is a proud member of UNITE

#9 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 22 May 2010 - 11:35 PM

I dragged CFScript.txt onto combofix.exe like said (although it was renamed comfix.exe from previous instructions, don't know if it matters)

after that, the combofix.exe ran like it did when I ran it the first time (running combofix.exe scan without downloading files due to no internet)

I got to the part where it says something like: please be patient usually the scan does not last more than 10 minutes....

So I looked away from the laptop for 5 minutes and the whole laptop crashed when I went to check the progress

Now I can't even load up windows, I get the blue screen everytime.

I will try again to run my laptop normally tomorrow to see if letting the laptop cooldown will help (with this infection, my laptop is running extremely hot and cpu usage is stuck on 100%)

#10 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 23 May 2010 - 09:22 AM

Okay, I will wait for that but I think we may have to try something different to clear this infection. thumbup2.gif
Posted Image
m0le is a proud member of UNITE

#11 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 23 May 2010 - 10:18 AM

It still doesn't load up windows even if I do it under safe-mode, using last good configuration, or normal mode (I get blue screen every time).

#12 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 23 May 2010 - 10:34 AM

Okay, we need to get into the system another way.

In order to resolve your problem we will need to to download a program called OTLPE. This program is quite large, at 292MB, so it will take a while to download. In order to get this program setup properly, please print out these instructions so you can follow them when you are at the computer we will be working on.


Please download ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.

    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to Use Safelist
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.

Posted Image
m0le is a proud member of UNITE

#13 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 23 May 2010 - 02:03 PM

ouch, that's what I was worried about; having to boot the laptop using CD drive. I don't think there's a way around it too, for some reason this model laptop doesn't come with CD drive. I think I have to order an external CD drive.

lenovo x61 thinkpad

the cheaper the better

do you know if the top two will be able to function on my laptop?

#14 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 AM

Posted 23 May 2010 - 03:38 PM

Aha, but OTLPE can be loaded onto a flash drive. clapping.gif

You will need a flash drive with a size of 512 Mb or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.

    • Download OTLPE.iso from one of the following links and save it to your Desktop mirror1 or mirror2

    • Download eeepcfr.zip from the following link and save it to your Desktop: the mirror

    • Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror

  1. Once you have 7-zip install, decompress OTLPE.iso by rightclicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop

  2. Please also decompress eeepcfr to your systemroot (usually C:\).
  3. Empty the flash drive you want to install OTLPE on.
  4. Go to C:\eeecpfr and double-click usb_prep8.cmd to launch it.
  5. Press any key when asked to in the black window that opens.
  6. As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
    For Drive Label: type in OTLPE.
    Under Source Path to built BartPE/WinPE Files click ... and select the folder OTLPE that you created on your Desktop.
    Finally check Enable File Copy.

  7. Click on Start, accept the disclaimers and wait for the program to finish.

Your bootable flash drive should now be ready!

Now complete the OTLPE run from the Your system should now display a REATOGO-X-PE desktop. line.
Posted Image
m0le is a proud member of UNITE

#15 khoifish

  • Topic Starter

  • Members
  • 10 posts
  • Local time:04:45 AM

Posted 24 May 2010 - 01:03 AM

I'm still having some troubles, it took me awhile to figure out why PeToUSB couldn't read my flash drive but then found out the fix (find PeToUSB.exe program and run as administrator for vista)

Now, I can't load the USB bootable flash drive onto my laptop. I went into bios to make sure the order of booting was set to flash drive first and that didn't make a difference for it to boot. After some research, I found the option of a "booting list" by pressing F12 at startup and I got excited thinking I found the solution. On the boot menu, it allowed me to select the "Scandisk Cruzer Pattern" but under USB HDD (should be under USB FDD (?) but no option for that). My guess was that the laptop read it as external hard drive (USB HDD) not flash drive (USB FDD) but it probably wouldn't make a difference. So I select it anyways to enter setup and the message I get is:

"remove disks or other media" "Press any key to restart"

I pressed any key and the same messages is repeated and if I remove the flash drive then press any key, it tries to boot window only to crash again like always.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users